Bug 1459941
| Summary: | Binding and connecting to a DCCP socket raises SELinux denials | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | fabian.deutsch, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-175.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 704573 | Environment: | |
| Last Closed: | 2018-04-10 12:32:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Milos Malik
2017-06-08 15:56:01 UTC
Actual results (permissive mode):
----
type=SYSCALL msg=audit(06/08/2017 17:59:54.884:355) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x3 a1=0x5 a2=0x0 a3=0x7ffeffc8625c items=0 ppid=2615 pid=5345 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 17:59:54.884:355) : avc: denied { listen } for pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=AVC msg=audit(06/08/2017 17:59:54.884:356) : avc: denied { accept } for pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SOCKADDR msg=audit(06/08/2017 17:59:54.879:354) : saddr={ fam=inet laddr=0.0.0.0 lport=5001 }
type=SYSCALL msg=audit(06/08/2017 17:59:54.879:354) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffeffc86260 a2=0x10 a3=0x7ffeffc86274 items=0 ppid=2615 pid=5345 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 17:59:54.879:354) : avc: denied { bind } for pid=5345 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.016:373) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DCCP a2=dccp a3=0x0 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.016:373) : avc: denied { create } for pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.022:374) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x5 a1=SOL_DCCP a2=0xc a3=0x7ffcae0e2420 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.022:374) : avc: denied { getopt } for pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.026:375) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x5 a1=SOL_DCCP a2=0xd a3=0x7ffcae0e240c items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.026:375) : avc: denied { setopt } for pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SOCKADDR msg=audit(06/08/2017 18:00:13.026:376) : saddr={ fam=inet laddr=127.0.0.1 lport=5001 }
type=SYSCALL msg=audit(06/08/2017 18:00:13.026:376) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffcae0e2410 a2=0x10 a3=0x7ffcae0e240c items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.026:376) : avc: denied { connect } for pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:378) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=TIOCINQ a2=0x7fbb05bd3afc a3=0x0 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=dccpclientsrc0: exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.035:378) : avc: denied { getattr } for pid=5468 comm=dccpclientsrc0: path=socket:[69680] dev="sockfs" ino=69680 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:377) : arch=x86_64 syscall=sendmsg success=yes exit=2613 a0=0x4 a1=0x7f54f3ffee90 a2=0x0 a3=0x7f54f3fff9d0 items=0 ppid=2615 pid=5345 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=videotestsrc0:s exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.035:377) : avc: denied { write } for pid=5345 comm=videotestsrc0:s laddr=127.0.0.1 lport=5001 faddr=127.0.0.1 fport=58168 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:379) : arch=x86_64 syscall=recvmsg success=yes exit=2613 a0=0x5 a1=0x7fbb05bd3b10 a2=0x0 a3=0x59 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=dccpclientsrc0: exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.035:379) : avc: denied { read } for pid=5468 comm=dccpclientsrc0: laddr=127.0.0.1 lport=58168 faddr=127.0.0.1 fport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----

# cat example.c
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/in.h>

int main(void)
{
    int sockfd;

    /* creating the DCCP socket is the call that triggers the "create" denial */
    if ((sockfd = socket(AF_INET, SOCK_DCCP, IPPROTO_DCCP)) < 0) {
        perror("socket");
        exit(1);
    }
    return 0;
}
# gcc -o example example.c
# ./example
socket: Permission denied
# ausearch -m avc -i
----
type=PROCTITLE msg=audit(06/12/2017 03:31:10.925:317) : proctitle=./example
type=SYSCALL msg=audit(06/12/2017 03:31:10.925:317) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffed4125da0 items=0 ppid=10432 pid=25206 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=example exe=/root/example subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 03:31:10.925:317) : avc: denied { create } for pid=25206 comm=example scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----

# sesearch -c dccp_socket -A -C -D
Found 8 semantic av rules:
   allow corenet_unconfined_type node_type : dccp_socket node_bind ;
   allow netlabel_peer_type netlabel_peer_t : dccp_socket recvfrom ;
   allow domain unconfined_domain_type : dccp_socket recvfrom ;
   allow domain netlabel_peer_t : dccp_socket recvfrom ;
   allow corenet_unlabeled_type unlabeled_t : dccp_socket recvfrom ;
   allow corenet_unconfined_type port_type : dccp_socket { recv_msg send_msg name_bind name_connect } ;
   allow unconfined_domain_type netlabel_peer_t : dccp_socket recvfrom ;
   allow unconfined_domain_type domain : dccp_socket recvfrom ;
#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
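Added example, not code from this bug report or from the selinux-policy project: a small Python script that reads `ausearch -i` output of the kind shown above, joins each AVC record to its SYSCALL record by the audit serial number, aggregates the denied permissions per source type, target type and object class into audit2allow-style rules, and reports for each denied call whether it nevertheless succeeded (permissive mode, as in the reporter's first run) or was blocked (enforcing, as with example.c). The embedded log is a constructed sample, abridged from the records in this report; the function names are my own.

```python
"""Summarise SELinux AVC denials from `ausearch -i` output (added example)."""
import re
from collections import defaultdict

# Constructed sample: records from this bug report, abridged to the fields the parser needs.
SAMPLE = """\
type=SYSCALL msg=audit(06/08/2017 17:59:54.884:355) : arch=x86_64 syscall=listen success=yes exit=0 pid=5345 comm=gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 17:59:54.884:355) : avc:  denied  { listen } for  pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=AVC msg=audit(06/08/2017 17:59:54.884:356) : avc:  denied  { accept } for  pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SOCKADDR msg=audit(06/08/2017 17:59:54.879:354) : saddr={ fam=inet laddr=0.0.0.0 lport=5001 }
type=SYSCALL msg=audit(06/08/2017 17:59:54.879:354) : arch=x86_64 syscall=bind success=yes exit=0 pid=5345 comm=gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 17:59:54.879:354) : avc:  denied  { bind } for  pid=5345 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.016:373) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DCCP a2=dccp pid=5468 comm=gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.016:373) : avc:  denied  { create } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:378) : arch=x86_64 syscall=ioctl success=yes exit=0 a1=TIOCINQ pid=5468 comm=dccpclientsrc0: subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 18:00:13.035:378) : avc:  denied  { getattr } for  pid=5468 comm=dccpclientsrc0: path=socket:[69680] dev="sockfs" ino=69680 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=PROCTITLE msg=audit(06/12/2017 03:31:10.925:317) : proctitle=./example
type=SYSCALL msg=audit(06/12/2017 03:31:10.925:317) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp pid=25206 comm=example subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 03:31:10.925:317) : avc:  denied  { create } for  pid=25206 comm=example scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
"""

# The serial after the last ':' inside msg=audit(...) ties AVC and SYSCALL records of one event together.
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(r"syscall=(?P<syscall>\S+)\s+success=(?P<success>yes|no)")


def context_type(ctx):
    """Return the type (third colon-separated field) of an SELinux security context."""
    return ctx.split(":")[2]


def parse_events(text):
    """Group records by audit serial: {serial: {"avc": [denials], "syscall": {...} or None}}."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue  # separators and lines without an audit header
        serial = int(m.group(1))
        if line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                events[serial]["avc"].append({
                    "perms": set(a.group("perms").split()),
                    "stype": context_type(a.group("scontext")),
                    "ttype": context_type(a.group("tcontext")),
                    "tclass": a.group("tclass"),
                })
        elif line.startswith("type=SYSCALL"):
            s = SYSCALL_RE.search(line)
            if s:
                events[serial]["syscall"] = {"name": s.group("syscall"),
                                             "success": s.group("success") == "yes"}
    return dict(events)


def summarize_denials(text):
    """Union of denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for ev in parse_events(text).values():
        for a in ev["avc"]:
            needed[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return dict(needed)


def allow_rules(text):
    """Render the summary as audit2allow-style rules; same source and target type becomes 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(text).items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def enforcement_mode(text):
    """Per serial with both an AVC and a SYSCALL record: 'permissive' if the denied call still
    succeeded, 'enforcing' if the kernel refused it (success=no)."""
    modes = {}
    for serial, ev in parse_events(text).items():
        if ev["avc"] and ev["syscall"] is not None:
            modes[serial] = "permissive" if ev["syscall"]["success"] else "enforcing"
    return modes


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
    for serial, mode in sorted(enforcement_mode(SAMPLE).items()):
        print(serial, mode)
```

Joining on the serial is what lets a reviewer tell the two runs in this report apart: every gst-launch denial sits next to a `success=yes` SYSCALL record (permissive mode let the call through and only logged it), while the example.c run pairs its `create` denial with `success=no`, the EACCES the program printed. The aggregated rule is the set of dccp_socket permissions the sesearch output shows unconfined_t lacked before the fixed policy build.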