Bug 1460611
| Summary | Binding and connecting to a DCCP socket raises SELinux denials | | |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 6 | Reporter | Milos Malik <mmalik> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED WONTFIX | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.9 | CC | dwalsh, fabian.deutsch, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-10-02 13:26:49 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Milos Malik
2017-06-12 08:11:31 UTC
Actual results (permissive mode):
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.955:220) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x3 a1=SOL_SOCKET a2=SO_REUSEADDR a3=0x7ffce414c67c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.955:220) : avc: denied { setopt } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.867:219) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffce414c5a0 items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.867:219) : avc: denied { create } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.955:221) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffce414c670 a2=0x10 a3=0x7ffce414c67c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { node_bind } for pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { name_bind } for pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { bind } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:222) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x3 a1=SOL_DCCP a2=0xc a3=0x7ffce414c680 items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.956:222) : avc: denied { getopt } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:223) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x3 a1=0x5 a2=0x2 a3=0x7ffce414c66c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.956:223) : avc: denied { listen } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:224) : arch=x86_64 syscall=accept success=no exit=-4(Interrupted system call) a0=0x3 a1=0x7ffce414c660 a2=0x7ffce414c65c a3=0x7ffce414c66c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.956:224) : avc: denied { accept } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----

# cat example.c
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>

/* Minimal reproducer: creating a DCCP socket is enough to trigger the
   { create } check on the dccp_socket class; when SELinux denies it,
   socket() fails with EACCES ("Permission denied"). */
int main(void)
{
    int sockfd;

    if ((sockfd = socket(AF_INET, SOCK_DCCP, IPPROTO_DCCP)) < 0) {
        perror("socket");
        exit(1);
    }
    close(sockfd);
    return 0;
}
# gcc -o example example.c
# ./example
socket: Permission denied
# ausearch -m avc -i
----
type=SYSCALL msg=audit(06/12/2017 04:15:18.404:226) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffdaa9ed660 items=0 ppid=1928 pid=3683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=example exe=/root/example subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:15:18.404:226) : avc: denied { create } for pid=3683 comm=example scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
# sesearch -c dccp_socket -A -C --dontaudit
#

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com
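Because the report was closed WONTFIX, an administrator who needs DCCP on RHEL 6 is left with a local policy module built from exactly these AVC records. The script below is an added example, not part of the bug report or of the selinux-policy package: it is a small awk reimplementation of the grouping that audit2allow performs (one allow rule per source type, target type and class, with a target equal to the source written as self) and it emits a complete .te module. The eight AVC lines are copied from the report into a constructed sample; the module name local_dccp and its version 1.0 are assumptions.

```shell
#!/bin/sh
# Added example: mimic audit2allow for the AVC records in this report.
# Not the bug report's code and not audit2allow itself; module name and
# version are assumptions.

# Constructed sample: the eight AVC records from the report, one per line.
AVC_SAMPLE='type=AVC msg=audit(06/12/2017 04:12:11.955:220) : avc: denied { setopt } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.867:219) : avc: denied { create } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { node_bind } for pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { name_bind } for pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { bind } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.956:222) : avc: denied { getopt } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.956:223) : avc: denied { listen } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.956:224) : avc: denied { accept } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket'

# avc_to_te MODULE_NAME: read AVC records on stdin, write a .te policy
# module on stdout. Rules are keyed by (source type, target type, class);
# repeated denials are deduplicated; a target equal to the source is "self".
avc_to_te() {
    awk -v mod="${1:-local_dccp}" '
    # the third field of a security context (user:role:type:range) is the type
    function type_of(ctx,   f) { split(ctx, f, ":"); return f[3] }
    /avc: *denied/ {
        b = index($0, "{"); e = index($0, "}")          # permission set is "{ perm ... }"
        if (b == 0 || e <= b) next
        perms = substr($0, b + 1, e - b - 1)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1)      src = type_of(substr($i, 10))
            else if (index($i, "tcontext=") == 1) tgt = type_of(substr($i, 10))
            else if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        if (!(src in types)) { types[src] = 1; torder[++nt] = src }   # for require {}
        if (!(tgt in types)) { types[tgt] = 1; torder[++nt] = tgt }
        if (tgt == src) tgt = "self"
        key = src " " tgt ":" cls
        if (!(key in nperm)) { nperm[key] = 0; korder[++nk] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {                # one rule per key, no duplicate perms
                seen[key, p[j]] = 1
                nperm[key]++
                rule[key] = rule[key] " " p[j]
            }
            if (!((cls, p[j]) in cseen)) {               # union of perms per class for require {}
                cseen[cls, p[j]] = 1
                cperm[cls] = cperm[cls] " " p[j]
                if (!(cls in cflag)) { cflag[cls] = 1; corder[++nc] = cls }
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t = 1; t <= nt; t++) printf "    type %s;\n", torder[t]
        for (c = 1; c <= nc; c++) printf "    class %s {%s };\n", corder[c], cperm[corder[c]]
        printf "}\n\n"
        for (k = 1; k <= nk; k++) {
            key = korder[k]
            if (nperm[key] == 1) printf "allow %s%s;\n", key, rule[key]       # single perm: no braces
            else                 printf "allow %s {%s };\n", key, rule[key]
        }
    }'
}

# Run over the constructed sample; on a real host feed "ausearch -m avc -i" instead.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te local_dccp
```

The generated module is compiled and loaded with the standard tools: `checkmodule -M -m -o local_dccp.mod local_dccp.te`, `semodule_package -o local_dccp.pp -m local_dccp.mod`, `semodule -i local_dccp.pp` (or simply `ausearch -m avc -i | audit2allow -M local_dccp`). Two checks before loading it: the `sesearch -c dccp_socket -A -C --dontaudit` run in the report printed nothing, so the RHEL 6 policy carries no allow or dontaudit rules for the class at all and these denials are real, not silenced noise; and the source type here is unconfined_t, so the module grants every unconfined process DCCP create, bind and listen rights rather than scoping them to one daemon's domain, which is the narrower rule an administrator would prefer if the consumer is a confined service.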