Bug 1460611
| Summary: | Binding and connecting to a DCCP socket raises SELinux denials | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.9 | CC: | dwalsh, fabian.deutsch, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-10-02 13:26:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Milos Malik
2017-06-12 08:11:31 UTC
Actual results (permissive mode):
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.955:220) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x3 a1=SOL_SOCKET a2=SO_REUSEADDR a3=0x7ffce414c67c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.955:220) : avc: denied { setopt } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.867:219) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffce414c5a0 items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.867:219) : avc: denied { create } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.955:221) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffce414c670 a2=0x10 a3=0x7ffce414c67c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { node_bind } for pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { name_bind } for pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc: denied { bind } for pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:222) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x3 a1=SOL_DCCP a2=0xc a3=0x7ffce414c680 items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.956:222) : avc: denied { getopt } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:223) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x3 a1=0x5 a2=0x2 a3=0x7ffce414c66c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.956:223) : avc: denied { listen } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:224) : arch=x86_64 syscall=accept success=no exit=-4(Interrupted system call) a0=0x3 a1=0x7ffce414c660 a2=0x7ffce414c65c a3=0x7ffce414c66c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:12:11.956:224) : avc: denied { accept } for pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
# cat example.c
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/in.h>
void main (void) {
int sockfd;
if ((sockfd = socket(AF_INET, SOCK_DCCP, IPPROTO_DCCP)) < 0) {
perror("socket");
exit(1);
}
}
# gcc -o example example.c
# ./example
socket: Permission denied
# ausearch -m avc -i
----
type=SYSCALL msg=audit(06/12/2017 04:15:18.404:226) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffdaa9ed660 items=0 ppid=1928 pid=3683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=example exe=/root/example subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2017 04:15:18.404:226) : avc: denied { create } for pid=3683 comm=example scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
# sesearch -c dccp_socket -A -C --dontaudit
#
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com |