Bug 1460648

Summary: the bind_ports plugin does not produce any report when matching AVC appears

Product: Red Hat Enterprise Linux 7
Component: setroubleshoot-plugins
Version: 7.4
Reporter: Milos Malik <mmalik>
Assignee: Vit Mojzis <vmojzis>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mgrepl, mmalik, plautrba
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Type: Bug
Last Closed: 2018-10-30 09:47:43 UTC

Description Milos Malik 2017-06-12 10:35:29 UTC
Description of problem:
* the output of sealert -l '*' does not contain any report from the bind_ports plugin, even though the right AVC appeared (an AVC that matched the plugin's conditions)

Version-Release number of selected component (if applicable):
setroubleshoot-server-3.2.28-3.el7.x86_64
setroubleshoot-plugins-3.0.65-1.el7.noarch

How reproducible:
* always

Steps to Reproduce:
# seinfo --portcon=789
	portcon tcp 512-1023 system_u:object_r:hi_reserved_port_t:s0
	portcon udp 512-1023 system_u:object_r:hi_reserved_port_t:s0
# sesearch -s auditctl_t -t hi_reserved_port_t -c tcp_socket -p name_bind -A -C -D

# setenforce 0
# runcon system_u:system_r:auditctl_t:s0 bash -c 'nc -l localhost 789'
^C
# setenforce 1
# ausearch -m avc -i -ts recent # only showing the right AVC
----
type=PROCTITLE msg=audit(06/12/2017 06:32:27.642:430) : proctitle=bash -c nc -l localhost 789 
type=SYSCALL msg=audit(06/12/2017 06:32:27.642:430) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x658c60 a2=0x80 a3=0x7fff3ce4f820 items=0 ppid=9122 pid=27723 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=nc exe=/usr/bin/ncat subj=system_u:system_r:auditctl_t:s0 key=(null) 
type=AVC msg=audit(06/12/2017 06:32:27.642:430) : avc:  denied  { net_bind_service } for  pid=27723 comm=nc capability=net_bind_service  scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:auditctl_t:s0 tclass=capability 
type=AVC msg=audit(06/12/2017 06:32:27.642:430) : avc:  denied  { node_bind } for  pid=27723 comm=nc saddr=::1 src=789 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket 
type=AVC msg=audit(06/12/2017 06:32:27.642:430) : avc:  denied  { name_bind } for  pid=27723 comm=nc src=789 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket 
type=AVC msg=audit(06/12/2017 06:32:27.642:430) : avc:  denied  { bind } for  pid=27723 comm=nc scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:auditctl_t:s0 tclass=tcp_socket 
----

Actual results:
# sealert -l '*' | grep -i plugin
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
*****  Plugin catchall (100. confidence) suggests   **************************
#

Expected results:
* at least 1 report comes from the bind_ports plugin

Comment 2 Vit Mojzis 2018-08-06 14:13:10 UTC
The AVC in the bug description should not trigger the connect_ports plugin, since there needs to be at least one "allowed target type" for the source domain (a type to which the domain has access). Otherwise the suggestion is not valid.

# sesearch -A -p name_bind -s auditctl_t -C
None

The plugin works properly with the following AVC:

type=AVC msg=audit(1533554112.594:1026): avc:  denied  { name_bind } for  pid=8115 comm="nc" dest=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

The current "correct" behaviour is actually caused by an exception in "allowed_target_types" (triggered when search() returns None) on the line:

    wtypes = [x[TARGET] for x in [y for y in search([ALLOW], {SOURCE: self.scontext.type, CLASS: self.tclass, PERMS: self.access}) if y["enabled"]]]

which should be handled properly.
The following patch should fix the issue:

https://github.com/fedora-selinux/setroubleshoot/pull/73
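
The two gates described in the report and in comment 2, modelled as an added example (this is not setroubleshoot's own code): gate 1 matches the raw AVC against the plugin's conditions (a name_bind denial on a tcp/udp socket against a port type), and gate 2 only suggests something when the source domain already has name_bind to some port type. The search() function is a stub standing in for the setools policy query; it returns None when no rule exists, which is the case comment 2 says broke the original list comprehension, and STUB_ALLOW is assumed data rather than anything read from a real policy. The "_port_t" suffix check and the sample AVCs (copied from this page with constructed timestamps) are likewise assumptions for the example.

```python
"""Added example: a minimal model of the bind_ports plugin's two gates.
search() and STUB_ALLOW are stubs/assumed data, not setroubleshoot code."""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the AVCs quoted in the description and in comment 2.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1497263547.642:430): avc:  denied  { net_bind_service } for  pid=27723 comm=nc capability=net_bind_service  scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:auditctl_t:s0 tclass=capability',
    'type=AVC msg=audit(1497263547.642:430): avc:  denied  { node_bind } for  pid=27723 comm=nc saddr=::1 src=789 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1497263547.642:430): avc:  denied  { name_bind } for  pid=27723 comm=nc src=789 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1533554112.594:1026): avc:  denied  { name_bind } for  pid=8115 comm="nc" dest=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket',
]

# Assumed allow rules keyed by (source type, class, permission).
# auditctl_t deliberately has no entry: sesearch printed "None" for it.
STUB_ALLOW = {
    ("httpd_t", "tcp_socket", "name_bind"): ["http_port_t", "http_cache_port_t"],
}


def search(source, tclass, perm):
    """Stub policy query: None when nothing matches (the shape that broke
    the original plugin), otherwise rule dicts like the plugin iterates."""
    targets = STUB_ALLOW.get((source, tclass, perm))
    if targets is None:
        return None
    return [{"target": t, "enabled": True} for t in targets]


def parse_avc(line):
    """Pull the permission set and key=value fields out of one raw AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    avc["perms"] = m.group("perms").split()
    avc["stype"] = avc["scontext"].split(":")[2]   # user:role:TYPE:level
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc


def is_bind_ports_candidate(avc):
    """Gate 1: name_bind denial on a socket whose target is a port type."""
    return ("name_bind" in avc["perms"]
            and avc["tclass"] in ("tcp_socket", "udp_socket")
            and avc["ttype"].endswith("_port_t"))


def allowed_target_types_buggy(avc):
    """Same shape as the line quoted in comment 2: a None result from
    search() is iterated directly, which raises TypeError."""
    return [x["target"] for x in
            [y for y in search(avc["stype"], avc["tclass"], "name_bind") if y["enabled"]]]


def allowed_target_types(avc):
    """Gate 2, fixed: a None result simply means 'no allow rules'."""
    rules = search(avc["stype"], avc["tclass"], "name_bind") or []
    return [x["target"] for x in rules if x["enabled"]]


def reproduce_bug(line):
    """Report what the unfixed lookup does for a given AVC."""
    try:
        allowed_target_types_buggy(parse_avc(line))
        return "ok"
    except TypeError:
        return "TypeError"


def analyze(line):
    """Return a report dict, or None when the plugin should stay silent."""
    avc = parse_avc(line)
    if avc is None or not is_bind_ports_candidate(avc):
        return None
    targets = allowed_target_types(avc)
    if not targets:
        return None   # valid silence: no port type to point the admin at
    return {
        "plugin": "bind_ports",
        "source": avc["stype"],
        "port": avc.get("src") or avc.get("dest"),
        "denied_type": avc["ttype"],
        "suggest_types": targets,
    }


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        print(analyze(line))
```

Running this over the four sample lines gives three silences and one report: the capability and node_bind AVCs fail gate 1, the auditctl_t name_bind AVC passes gate 1 but has no allowed port types, and only the httpd_t AVC from comment 2 produces a suggestion. The reproduce_bug() call on the auditctl_t AVC shows the TypeError that the original comprehension raised; the fixed lookup turns that same input into a silent, valid "no report".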

Comment 7 errata-xmlrpc 2018-10-30 09:47:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3101