Bug 164165
| Summary: | enabling SELinux prevents Java app from using TCP sockets | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Igor Wawrzyniak <igor.wawrzyniak> |
| Component: | kernel | Assignee: | James Morris <jmorris> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4 | CC: | davej, noa, sdsmall, wtogami |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-08-30 01:52:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Igor Wawrzyniak
2005-07-25 15:37:17 UTC
Created attachment 117123 [details]
strace log from both working and not working configuration
selinux_socket_connect (security/selinux/hooks.c) checks the addrlen prior to extracting the port number for the name_connect permission check. In the INET6 case, it compares it with sizeof(struct sockaddr_in6) and returns -EINVAL if it doesn't match. Per the strace log, the passed in size to connect(2) was only 24, but sizeof(struct sockaddr_in6) on x86 is 28. Is passing in a shorter addrlen legal?

Are you able to provide the source to the section of code being traced here?

Ah, I see. tcp_v6_connect only requires addrlen to be >= SIN6_LEN_RFC2133, which is 24. tcp_v4_connect requires addrlen to be >= sizeof(sockaddr_in). selinux_socket_connect needs to be fixed accordingly.

(In reply to comment #3)
> Are you able to provide the source to the section of code being traced here?

I'll try, but it'll take a few days.

I don't think source is needed; the bug lies in selinux_socket_connect imposing greater restrictions on addrlen than the underlying ipv6 code does. Also, the check in the ipv4 case should be weakened to not require strict equality; we should just be consistent with the underlying ipv4 code there.

Created attachment 117228 [details]
Fix addrlen checks in selinux_socket_connect

(In reply to comment #7)
> Created an attachment (id=117228) [edit]
> Fix addrlen checks in selinux_socket_connect

Looks good to me.

Ok, submitted to Andrew Morton and lkml.

(In reply to comment #7)
> Created an attachment (id=117228) [edit]
> Fix addrlen checks in selinux_socket_connect

It works. Thanks.

fixed in cvs.

*** Bug 163006 has been marked as a duplicate of this bug. ***
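The addrlen check the thread describes, as an added userspace example that is neither the kernel's hooks.c nor the patch in attachment 117228: two models of the port-extraction step in selinux_socket_connect, the strict-equality form the report found and the minimum-length form the discussion asks for (>= sizeof(struct sockaddr_in) for IPv4, >= SIN6_LEN_RFC2133 for IPv6), run against a constructed 24-byte sockaddr_in6 like the one in the strace log. The value 24 for SIN6_LEN_RFC2133 comes from the discussion; the function names, the try_connect_check helper, the loopback sample addresses and the -EAFNOSUPPORT result for other families are this example's own simplifications.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* SIN6_LEN_RFC2133 is kernel-internal and not exported to userspace, so it is
 * defined here (assumed value from the discussion): a sockaddr_in6 without
 * the trailing sin6_scope_id, i.e. family + port + flowinfo + 16-byte address. */
#ifndef SIN6_LEN_RFC2133
#define SIN6_LEN_RFC2133 24
#endif

/* Model of the pre-fix check as the report describes it: the hook demands
 * that addrlen equal the full structure size before it reads the port. */
static int port_from_addr_strict(int family, const void *address,
                                 size_t addrlen, uint16_t *snum)
{
    if (family == AF_INET) {
        if (addrlen != sizeof(struct sockaddr_in))
            return -EINVAL;
        *snum = ntohs(((const struct sockaddr_in *)address)->sin_port);
        return 0;
    }
    if (family == AF_INET6) {
        if (addrlen != sizeof(struct sockaddr_in6))
            return -EINVAL;
        *snum = ntohs(((const struct sockaddr_in6 *)address)->sin6_port);
        return 0;
    }
    return -EAFNOSUPPORT; /* simplification: other families are not modelled */
}

/* Model of the fixed check: the same minimum lengths the transport code
 * (tcp_v4_connect / tcp_v6_connect) accepts. Both minima still cover the
 * port field at offset 2, so the port is never read beyond addrlen bytes. */
static int port_from_addr_fixed(int family, const void *address,
                                size_t addrlen, uint16_t *snum)
{
    if (family == AF_INET) {
        if (addrlen < sizeof(struct sockaddr_in))
            return -EINVAL;
        *snum = ntohs(((const struct sockaddr_in *)address)->sin_port);
        return 0;
    }
    if (family == AF_INET6) {
        if (addrlen < SIN6_LEN_RFC2133)
            return -EINVAL;
        *snum = ntohs(((const struct sockaddr_in6 *)address)->sin6_port);
        return 0;
    }
    return -EAFNOSUPPORT; /* simplification: other families are not modelled */
}

/* Helper (this example's own): builds a fully populated loopback address of
 * the given family carrying `port`, then applies one of the two checks with
 * the caller's addrlen, as connect(2) would hand it to the hook. Returns the
 * port the check extracted, or a negative errno. */
int try_connect_check(int family, size_t addrlen, int use_fixed, uint16_t port)
{
    union {
        struct sockaddr_in  v4;
        struct sockaddr_in6 v6;
    } a;                      /* constructed sample address, never sent anywhere */
    uint16_t snum = 0;
    int rc;

    memset(&a, 0, sizeof a);
    if (family == AF_INET) {
        a.v4.sin_family = AF_INET;
        a.v4.sin_port = htons(port);
        a.v4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    } else if (family == AF_INET6) {
        a.v6.sin6_family = AF_INET6;
        a.v6.sin6_port = htons(port);
        a.v6.sin6_addr = in6addr_loopback;
    }

    rc = use_fixed ? port_from_addr_fixed(family, &a, addrlen, &snum)
                   : port_from_addr_strict(family, &a, addrlen, &snum);
    return rc < 0 ? rc : (int)snum;
}

int main(void)
{
    /* The case from the strace log: a 24-byte sockaddr_in6 that tcp_v6_connect accepts. */
    printf("strict, IPv6 addrlen 24: %d\n", try_connect_check(AF_INET6, 24, 0, 8080));
    printf("fixed,  IPv6 addrlen 24: %d\n", try_connect_check(AF_INET6, 24, 1, 8080));
    /* Still rejected after the fix: shorter than the RFC 2133 layout. */
    printf("fixed,  IPv6 addrlen 20: %d\n", try_connect_check(AF_INET6, 20, 1, 8080));
    return 0;
}
```

The strict model returns -EINVAL for the 24-byte address that the Java runtime passed, which is why the application only failed with SELinux enabled; the fixed model accepts anything at or above the transport layer's own minimum and rejects anything below it, so the permission check neither blocks legal callers nor reads a port field that the caller did not supply.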