Bug 164165

Summary: enabling SELinux prevents Java app from using TCP sockets
Product: [Fedora] Fedora Reporter: Igor Wawrzyniak <igor.wawrzyniak>
Component: kernelAssignee: James Morris <jmorris>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: low Docs Contact:
Priority: medium    
Version: 4CC: davej, noa, sdsmall, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-30 01:52:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
strace log from both working and not working configuration
none
Fix addrlen checks in selinux_socket_connect none

Description Igor Wawrzyniak 2005-07-25 15:37:17 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
The Java app I'm using can't use TCP sockets when SELinux is enabled. It happens regardless of the mode (permissive or enforcing) or policy (strict or targeted). No message appears in syslog. I was told on fedora-selinux mailing list that it's possibly a bug in the kernel and I should report it here. Simply rebooting the system with SELinux disabled makes the app work, enabling SELinux makes the problem occur again.

The bug seems to be triggered by very specific software configuration: the app I'm using and specific JRE versions (with some JREs the app is running fine). Unfortunately, the app is not free, so if you need more information you have to ask me.

I run the app using strace with SELinux disabled and enabled. The relevant part of strace log is attached.

Version-Release number of selected component (if applicable):
kernel-2.6.12-1.1398_FC4 and kernel-2.6.11-1.1398_FC4

How reproducible:
Always

Steps to Reproduce:
1) Run the app
2) Enter IP address of the server


Actual Results:  Error message "cannot assign requested address". See strace log for more details.

Expected Results:  The app should connect to server using TCP. See strace log for more details.

Additional info:
Comment 1 Igor Wawrzyniak 2005-07-25 15:39:04 UTC 
Created attachment 117123 [details]
strace log from both working and not working configuration
Comment 2 Stephen Smalley 2005-07-28 12:56:18 UTC 
selinux_socket_connect (security/selinux/hooks.c) checks the addrlen prior
to extracting the port number for the name_connect permission check.  In the
INET6 case, it compares it with sizeof(struct sockaddr_in6) and returns -EINVAL
if it doesn't match.  Per the strace log, the passed in size to connect(2) was
only 24, but sizeof(struct sockaddr_in6) on x86 is 28.  Is passing in a shorter
addrlen legal?
Comment 3 James Morris 2005-07-28 13:00:55 UTC 
Are you able to provide the source to the section of code being traced here?
Comment 4 Stephen Smalley 2005-07-28 13:05:37 UTC 
Ah, I see.  tcp_v6_connect only requires addrlen to be >= SIN6_LEN_RFC2133, which
is 24.  tcp_v4_connect requires addrlen to be >= sizeof(sockaddr_in).

selinux_socket_connect needs to be fixed accordingly.
Comment 5 Igor Wawrzyniak 2005-07-28 13:17:44 UTC 
(In reply to comment #3)
> Are you able to provide the source to the section of code being traced here?

I'll try, but it'll take a few days.
Comment 6 Stephen Smalley 2005-07-28 13:23:41 UTC 
I don't think source is needed; the bug lies in selinux_socket_connect imposing
greater restrictions on addrlen than the underlying ipv6 code does.  Also, the
check in the ipv4 case should be weakened to not require strict equality; we
should just be consistent with the underlying ipv4 code there.
Comment 7 Stephen Smalley 2005-07-28 13:33:09 UTC 
Created attachment 117228 [details]
Fix addrlen checks in selinux_socket_connect
Comment 8 James Morris 2005-07-28 16:23:45 UTC 
(In reply to comment #7)
> Created an attachment (id=117228) [edit]
> Fix addrlen checks in selinux_socket_connect
> 

Looks good to me.
Comment 9 Stephen Smalley 2005-07-28 20:20:59 UTC 
Ok, submitted to Andrew Morton and lkml.
Comment 10 Igor Wawrzyniak 2005-07-29 08:20:26 UTC 
(In reply to comment #7)
> Created an attachment (id=117228) [edit]
> Fix addrlen checks in selinux_socket_connect

It works. Thanks.
Comment 11 Dave Jones 2005-08-03 22:22:21 UTC 
fixed in cvs.
Comment 12 Archit Shah 2005-08-25 19:50:23 UTC 
*** Bug 163006 has been marked as a duplicate of this bug. ***