Bug 213062

Summary: [labeled networking] NetLabel does not protect against setsockopt()
Product: Red Hat Enterprise Linux 5 Reporter: Paul Moore <paul.moore>
Component: kernelAssignee: Eric Paris <eparis>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0CC: iboverma, linda.knippers
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: beta2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-12-23 01:53:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Simple test program none

Description Paul Moore 2006-10-30 18:23:30 UTC 
Description of problem:
Currently SELinux policies do not prevent most applications from calling
setsockopt() which puts the NetLabel security attributes at risk from tampering
by unprivileged applications.  A patch has been posted to the netdev and SELinux
mailing lists which addresses this problem by preventing applications from
removing NetLabel security attributes from a socket as well as requiring the
CAP_NET_RAW capability to set a CIPSO option on a socket.  The patch can be
found here:

 * http://marc.theaimsgroup.com/?l=linux-netdev&m=116223202106768&w=2

I am also attaching a simple test program which demonstrates the problem.

Version-Release number of selected component (if applicable):
All current RHEL5 kernels with NetLabel enabled.

How reproducible:
N/A

Steps to Reproduce:
1. N/A
2.
3.
  
Actual results:
N/A

Expected results:
N/A

Additional info:
This directly effects the LSPP efforts of RH, HP, and IBM.
Comment 1 Paul Moore 2006-10-30 18:23:30 UTC 
Created attachment 139738 [details]
Simple test program
Comment 2 Eric Paris 2006-11-10 17:33:06 UTC 
patch posted for rhel5 kernel inclusion Nov 10
Comment 3 Jay Turner 2006-11-21 19:15:30 UTC 
QE ack for RHEL5.
Comment 4 Don Zickus 2006-12-05 19:51:39 UTC 
in 2.6.18-1.2817.el5
Comment 5 RHEL Program Management 2006-12-23 01:53:32 UTC 
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.