Bug 227720

Summary: SELinux policy doesn't allow bind(2) on raw sockets
Product: Red Hat Enterprise Linux 5
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: medium
Reporter: Bhavesh Davda <bhavesh.davda>
Assignee: Daniel Walsh <dwalsh>
CC: dwalsh, jlo, srihan
Target Milestone: ---
Target Release: ---
Fixed In Version: RC
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-02-16 14:26:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments:
  Test mini-app that shows bind(2) failure with SELinux (flags: none)

Description Bhavesh Davda 2007-02-07 18:55:57 UTC
Description of problem:

When trying to bind(2) to INADDR_ANY on a SOCK_RAW/IPPROTO_ICMP socket, I get
errno=-EACCES, when SELinux is configured as "targeted".

Version-Release number of selected component (if applicable):


How reproducible:

100% reproducible.

Steps to Reproduce:
1. Compile and run the attached test mini-app.
2. With SELinux completely disabled, the mini-app's bind(2) call succeeds.
3. With SELinux enabled, the mini-app's bind(2) call fails with errno=-EACCES.

Actual results:

bind(2) fails.

Expected results:

bind(2) succeeds.

Additional info:

This seems to be an arbitrary policy to disallow a process running as root to
bind(2) a raw socket. I can't imagine any customer requiring such a
configuration, because it's not like you can DoS a host by allowing an
application running as root to bind a raw socket to INADDR_ANY.

Comment 1 Bhavesh Davda 2007-02-07 18:55:57 UTC
Created attachment 147587 [details]
Test mini-app that shows bind(2) failure with SELinux

Comment 2 Daniel Walsh 2007-02-14 15:33:21 UTC
Are you seeing avc messages in /var/log/audit/audit.log or /var/log/messages?

Comment 3 Bhavesh Davda 2007-02-15 17:27:02 UTC
Yup:

/var/log/audit/audit.log:

type=AVC msg=audit(1171573264.718:343): avc:  denied  { node_bind } for pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 ppid=7136 pid=7173 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 comm="bindicmp" exe="/root/bindicmp" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=SOCKADDR msg=audit(1171573264.718:343): saddr=0200000000000000087DB3FFA2840408

Nothing interesting in /var/log/messages.
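As an added example (not the reporter's test program, and not part of the bug), a small Python decoder for the three audit records quoted in this comment. It pulls the denied permission, the source and target types and the object class out of the AVC record, maps exit=-13 in the SYSCALL record to EACCES, decodes the SOCKADDR hex (sa_family 2 = AF_INET, port 0, address 0.0.0.0, i.e. INADDR_ANY, which is why the target is inaddr_any_node_t), and renders the allow rule the denial corresponds to, in the same shape audit2allow prints. The audit lines below are a constructed copy of the ones above, each joined back onto a single line; the i386 socketcall operation table is my own assumption and covers only the common calls.

```python
"""Decode an SELinux AVC denial together with its SYSCALL and SOCKADDR records."""
import errno
import re
import socket
import struct

# Constructed sample: the three records quoted in Comment 3, each joined back
# onto a single line (the bug page wraps them).
AUDIT_LINES = [
    'type=AVC msg=audit(1171573264.718:343): avc:  denied  { node_bind } for '
    'pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket',
    'type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 '
    'success=no exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 '
    'ppid=7136 pid=7173 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts5 comm="bindicmp" exe="/root/bindicmp" '
    'subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)',
    'type=SOCKADDR msg=audit(1171573264.718:343): '
    'saddr=0200000000000000087DB3FFA2840408',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')

# arch=40000003 is AUDIT_ARCH_I386 and syscall=102 is socketcall(2) there;
# a0 selects the operation. Assumed table, common operations only.
I386_SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}


def parse_fields(text):
    """Turn 'k=v k2="v 2" k3=(null)' into a dict, stripping value quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Extract who was denied what, on which object class, from a type=AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = parse_fields(m.group(2))
    return {
        "perms": m.group(1).split(),
        "scontext": f["scontext"],
        "tcontext": f["tcontext"],
        "tclass": f["tclass"],
        "comm": f.get("comm"),
        "pid": int(f["pid"]),
        # contexts are user:role:type[:range]; policy rules are written on the type
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
    }


def decode_saddr(hexstr):
    """Decode the raw sockaddr bytes of a type=SOCKADDR record (AF_INET only)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]      # sa_family: host order (x86 little-endian)
    if family != socket.AF_INET:
        return {"family": family}
    port, addr = struct.unpack("!H4s", raw[2:8])   # sin_port / sin_addr: network order
    return {"family": "AF_INET", "port": port, "addr": socket.inet_ntoa(addr)}


def allow_rule(avc):
    """The allow rule this denial maps to (the shape audit2allow would print)."""
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perms)


def summarize(lines):
    """Group records by audit serial and merge AVC, SYSCALL and SOCKADDR into one view."""
    events = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if m is None:
            continue
        events.setdefault(m.group(1), {})[parse_fields(line)["type"]] = line
    out = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        s = {"serial": int(serial)}
        if "AVC" in recs:
            s["avc"] = parse_avc(recs["AVC"])
            s["rule"] = allow_rule(s["avc"])
        if "SYSCALL" in recs:
            f = parse_fields(recs["SYSCALL"])
            rc = int(f["exit"])
            s["errno"] = errno.errorcode.get(-rc) if rc < 0 else None   # -13 -> EACCES
            s["exe"] = f.get("exe")
            if f.get("arch") == "40000003" and f.get("syscall") == "102":
                s["syscall"] = "socketcall(%s)" % I386_SOCKETCALL.get(int(f["a0"], 16), "?")
        if "SOCKADDR" in recs:
            s["sockaddr"] = decode_saddr(parse_fields(recs["SOCKADDR"])["saddr"])
        out.append(s)
    return out


if __name__ == "__main__":
    for ev in summarize(AUDIT_LINES):
        print(ev)
```

Joining the three records by their audit serial (343) is what turns a bare "denied { node_bind }" into a triage-ready statement: root's unconfined_t process /root/bindicmp called bind on a rawip_socket against 0.0.0.0 and got EACCES. Whether the right fix is a policy update (as suggested later in this bug) or a local module is a decision to make from that rule, not from the AVC line alone.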


Comment 4 Daniel Walsh 2007-02-15 20:36:30 UTC
Which policy are you seeing this with?

selinux-policy-2.4.6-32.el5 allows this.

Dan

Comment 5 Bhavesh Davda 2007-02-15 20:40:55 UTC
I've got selinux-policy-2.3.3-22 installed. 

/etc/redhat-release: Red Hat Enterprise Linux Server release 4.91 (Tikanga)

BTW, how do I figure out what's allowed and what's not as far as SELinux kernel
policies are concerned? I.e., how do I decode
/etc/selinux/targeted/modules/active/policy.kern?

Thanks.

Comment 6 Daniel Walsh 2007-02-16 14:26:52 UTC
Please update policy and see if the problem goes away.
You can find the latest policy on http://people.redhat.com/dwalsh/SELinux/RHEL5

If you have setools installed, you can use apol and seinfo to look at the way
policy is constructed. But it will not be easy to understand. The goal is to
let every confined process have all the access it needs to get its job
done, and no more. Unconfined domains should be allowed to do everything they
could do without SELinux installed (unconfined_t, initrc_t, inetd_t).

ps -eZ will show you the security context of all processes running on your system.