Bug 227720
| Field | Value |
|---|---|
| Summary | SELinux policy doesn't allow bind(2) on raw sockets |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Bhavesh Davda <bhavesh.davda> |
| Component | selinux-policy-targeted |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | medium |
| Version | 5.0 |
| CC | dwalsh, jlo, srihan |
| Hardware | All |
| OS | Linux |
| Fixed In Version | RC |
| Doc Type | Bug Fix |
| Last Closed | 2007-02-16 14:26:52 UTC |
Description
Bhavesh Davda
2007-02-07 18:55:57 UTC
Created attachment 147587: Test mini-app that shows bind(2) failure with SELinux
Are you seeing avc messages in /var/log/audit/audit.log or /var/log/messages?

Yup:

/var/log/audit/audit.log:

```
type=AVC msg=audit(1171573264.718:343): avc: denied { node_bind } for pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 ppid=7136 pid=7173 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 comm="bindicmp" exe="/root/bindicmp" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=SOCKADDR msg=audit(1171573264.718:343): saddr=0200000000000000087DB3FFA2840408
```

Nothing interesting in /var/log/messages.

Which policy are you seeing this with? selinux-policy-2.4.6-32.el5 allows this.

Dan

I've got selinux-policy-2.3.3-22 installed.

/etc/redhat-release: Red Hat Enterprise Linux Server release 4.91 (Tikanga)

BTW, how do I figure out what's allowed and what's not as far as SELinux kernel policies are concerned? I.e., how do I decode /etc/selinux/targeted/modules/active/policy.kern?

Thanks.

Please update policy and see if the problem goes away. You can find the latest policy on http://people.redhat.com/dwalsh/SELinux/RHEL5

If you have setools installed, you can use apol and seinfo to look at the way policy is constructed. But it will not be easy to understand. The goal is to let every confined process have all the access it needs to get its job done, and no more. Unconfined domains should be allowed to do everything they could do without SELinux installed (unconfined_t, initrc_t, inetd_t).

ps -eZ will show you the security context of all processes running on your system.
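As an added example (not code from the bug report or from the selinux-policy package), a small Python triage script that parses the three audit records quoted above, decodes the raw `saddr` and the i386 `socketcall` arguments, and shows that the denied call was `bind()` to 0.0.0.0, which is why the target type is `inaddr_any_node_t` and the permission is `node_bind` on `rawip_socket`. The record format and syscall numbering are those of an i386 RHEL 5 box; `AUDIT_LINES` is the page's own log, embedded as sample input.

```python
import errno
import re
import socket
import struct
from collections import defaultdict

# Sample input: the three audit records quoted in the bug, one event (serial 343).
AUDIT_LINES = [
    'type=AVC msg=audit(1171573264.718:343): avc: denied { node_bind } for pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket',
    'type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 ppid=7136 pid=7173 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 comm="bindicmp" exe="/root/bindicmp" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)',
    'type=SOCKADDR msg=audit(1171573264.718:343): saddr=0200000000000000087DB3FFA2840408',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value tokens of a record
EVENT = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')   # timestamp:serial ties records together
DENIED = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')  # the permission(s) the AVC refused

# arch=40000003 is i386, where syscall 102 is socketcall and a0 selects the real call.
SOCKETCALL = {1: 'socket', 2: 'bind', 3: 'connect', 4: 'listen'}

def decode_saddr(hexstr):
    """Decode the raw struct sockaddr the kernel logged; only AF_INET is handled."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]        # sa_family is host order (little-endian here)
    if family != socket.AF_INET:
        return {'family': family}
    port = struct.unpack('!H', raw[2:4])[0]         # sin_port and sin_addr are network order
    return {'family': 'AF_INET', 'port': port, 'addr': socket.inet_ntoa(raw[4:8])}

def summarize(lines):
    """Group records by audit serial and describe each denial: who, what, where, and the result."""
    events = defaultdict(dict)
    for line in lines:
        fields = dict(FIELD.findall(line))
        ev = events[EVENT.search(line).group(2)]
        if fields['type'] == 'AVC':
            ev['perm'] = DENIED.search(line).group(1)
            ev['tclass'] = fields['tclass']
            ev['scontext'], ev['tcontext'] = fields['scontext'], fields['tcontext']
        elif fields['type'] == 'SYSCALL':
            code = int(fields['exit'])
            ev['errno'] = errno.errorcode.get(-code, str(code))   # -13 -> EACCES
            ev['exe'] = fields['exe'].strip('"')
            if fields['arch'] == '40000003' and fields['syscall'] == '102':
                ev['syscall'] = 'socketcall(%s)' % SOCKETCALL.get(int(fields['a0'], 16), fields['a0'])
        elif fields['type'] == 'SOCKADDR':
            ev['target'] = decode_saddr(fields['saddr'])   # the address bind() was given
    return dict(events)

if __name__ == '__main__':
    for serial, ev in summarize(AUDIT_LINES).items():
        print(serial, ev)
```

The decoded event shows `scontext` unconfined_t denied `node_bind` on a `rawip_socket` whose target is `inaddr_any_node_t`, for `socketcall(bind)` to 0.0.0.0:0, failing with EACCES; a policy that allows unconfined domains everything should permit this, which is the fix Dan points to.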