1103439 – open_socket / permission dennied warnings

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1103439 - open_socket / permission dennied warnings

Summary: open_socket / permission dennied warnings

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.5
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Simon Sekidde
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1199473
TreeView+	depends on / blocked

Reported:	2014-05-31 15:10 UTC by Jorge Fábregas
Modified:	2019-12-16 04:29 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.7.19-265.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1199473 (view as bug list)
Environment:
Last Closed:	2015-07-22 07:07:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Screencast of Issue (2.40 MB, application/octet-stream) 2014-10-13 16:33 UTC, Jorge Fábregas	no flags	Details
named AVCs (133.99 KB, text/plain) 2014-10-14 11:04 UTC, Tomáš Hozza	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1312972	0	low	CLOSED	BIND - open_socket / permission denied warnings	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2015:1375	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-07-20 18:07:47 UTC

Internal Links: 1312972

Description Jorge Fábregas 2014-05-31 15:10:07 UTC

Description of problem: This a new system with only named running on it (just as a recursive nameserver) serving thousands of requests per minute.  We have lots of warnings like this:

May 31 10:45:05 lindns named[1720]: dispatch 0x7ff7e40eb150: open_socket(0.0.0.0#2605) -> permission denied: continuing
.
.
.

The provided /etc/named.conf was used with just a slight modification to enable more logging.  The rest of the parameters are the defaults.

I found a workaround on the net:

use-v4-udp-ports { range 32768 65535; };

...which I haven't implemented because I  would like to know what's goin on first & also don't want to restrict the number of ephemeral ports available to named.  I have no UDP-based service running on the machine and wondered why are we getting these "permission denied" warnnings?  Is it being denied by the kernel? Based on some criteria? (e.g. services listed in /etc/services?)? Is there a solution for this other than the above "use-v4-udp-ports" option?

Thanks.



Version-Release number of selected component (if applicable):
bind-9.8.2-0.23.rc1.el6_5.1.x86_64

Comment 2 Jorge Fábregas 2014-06-06 23:21:13 UTC

SElinux is the culprit.  I found the solution on the bind-users' mailing list (a post by Chuck Anderson) here:

https://www.mail-archive.com/bind-users@lists.isc.org/msg18593.html

The solution is to specify:

 avoid-v4-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };
 avoid-v6-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };

...in /etc/named.conf.

The reason the SElinux AVCs weren't being logged was because these were "silent denials" (controlled by dontaudit rules).  In order to see the actual denials you must run:

# semodule -DB

Considering the SELinux is enabled by default, it would be great if the default/stock named.conf already had the above options; it would save a lot of time for anyone trying to troubleshoot this (there are no clues on the system due to the silent denials).

Thanks.

Comment 3 Daniel Walsh 2014-06-09 11:38:51 UTC

We can open up more ports or allow udp to listen on all ports. The goal is to prevent a hacked named from using other well known ports.

Comment 4 Tomáš Hozza 2014-10-01 13:40:52 UTC

Dan, do you intend to adjust the policy to let BIND to use those ports?

Comment 5 Rob Foehl 2014-10-11 07:21:58 UTC

Please consider updating the policy to allow BIND to use any port it wants -- there's not much to be gained by doing otherwise, especially when it's already allowed to originate traffic from a far more recognizable reserved port.

I have a dual-stacked resolver on Fedora 20 that's been banging into denials for these ports on both protocols for a while now:

1935 2605 4321 4444 5546 8554 8610 8611 8612 8613 8614

That list may be of use for anyone wishing to try the avoid-*-ports method for the time being.

-Rob

Comment 6 Daniel Walsh 2014-10-12 11:25:03 UTC

Fedora policy has 

corenet_udp_bind_all_unreserved_ports(named_t)

Which allows named to bind to any UDP port > 1024.

Comment 7 Tomáš Hozza 2014-10-13 10:54:30 UTC

(In reply to Jorge Fábregas from comment #0)
> Description of problem: This a new system with only named running on it
> (just as a recursive nameserver) serving thousands of requests per minute. 
> We have lots of warnings like this:
> 
> May 31 10:45:05 lindns named[1720]: dispatch 0x7ff7e40eb150:
> open_socket(0.0.0.0#2605) -> permission denied: continuing

To be honest, I'm not able to reproduce this on 6.5 with SELinux in Enforcing mode and named configured with:

use-v4-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };
use-v6-udp-ports { 1935; 2605; 4321; 6514; range 8610 8614; };

From wireshark I can see that named used e.g. UDP port 2605, 4321 and others successfully.


Also based on Dan's comment #6, the policy should not cause issues like this.

Comment 8 Jorge Fábregas 2014-10-13 12:24:00 UTC

Tomas,

You're not going to be able to reproduce it if you specify those two lines in named.conf (since you're actually telling bind NOT to use those ports) & therefore you won't see the "dispatch/open socket/permission denied" messages in syslog (or the corresponding AVCs in audit.log if you disable the silent denials from SElinux).

In a nutshell, please either:

- fix the selinux policy for RHEL6 (as it is in the latest Fedora)

or

- add thoe two directives to the default named.conf

Thanks.

-- 
Jorge

Comment 9 Tomáš Hozza 2014-10-13 13:09:30 UTC

(In reply to Jorge Fábregas from comment #8)
> Tomas,
> 
> You're not going to be able to reproduce it if you specify those two lines
> in named.conf (since you're actually telling bind NOT to use those ports) &
> therefore you won't see the "dispatch/open socket/permission denied"
> messages in syslog (or the corresponding AVCs in audit.log if you disable
> the silent denials from SElinux).

No, I configured BIND to use *ONLY* those ports. Please check the comment #7 once again.

We are not going to do any changes until reproduced and proved there is really some issue in the policy or BIND configuration.

Comment 10 Jorge Fábregas 2014-10-13 13:45:43 UTC

My mistake Tomas.  I see your point.  Well if you don't see the AVCs (after turning on silent denials) I'll assume the selinux policy has been updated to include those ports for bind?  (I don't have access to the box anymore).

Comment 11 Tomáš Hozza 2014-10-13 15:13:36 UTC

(In reply to Jorge Fábregas from comment #10)
> My mistake Tomas.  I see your point.  Well if you don't see the AVCs (after
> turning on silent denials) I'll assume the selinux policy has been updated
> to include those ports for bind?  (I don't have access to the box anymore).

Yes I did. There are no messages about named WRT socket binding.

The policy doesn't seem to changed. Maybe you had some custom policy installed?

I'm closing this Bug as NOTABUG as it obviously works on RHEL-6.5 with SELinux in Enforcing mode.

Comment 12 Jorge Fábregas 2014-10-13 15:34:19 UTC

Tomas,

If you would, at least, give me a break & allow me to reply back before closing the bug...

I fired up new VM (RHEL 6.5) and the issue is TOTALLY there.  I never said that I modified my selinux policy. In fact, I don't know which RHEL 6.5 you're running.  I'm not the only in this bug recognizing the issue is still there.

I'm uploading screencast in 5 minutes.

-- 
Jorge

Comment 13 Jorge Fábregas 2014-10-13 16:33:54 UTC

Created attachment 946486 [details]
Screencast of Issue

I hope everything is clear now with the screencast.  This is a plain-vanilla system with JUST the updates as of today.

Comment 14 Tomáš Hozza 2014-10-14 11:03:43 UTC

OK, I can see that now.

I was testing it on RHEL-6.5 Server. However I ran named in the foreground, not using service command. It was running with a different SELinux label, I think that's why it worked.

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 named 1319 0.0  1.3 160548 13348 pts/0 Sl+ 12:45   0:00 named -u named -fg

started by 'service':
unconfined_u:system_r:named_t:s0 named    1247  0.0  0.6 160548 12112 ?        Ssl  11:21   0:00 /usr/sbin/named -u named


Now I can see the AVCs...

I'm really reluctant to modifying the default named configuration, especially because it will not make any change for users that are running named with custom configuration on top of RHEL-6.

I'm moving this bug to selinux-policy to consider adjusting it (as it is already done in Fedora).

Comment 15 Tomáš Hozza 2014-10-14 11:04:20 UTC

Created attachment 946832 [details]
named AVCs

Comment 17 Bojan Smojver 2014-12-04 19:10:38 UTC

Shouldn't this be related to ip_local_port_range (default 32768:61000)? In other words:

avoid-v4-udp-ports { range 0 32767; range 61001 65535; };

Comment 26 errata-xmlrpc 2015-07-22 07:07:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

Note You need to log in before you can comment on or make changes to this bug.