Bug 1113138 - Not all of radiusd ports are in selinux policy
Summary: Not all of radiusd ports are in selinux policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-25 13:40 UTC by David Spurek
Modified: 2015-11-02 14:04 UTC (History)

Fixed In Version: selinux-policy-3.13.1-21.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:40:10 UTC
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Product Errata RHBA-2015:0458
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2015-03-05 15:17:00 UTC

Description David Spurek 2014-06-25 13:40:16 UTC
Description of problem:
Not all of radiusd ports are in selinux policy. Default configuration of freeradius contains ports 1812,1813,1814,18120,18121 but some of them aren't in policy.

Used ports when service is running:

[root@rhel7 ~]# netstat -putna | grep radius
udp        0      0 127.0.0.1:18120         0.0.0.0:*                           29050/radiusd       
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           29050/radiusd       
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           29050/radiusd       
udp        0      0 0.0.0.0:1814            0.0.0.0:*                           29050/radiusd

Some of them are unreserved:
# seinfo --portcon=1812
	portcon udp 1812 system_u:object_r:radius_port_t:s0
	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# seinfo --portcon=1813
 	portcon udp 1813 system_u:object_r:radacct_port_t:s0
 	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
 	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# seinfo --portcon=1814
 	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
 	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# seinfo --portcon=18120
 	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
 	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# seinfo --portcon=18121
 	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
 	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7

Additional info:
I see other ports in default radiusd configuration files but some of them are unreserved too (but they probably aren't radiusd ports).

[root@rhel7 ~]# grep -R 'port =' /etc/raddb/ *
/etc/raddb/mods-available/redis:	port = 6379
/etc/raddb/mods-available/sql:#	port = 3306
/etc/raddb/mods-available/ldap:#	port = 389
/etc/raddb/proxy.conf:	port = 1812
/etc/raddb/sites-available/README:			port = 2000
/etc/raddb/sites-available/coa:	port = 3799
/etc/raddb/sites-available/default:	#    * You should probably set "port = 0".
/etc/raddb/sites-available/default:	port = 0
/etc/raddb/sites-available/default:	port = 0
/etc/raddb/sites-available/dhcp:	port = 6700
/etc/raddb/sites-available/dhcp.relay:		port = 67
/etc/raddb/sites-available/example:		port = 1821
/etc/raddb/sites-available/inner-tunnel:       port = 18120
/etc/raddb/sites-available/originate-coa:	port = 3799
/etc/raddb/sites-available/robust-proxy-accounting:	port = 1813
/etc/raddb/sites-available/robust-proxy-accounting:	port = 1813
/etc/raddb/sites-available/status:		port = 18121
/etc/raddb/sites-available/tls:	port = 2083
/etc/raddb/sites-available/tls:	port = 2083
/etc/raddb/sites-available/vmps:		port = 1589
/etc/raddb/sites-enabled/default:	#    * You should probably set "port = 0".
/etc/raddb/sites-enabled/default:	port = 0
/etc/raddb/sites-enabled/default:	port = 0
/etc/raddb/sites-enabled/inner-tunnel:       port = 18120
/etc/raddb/templates.conf:		port = 1812

Comment 1 David Spurek 2014-06-25 14:02:25 UTC
radiusd -X shows its usage for these ports:

Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814

Comment 2 David Spurek 2014-06-25 14:11:46 UTC
I see that port 18121 is used for status-server (described in /etc/raddb/sites-available/status file). Only Status-Server packets are processed in that port.

Comment 3 David Spurek 2014-06-30 14:45:12 UTC
selinux-policy should allow binding radiusd to tcp ports 1812 and 1813.

cat /etc/services | grep radius
...
radius          1812/tcp                        # Radius
radius          1812/udp                        # Radius
radius-acct     1813/tcp        radacct         # Radius Accounting
radius-acct     1813/udp        radacct         # Radius Accounting

I can add 'proto = tcp' to the listen section in /etc/raddb/sites-enabled/default.
Start of the radiusd service then fails because selinux doesn't allow name_bind to the tcp port.

type=SYSCALL msg=audit(1404138922.748:304): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffebd03520 a2=10 a3=7f2c0a0052e0 items=0 ppid=5964 pid=5967 auid=4294967295 uid=0 gid=95 euid=0 suid=0 fsuid=0 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1404138922.748:304): avc:  denied  { name_bind } for  pid=5967 comm="radiusd" src=1812 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
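The checks in the description and in comment 3 can be scripted. The following Python is added here and is not part of the bug report or of the selinux-policy project: it parses `seinfo --portcon` and audit AVC output (constructed samples copied in shape from this page), resolves the label each radiusd port actually gets, and emits the `semanage port` commands that would give the listening ports the labels this report ends up with. The expected-label table is an assumption drawn from the fix commits, and port 1814 is left out because the report never settles it.

```python
import re

# Constructed sample shaped like the seinfo --portcon output in the report:
# only udp/1812, udp/1813 and tcp/2083 carry specific labels.
PORTCON_SAMPLE = """
portcon udp 1812 system_u:object_r:radius_port_t:s0
portcon udp 1813 system_u:object_r:radacct_port_t:s0
portcon tcp 2083 system_u:object_r:radsec_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
"""
# Constructed AVC lines shaped like the name_bind denials in comments 3 and 14.
AVC_SAMPLE = """
type=AVC msg=audit(1404138922.748:304): avc:  denied  { name_bind } for  pid=5967 comm="radiusd" src=1812 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(12/12/2014 09:38:40.941:6592) : avc:  denied  { name_bind } for  pid=35091 comm=radiusd src=18120 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""
# Labels the report and its fix commits settle on; assumption: the added tcp
# entries share the type of their udp counterparts (1814 is not addressed).
EXPECTED = [("udp", 1812, "radius_port_t"), ("tcp", 1812, "radius_port_t"),
            ("udp", 1813, "radacct_port_t"), ("tcp", 1813, "radacct_port_t"),
            ("tcp", 2083, "radsec_port_t"),
            ("tcp", 18120, "radius_port_t"), ("tcp", 18121, "radius_port_t")]

PORTCON_RE = re.compile(r"portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+\S+?:object_r:(\w+):")
AVC_RE = re.compile(r'avc:\s+denied\s+\{ name_bind \}.*?comm="?(\w+)"?\s+src=(\d+)'
                    r'.*?tcontext=\S+?:object_r:(\w+):.*?tclass=(tcp|udp)_socket')

def parse_portcon(text):
    """(proto, low, high, type) per portcon line; a single port has low == high."""
    return [(p, int(lo), int(hi or lo), t) for p, lo, hi, t in PORTCON_RE.findall(text)]

def port_type(rules, proto, port):
    """Narrowest matching rule wins: udp/1812 is radius_port_t, not the 1024-32767 range."""
    hits = [(hi - lo, t) for p, lo, hi, t in rules if p == proto and lo <= port <= hi]
    return min(hits)[1] if hits else None

def denied_binds(audit_text):
    """{(proto, port): port type that radiusd was refused name_bind on}."""
    return {(proto, int(port)): t for _, port, t, proto in AVC_RE.findall(audit_text)}

def remediation(rules, expected):
    """semanage commands for expected labels the loaded policy lacks: -a where only a
    generic range matches, -m where the port already has a different specific label."""
    cmds = []
    for proto, port, want in expected:
        have = port_type(rules, proto, port)
        if have != want:
            flag = "-a" if have in (None, "unreserved_port_t") else "-m"
            cmds.append(f"semanage port {flag} -t {want} -p {proto} {port}")
    return cmds
```

Relabelling alone does not help when the type exists but the domain has no name_bind rule for it, as comment 18 later shows for radsec_port_t; that case needs an allow rule in a policy module, which is what the final commits add.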

Comment 5 Stefan Paetow 2014-08-28 13:50:46 UTC
You should also include port 2083 on TCP. TLS support in FreeRADIUS (used with RADSEC) uses TCP:2083. 

:-)

Comment 6 Miroslav Grepl 2014-09-18 15:09:02 UTC
commit 2ce1bd7a87b91c53e47098f426a8d7ff04ff975a
Author: Miroslav Grepl <mgrepl>
Date:   Thu Sep 18 17:08:29 2014 +0200

    Add support also for tcp radius ports.

Comment 12 Miroslav Grepl 2015-01-07 14:00:27 UTC
So we need to add types also for tcp/2083 and tcp/18120, right?

Comment 13 Stefan Paetow 2015-01-07 14:20:26 UTC
tcp/2083 yes, tcp/18120 no (you don't have a udp/18120 in this policy, do you?) 
AFAIK, port 18120 is open on UDP to localhost only.

Comment 14 Miroslav Grepl 2015-01-07 15:18:44 UTC
I see

type=AVC msg=audit(12/12/2014 09:38:40.941:6592) : avc:  denied  { name_bind } for  pid=35091 comm=radiusd src=18120 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Comment 15 Stefan Paetow 2015-01-07 15:32:14 UTC
Ahh, in that case... yes.

Comment 16 Miroslav Grepl 2015-01-09 11:46:56 UTC
commit 40eef7dcea8bbbfde3d1334348d2852dcb7cad1b
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 9 12:41:20 2015 +0100

    Update radius port definition to have also tcp/18121.

commit bab3360972b40d2e4053856dffdba3e59ed73e07
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 9 12:32:29 2015 +0100

    Add 18120/tcp as radius port.

Comment 18 Milos Malik 2015-01-16 15:06:27 UTC
# seinfo --portcon=2083
	portcon tcp 2083 system_u:object_r:radsec_port_t:s0
	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# sesearch -s radiusd_t -t radsec_port_t -A -C
Found 4 semantic av rules:
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow radiusd_t port_type : udp_socket { recv_msg send_msg } ; 
ET allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]
ET allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ; [ nis_enabled ]

# 

The policy defines radsec_port_t, but does not allow name_bind or name_connect to it. That's interesting.

Comment 19 Miroslav Grepl 2015-01-20 18:52:10 UTC
commit f98413d1a54c821d97b319a69378a2df37bab510
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 20 19:49:44 2015 +0100

    Allow radius to bind radsec ports.

Comment 23 Miroslav Grepl 2015-01-28 07:23:06 UTC
commit 4bda4dd357a4eaa2770fd09edad69fc5f872eb11
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jan 28 08:21:31 2015 +0100

    Allow radiusd to connect to radsec ports.

Comment 29 errata-xmlrpc 2015-03-05 10:40:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

