RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1222903 - [SELinux] AVC denials may appear when kadmind starts
Summary: [SELinux] AVC denials may appear when kadmind starts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks: 1203889
TreeView+ depends on / blocked
 
Reported: 2015-05-19 12:15 UTC by Patrik Kis
Modified: 2015-11-19 05:13 UTC (History)
4 users (show)

Fixed In Version: krb5-1.13.2-3.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1227542 (view as bug list)
Environment:
Last Closed: 2015-11-19 05:13:44 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Prototype patch from krb5 1.13.3 development which fixes the unneeded |htons()| ... (412 bytes, patch)
2015-05-22 09:57 UTC, Roland Mainz
pkis: review+
Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2154 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix, and enhancement update 2015-11-19 08:16:22 UTC

Description Patrik Kis 2015-05-19 12:15:04 UTC
Description of problem:
After krb5 rebase to krb5-1.13.2-1.el7 when kadmind starts AVC denials appear from time to time:

type=SYSCALL msg=audit(05/19/2015 12:19:54.682:663) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xe a1=0x7fff04eac580 a2=0x1c a3=0x7fff04eac510 items=0 ppid=10156 pid=10159 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2015 12:19:54.682:663) : avc:  denied  { name_bind } for  pid=10159 comm=kadmind src=61443 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 


Version-Release number of selected component (if applicable):
krb5-1.13.2-1.el7
but krb5-1.13.1-1.el7 too

How reproducible:
AVCs appears in about every 2nd start

Steps to Reproduce:
1. Just start kadmind and check AVCs

strace revealed some details about the bids that causes the AVCs:

# date
Tue May 19 13:49:08 CEST 2015
# strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep -e socket -e bind
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 9
bind(9, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 10
bind(10, {sa_family=AF_INET6, sin6_port=htons(464), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 11
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 11
bind(11, {sa_family=AF_INET6, sin6_port=htons(464), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 12
bind(12, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 13
bind(13, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
bind(13, {sa_family=AF_INET, sin_port=htons(30722), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument)
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 14
bind(14, {sa_family=AF_INET6, sin6_port=htons(749), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
bind(14, {sa_family=AF_INET6, sin6_port=htons(30978), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument)
#
# ausearch -i -m avc -ts 13:49:08
----
type=SYSCALL msg=audit(05/19/2015 13:49:11.387:762) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xd a1=0x7fff266ecc10 a2=0x10 a3=0x7fff266ec8b0 items=0 ppid=876 pid=880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2015 13:49:11.387:762) : avc:  denied  { name_bind } for  pid=880 comm=kadmind src=30722 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----
type=SYSCALL msg=audit(05/19/2015 13:49:11.388:763) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xe a1=0x7fff266ecc10 a2=0x1c a3=0x7fff266ecba0 items=0 ppid=876 pid=880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2015 13:49:11.388:763) : avc:  denied  { name_bind } for  pid=880 comm=kadmind src=30978 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
#

In this case the AVCs were caused by bind attempt to ports: 30722 and 30978
Which fall into "unreserved_port_t":
# semanage port -l |grep unreserved_port_t
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535

It looks like kadmind somehow rotate the port numbers, what explains why there is AVC denial only from time to time:

# for i in `seq 0 10`; do killall kadmind; strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep bind |grep -ve 'htons(464)' -e 'htons(749)' -e 'htons(0)';sleep 1; done
bind(13, {sa_family=AF_INET, sin_port=htons(55042), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument)
bind(14, {sa_family=AF_INET6, sin6_port=htons(55298), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument)
bind(13, {sa_family=AF_INET, sin_port=htons(58370), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument)
bind(14, {sa_family=AF_INET6, sin6_port=htons(58626), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument)
bind(13, {sa_family=AF_INET, sin_port=htons(62722), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(62978), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(771), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(3843), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(4099), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(7171), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(7427), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(10499), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(10755), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(14851), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(15107), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(18179), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(18435), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(21507), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(21763), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(24835), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(25091), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)


The previous version where the AVCs have newer appeared (krb5-1.12.2-14.el7), tries a similar bind but with narrower range of ports:

# rpm -q krb5-libs
krb5-libs-1.12.2-14.el7.x86_64
# for i in `seq 0 10`; do killall kadmind; strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep bind |grep -ve 'htons(464)' -e 'htons(749)' -e 'htons(0)';sleep 1; done
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(1005), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(1006), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(1022), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(1023), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(611), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(612), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(624), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(625), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
 ... snip

for which it looks like there is a dontaudit selinux policy, therefore no AVCs appear:

# sesearch -D -C -s kadmind_t -t kerberos_password_port_t -c tcp_socket |grep name_bind 
   dontaudit kadmind_t reserved_port_type : tcp_socket name_bind ; 
DT dontaudit kadmind_t defined_port_type : tcp_socket name_bind ; [ nis_enabled ]
DT dontaudit kadmind_t port_type : tcp_socket name_bind ; [ nis_enabled ]


The question is what are these bind attempts (I guess there are good reason for them) and why the range of port changed. If the change is expected I think the bug sould be forwarded to selinux-policy to add a policy for this case. But I think, first it should be checked if the change is not a regression in krb5 component.

Comment 3 Roland Mainz 2015-05-19 13:07:16 UTC
Mine... all Mine...
... taking bug myself...

... question:
pkis: Shouldn't this be fixed in the SELinux config somehow ?

Comment 4 Patrik Kis 2015-05-19 14:13:13 UTC
(In reply to Roland Mainz from comment #3)
> Mine... all Mine...
> ... taking bug myself...
> 
> ... question:
> pkis: Shouldn't this be fixed in the SELinux config somehow ?

If the change in krb5 was intentional and these bind attempts are needed, then it should be fixed in selinux-policy.

Comment 5 Roland Mainz 2015-05-19 19:41:21 UTC
(In reply to Patrik Kis from comment #4)
> (In reply to Roland Mainz from comment #3)
> > Mine... all Mine...
> > ... taking bug myself...
> > 
> > ... question:
> > pkis: Shouldn't this be fixed in the SELinux config somehow ?
> 
> If the change in krb5 was intentional and these bind attempts are needed,
> then it should be fixed in selinux-policy.

OK... I've discussed the issue with upstream:
There are two things going on here:
1. kadmind needs to create an RPC listener socket, but on a fixed port, which is not the way the RPC library usually thinks.
Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|, which just fails with |EINVAL| because the socket is already bound.  This is... erm... unelegant... but harmless except for triggering SELinux's security checks.

2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the wrong port numbers to be tried.
That's why the range of ports tried changes from krb5 1.12 to krb5 1.13.

Upstream will try to tackle [2] above, but [1] is definitely in SELinux's territory.

Comment 6 Patrik Kis 2015-05-22 08:18:48 UTC
(In reply to Roland Mainz from comment #5)
> (In reply to Patrik Kis from comment #4)
> > (In reply to Roland Mainz from comment #3)
> > > Mine... all Mine...
> > > ... taking bug myself...
> > > 
> > > ... question:
> > > pkis: Shouldn't this be fixed in the SELinux config somehow ?
> > 
> > If the change in krb5 was intentional and these bind attempts are needed,
> > then it should be fixed in selinux-policy.
> 
> OK... I've discussed the issue with upstream:
> There are two things going on here:
> 1. kadmind needs to create an RPC listener socket, but on a fixed port,
> which is not the way the RPC library usually thinks.
> Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|,
> which just fails with |EINVAL| because the socket is already bound.  This
> is... erm... unelegant... but harmless except for triggering SELinux's
> security checks.
> 
> 2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the
> wrong port numbers to be tried.
> That's why the range of ports tried changes from krb5 1.12 to krb5 1.13.
> 
> Upstream will try to tackle [2] above, but [1] is definitely in SELinux's
> territory.

If I understand correctly the fix in krb5 will fix it's bug and the attempted ports will move back to the original range (i.e. 1-511 or similar). If this is the case we are ok, because this is already addressed in the current selinux-policy. If the ports range will be different, please let me know, we can discuss it with selinux devels.

One more question, is there an upstream ticket for this issue? Could you link it here?

Comment 7 Roland Mainz 2015-05-22 09:57:26 UTC
Created attachment 1028666 [details]
Prototype patch from krb5 1.13.3 development which fixes the unneeded |htons()| ...

Comment 8 Patrik Kis 2015-05-22 14:30:05 UTC
(In reply to Roland Mainz from comment #7)
> Created attachment 1028666 [details]
> Prototype patch from krb5 1.13.3 development which fixes the unneeded
> |htons()| ...

Confirm the patch; according to my tests it fixes the issue. Thanks.

Comment 10 Roland Mainz 2015-06-01 12:00:55 UTC
pkis: Thanks for the review&&testing.

Fix added in krb5-1.13.2-3.el7 ...

... marking bug as MODIFIED

Comment 15 errata-xmlrpc 2015-11-19 05:13:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html


Note You need to log in before you can comment on or make changes to this bug.