Bug 1321787 - SELinux prevents prosody from name_bind to TCP port 5582
Summary: SELinux prevents prosody from name_bind to TCP port 5582
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-29 07:27 UTC by Milos Malik
Modified: 2016-11-04 02:46 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:46:10 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Milos Malik 2016-03-29 07:27:21 UTC 
Description of problem:
 * SELinux denials appear when following line in /etc/prosody/prosody.cfg.lua is commented out:
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582

Version-Release number of selected component (if applicable):
prosody-0.9.10-1.el7.x86_64
selinux-policy-3.13.1-67.el7.noarch
selinux-policy-devel-3.13.1-67.el7.noarch
selinux-policy-doc-3.13.1-67.el7.noarch
selinux-policy-minimum-3.13.1-67.el7.noarch
selinux-policy-mls-3.13.1-67.el7.noarch
selinux-policy-sandbox-3.13.1-67.el7.noarch
selinux-policy-targeted-3.13.1-67.el7.noarch

How reproducible:
always

Steps to Reproduce:
# grep admin_telnet /etc/prosody/prosody.cfg.lua 
		"admin_telnet"; -- Opens telnet console interface on localhost port 5582
# setsebool -P nis_enabled off
# service prosody start

Actual results (enforcing mode):
----
type=SOCKADDR msg=audit(03/29/2016 09:16:56.516:196) : saddr=inet host:127.0.0.1 serv:5582 
type=SYSCALL msg=audit(03/29/2016 09:16:56.516:196) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x24f8380 a2=0x10 a3=0x5 items=0 ppid=25592 pid=25593 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null) 
type=AVC msg=audit(03/29/2016 09:16:56.516:196) : avc:  denied  { name_bind } for  pid=25593 comm=lua src=5582 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----
type=SOCKADDR msg=audit(03/29/2016 09:16:56.521:197) : saddr=inet6 host:::1 serv:5582 
type=SYSCALL msg=audit(03/29/2016 09:16:56.521:197) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x24faa40 a2=0x1c a3=0x6 items=0 ppid=25592 pid=25593 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null) 
type=AVC msg=audit(03/29/2016 09:16:56.521:197) : avc:  denied  { name_bind } for  pid=25593 comm=lua src=5582 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2016-03-29 08:19:02 UTC 
Following AVC appeared after switching the prosody_t domain to permissive:
----
type=SOCKADDR msg=audit(03/29/2016 10:17:27.831:517) : saddr=inet host:127.0.0.1 serv:5582 
type=SYSCALL msg=audit(03/29/2016 10:17:27.831:517) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x23fdc20 a2=0x10 a3=0x5 items=0 ppid=1678 pid=1681 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null) 
type=AVC msg=audit(03/29/2016 10:17:27.831:517) : avc:  denied  { name_bind } for  pid=1681 comm=lua src=5582 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----
Comment 7 errata-xmlrpc 2016-11-04 02:46:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
Note You need to log in before you can comment on or make changes to this bug.