1460611 – Binding and connecting to a DCCP socket raises SELinux denials

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1460611 - Binding and connecting to a DCCP socket raises SELinux denials

Summary: Binding and connecting to a DCCP socket raises SELinux denials

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.9
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-06-12 08:11 UTC by Milos Malik
Modified:	2017-10-02 13:26 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-10-02 13:26:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Milos Malik 2017-06-12 08:11:31 UTC

+++ This bug was initially created as a clone of Bug #704573 +++

Description of problem:
* dccp_socket class is defined in selinux-policy, but not even unconfined_t is allowed to use DCCP sockets

Version-Release number of selected component (if applicable):
RHEL-6.9
gstreamer-0.10.29-1.el6.x86_64
gstreamer-plugins-bad-free-0.10.19-5.el6_8.x86_64
gstreamer-plugins-base-0.10.29-2.el6.x86_64
gstreamer-plugins-good-0.10.23-4.el6_8.x86_64
gstreamer-tools-0.10.29-1.el6.x86_64
selinux-policy-3.7.19-307.el6.noarch
selinux-policy-targeted-3.7.19-307.el6.noarch

Steps to Reproduce:
# gst-launch videotestsrc ! theoraenc ! dccpserversink
Setting pipeline to PAUSED ...
ERROR: Pipeline doesn't want to pause.
ERROR: from element /GstPipeline:pipeline0/GstDCCPServerSink:dccpserversink0: Could not open resource for reading.
Additional debug info:
gstdccp.c(173): gst_dccp_create_new_socket (): /GstPipeline:pipeline0/GstDCCPServerSink:dccpserversink0:
system error: Permission denied
Setting pipeline to NULL ...
Freeing pipeline ...
#

Actual results (enforcing mode):
----
type=SYSCALL msg=audit(06/12/2017 04:08:14.466:211) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffc623e2900 items=0 ppid=1928 pid=2080 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:08:14.466:211) : avc:  denied  { create } for  pid=2080 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2017-06-12 08:13:52 UTC

Actual results (permissive mode):
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.955:220) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x3 a1=SOL_SOCKET a2=SO_REUSEADDR a3=0x7ffce414c67c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:12:11.955:220) : avc:  denied  { setopt } for  pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.867:219) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffce414c5a0 items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:12:11.867:219) : avc:  denied  { create } for  pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.955:221) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffce414c670 a2=0x10 a3=0x7ffce414c67c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc:  denied  { node_bind } for  pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket 
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc:  denied  { name_bind } for  pid=2089 comm=gst-launch-0.10 src=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket 
type=AVC msg=audit(06/12/2017 04:12:11.955:221) : avc:  denied  { bind } for  pid=2089 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:222) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x3 a1=SOL_DCCP a2=0xc a3=0x7ffce414c680 items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:12:11.956:222) : avc:  denied  { getopt } for  pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:223) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x3 a1=0x5 a2=0x2 a3=0x7ffce414c66c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:12:11.956:223) : avc:  denied  { listen } for  pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/12/2017 04:12:11.956:224) : arch=x86_64 syscall=accept success=no exit=-4(Interrupted system call) a0=0x3 a1=0x7ffce414c660 a2=0x7ffce414c65c a3=0x7ffce414c66c items=0 ppid=1928 pid=2089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:12:11.956:224) : avc:  denied  { accept } for  pid=2089 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----

Comment 2 Milos Malik 2017-06-12 08:20:00 UTC

# cat example.c 
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/in.h>

void main (void) {
  int sockfd;

  if ((sockfd = socket(AF_INET, SOCK_DCCP, IPPROTO_DCCP)) < 0) {
    perror("socket");
    exit(1);
  }
}

# gcc -o example example.c 
# ./example 
socket: Permission denied
# ausearch -m avc -i
----
type=SYSCALL msg=audit(06/12/2017 04:15:18.404:226) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffdaa9ed660 items=0 ppid=1928 pid=3683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=example exe=/root/example subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 04:15:18.404:226) : avc:  denied  { create } for  pid=3683 comm=example scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
# sesearch -c dccp_socket -A -C --dontaudit

#

Comment 3 Lukas Vrabec 2017-10-02 13:26:49 UTC

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com

Note You need to log in before you can comment on or make changes to this bug.