From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6 Description of problem: The Java app I'm using can't use TCP sockets when SELinux is enabled. It happens regardless of the mode (permissive or enforcing) or policy (strict or targeted). No message appears in syslog. I was told on fedora-selinux mailing list that it's possibly a bug in the kernel and I should report it here. Simply rebooting the system with SELinux disabled makes the app work, enabling SELinux makes the problem occur again. The bug seems to be triggered by very specific software configuration: the app I'm using and specific JRE versions (with some JREs the app is running fine). Unfortunately, the app is not free, so if you need more information you have to ask me. I run the app using strace with SELinux disabled and enabled. The relevant part of strace log is attached. Version-Release number of selected component (if applicable): kernel-2.6.12-1.1398_FC4 and kernel-2.6.11-1.1398_FC4 How reproducible: Always Steps to Reproduce: 1) Run the app 2) Enter IP address of the server Actual Results: Error message "cannot assign requested address". See strace log for more details. Expected Results: The app should connect to server using TCP. See strace log for more details. Additional info:
Created attachment 117123 [details] strace log from both working and not working configuration
selinux_socket_connect (security/selinux/hooks.c) checks the addrlen prior to extracting the port number for the name_connect permission check. In the INET6 case, it compares it with sizeof(struct sockaddr_in6) and returns -EINVAL if it doesn't match. Per the strace log, the passed in size to connect(2) was only 24, but sizeof(struct sockaddr_in6) on x86 is 28. Is passing in a shorter addrlen legal?
Are you able to provide the source to the section of code being traced here?
Ah, I see. tcp_v6_connect only requires addrlen to be >= SIN6_LEN_RFC2133, which is 24. tcp_v4_connect requires addrlen to be >= sizeof(sockaddr_in). selinux_socket_connect needs to be fixed accordingly.
(In reply to comment #3) > Are you able to provide the source to the section of code being traced here? I'll try, but it'll take a few days.
I don't think source is needed; the bug lies in selinux_socket_connect imposing greater restrictions on addrlen than the underlying ipv6 code does. Also, the check in the ipv4 case should be weakened to not require strict equality; we should just be consistent with the underlying ipv4 code there.
Created attachment 117228 [details] Fix addrlen checks in selinux_socket_connect
(In reply to comment #7) > Created an attachment (id=117228) [edit] > Fix addrlen checks in selinux_socket_connect > Looks good to me.
Ok, submitted to Andrew Morton and lkml.
(In reply to comment #7) > Created an attachment (id=117228) [edit] > Fix addrlen checks in selinux_socket_connect It works. Thanks.
fixed in cvs.
*** Bug 163006 has been marked as a duplicate of this bug. ***