Bug 164165 - enabling SELinux prevents Java app from using TCP sockets
Status: CLOSED ERRATA
Product: Fedora
Component: kernel
Version: 4
Hardware: i386 Linux
Priority: medium Severity: low
Assigned To: James Morris
QA Contact: Brian Brock
Duplicates: 163006
Reported: 2005-07-25 11:37 EDT by Igor Wawrzyniak
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-08-29 21:52:23 EDT

Attachments
strace log from both working and not working configuration (2.47 KB, text/plain)
2005-07-25 11:39 EDT, Igor Wawrzyniak
Fix addrlen checks in selinux_socket_connect (861 bytes, patch)
2005-07-28 09:33 EDT, Stephen Smalley

Description Igor Wawrzyniak 2005-07-25 11:37:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
The Java app I'm using can't use TCP sockets when SELinux is enabled. It happens regardless of the mode (permissive or enforcing) or policy (strict or targeted). No message appears in syslog. I was told on fedora-selinux mailing list that it's possibly a bug in the kernel and I should report it here. Simply rebooting the system with SELinux disabled makes the app work, enabling SELinux makes the problem occur again.

The bug seems to be triggered by very specific software configuration: the app I'm using and specific JRE versions (with some JREs the app is running fine). Unfortunately, the app is not free, so if you need more information you have to ask me.

I ran the app under strace with SELinux disabled and enabled. The relevant part of the strace log is attached.

Version-Release number of selected component (if applicable):
kernel-2.6.12-1.1398_FC4 and kernel-2.6.11-1.1398_FC4

How reproducible:
Always

Steps to Reproduce:
1) Run the app
2) Enter IP address of the server

Actual Results:  Error message "cannot assign requested address". See strace log for more details.

Expected Results:  The app should connect to server using TCP. See strace log for more details.

Additional info:
Comment 1 Igor Wawrzyniak 2005-07-25 11:39:04 EDT
Created attachment 117123 [details]
strace log from both working and not working configuration
Comment 2 Stephen Smalley 2005-07-28 08:56:18 EDT
selinux_socket_connect (security/selinux/hooks.c) checks the addrlen prior
to extracting the port number for the name_connect permission check.  In the
INET6 case, it compares it with sizeof(struct sockaddr_in6) and returns -EINVAL
if it doesn't match.  Per the strace log, the passed in size to connect(2) was
only 24, but sizeof(struct sockaddr_in6) on x86 is 28.  Is passing in a shorter
addrlen legal?
Comment 3 James Morris 2005-07-28 09:00:55 EDT
Are you able to provide the source to the section of code being traced here?
Comment 4 Stephen Smalley 2005-07-28 09:05:37 EDT
Ah, I see.  tcp_v6_connect only requires addrlen to be >= SIN6_LEN_RFC2133, which
is 24.  tcp_v4_connect requires addrlen to be >= sizeof(sockaddr_in).

selinux_socket_connect needs to be fixed accordingly.
Comment 5 Igor Wawrzyniak 2005-07-28 09:17:44 EDT
(In reply to comment #3)
> Are you able to provide the source to the section of code being traced here?

I'll try, but it'll take a few days.
Comment 6 Stephen Smalley 2005-07-28 09:23:41 EDT
I don't think source is needed; the bug lies in selinux_socket_connect imposing
greater restrictions on addrlen than the underlying ipv6 code does.  Also, the
check in the ipv4 case should be weakened to not require strict equality; we
should just be consistent with the underlying ipv4 code there.
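Comments 2, 4 and 6 describe the defect precisely: the LSM hook validated `addrlen` more strictly than the protocol code behind it, so a connect(2) the IPv6 stack itself accepts (24 bytes, `SIN6_LEN_RFC2133`) was refused with `-EINVAL` before the `name_connect` permission check ever ran. The following user-space model is an added example, not the attached kernel patch or any code from the report: it places the strict-equality rule beside the corrected "no stricter than the protocol" rule, validates the length before reading the port the way a name_connect-style check would, and feeds both a constructed 24-byte `sockaddr_in6`. The `SIN6_LEN_RFC2133` value of 24 and the `8080` port are taken from comment 4 and a constructed sample respectively; the function names are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Minimum IPv6 address length accepted by the IPv6 connect path, per
 * comment 4 (the RFC 2133 sockaddr_in6 layout, without sin6_scope_id).
 * This is a kernel-internal define, so it is supplied here for user space. */
#ifndef SIN6_LEN_RFC2133
#define SIN6_LEN_RFC2133 24
#endif

/* Model of the check before the fix: the IPv6 branch demanded that addrlen
 * equal sizeof(struct sockaddr_in6) exactly (28 on x86), so a 24-byte address
 * that the protocol layer itself accepts was refused with -EINVAL. */
int addrlen_check_strict(sa_family_t family, size_t addrlen)
{
    switch (family) {
    case AF_INET:
        return addrlen != sizeof(struct sockaddr_in) ? -EINVAL : 0;
    case AF_INET6:
        return addrlen != sizeof(struct sockaddr_in6) ? -EINVAL : 0;
    default:
        return 0; /* families without a port are not length-checked here */
    }
}

/* Model of the corrected rule from comments 4 and 6: the hook is no stricter
 * than the protocol code it sits in front of, i.e. >= sizeof(sockaddr_in) for
 * IPv4 and >= SIN6_LEN_RFC2133 for IPv6. */
int addrlen_check_fixed(sa_family_t family, size_t addrlen)
{
    switch (family) {
    case AF_INET:
        return addrlen < sizeof(struct sockaddr_in) ? -EINVAL : 0;
    case AF_INET6:
        return addrlen < SIN6_LEN_RFC2133 ? -EINVAL : 0;
    default:
        return 0;
    }
}

/* Validate addrlen with the selected rule, then read the destination port the
 * way a name_connect-style check would. Returns 0 and fills *port, or -EINVAL.
 * The port field sits within the first 4 bytes for both families, so a length
 * that passed the check is always safe to read from. */
int connect_port_for_check(const struct sockaddr *addr, size_t addrlen,
                           int strict, unsigned short *port)
{
    int rc;

    if (addrlen < sizeof(sa_family_t))
        return -EINVAL;

    rc = strict ? addrlen_check_strict(addr->sa_family, addrlen)
                : addrlen_check_fixed(addr->sa_family, addrlen);
    if (rc)
        return rc;

    if (addr->sa_family == AF_INET)
        *port = ntohs(((const struct sockaddr_in *)addr)->sin_port);
    else if (addr->sa_family == AF_INET6)
        *port = ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    else
        return -EINVAL;
    return 0;
}

/* Constructed sample: a full sockaddr_in6 handed over with addrlen 24, as the
 * strace in the report shows the JRE doing. Returns the extracted port, or the
 * negative errno the check produced. */
int sample_ipv6_connect_port(int strict)
{
    struct sockaddr_in6 sin6;
    unsigned short port = 0;
    int rc;

    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(8080); /* constructed port value */
    inet_pton(AF_INET6, "::1", &sin6.sin6_addr);

    rc = connect_port_for_check((const struct sockaddr *)&sin6,
                                SIN6_LEN_RFC2133, strict, &port);
    return rc ? rc : (int)port;
}
```

Under the strict rule `sample_ipv6_connect_port(1)` returns `-EINVAL` before any policy decision is made, which is why the failure showed up in every SELinux mode and policy and never produced an AVC message; under the corrected rule the same call yields the port, and the permission check can proceed. The general lesson for a hook author is that a security hook should validate only what it needs for its own decision and otherwise defer to the code path it guards, since an extra restriction turns into a silent denial with no audit trail.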
Comment 7 Stephen Smalley 2005-07-28 09:33:09 EDT
Created attachment 117228 [details]
Fix addrlen checks in selinux_socket_connect
Comment 8 James Morris 2005-07-28 12:23:45 EDT
(In reply to comment #7)
> Created an attachment (id=117228) [edit]
> Fix addrlen checks in selinux_socket_connect
> 

Looks good to me.
Comment 9 Stephen Smalley 2005-07-28 16:20:59 EDT
Ok, submitted to Andrew Morton and lkml.
Comment 10 Igor Wawrzyniak 2005-07-29 04:20:26 EDT
(In reply to comment #7)
> Created an attachment (id=117228) [edit]
> Fix addrlen checks in selinux_socket_connect

It works. Thanks.
Comment 11 Dave Jones 2005-08-03 18:22:21 EDT
fixed in cvs.
Comment 12 Archit Shah 2005-08-25 15:50:23 EDT
*** Bug 163006 has been marked as a duplicate of this bug. ***