Red Hat Bugzilla – Bug 213062
[labeled networking] NetLabel does not protect against setsockopt()
Last modified: 2007-11-30 17:07:36 EST
Description of problem:
Currently SELinux policies do not prevent most applications from calling
setsockopt() which puts the NetLabel security attributes at risk from tampering
by unprivileged applications. A patch has been posted to the netdev and SELinux
mailing lists which addresses this problem by preventing applications from
removing NetLabel security attributes from a socket as well as requiring the
CAP_NET_RAW capability to set a CIPSO option on a socket. The patch can be
I am also attaching a simple test program which demonstrates the problem.
Version-Release number of selected component (if applicable):
All current RHEL5 kernels with NetLabel enabled.
Steps to Reproduce:
This directly affects the LSPP efforts of RH, HP, and IBM.
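To make the two setsockopt() paths in the description concrete, here is a small probe program. It is an added example, not the test program attached to this bug: it encodes a minimal CIPSO option (option type 134, one tag-1 with no categories) and tries first to install it and then to strip all IP options from an ordinary AF_INET socket, reporting the errno each attempt gets. The DOI value 1 and sensitivity level 0 are sample constants; unless a matching DOI has been configured with netlabelctl, and the caller holds CAP_NET_RAW, a kernel carrying the fix described above is expected to reject the CIPSO option, and the SELinux hook is expected to refuse stripping options from a NetLabel-labeled socket with EACCES. On an unlabeled socket, or an unpatched kernel, both calls succeed.

```c
/* Added example for Bug 213062 (not the attached test program):
 * probe whether an unprivileged process can set or remove a CIPSO
 * option through setsockopt(IP_OPTIONS). DOI 1 and level 0 are
 * sample values chosen for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>

#define CIPSO_OPT_TYPE   134u   /* IPOPT_CIPSO; not exported by libc headers */
#define CIPSO_TAG_BITMAP 1u     /* CIPSO tag type 1: level + category bitmap */

/* Encode a minimal CIPSO option: type, length, 4-byte DOI, one tag-1
 * carrying a level and no categories. Returns the option length (10),
 * or 0 if the buffer cannot hold it. */
size_t build_cipso_option(uint8_t *buf, size_t cap, uint32_t doi, uint8_t level)
{
    if (cap < 10)
        return 0;
    buf[0] = CIPSO_OPT_TYPE;
    buf[1] = 10;                       /* total option length */
    uint32_t be_doi = htonl(doi);
    memcpy(&buf[2], &be_doi, 4);       /* DOI, network byte order */
    buf[6] = CIPSO_TAG_BITMAP;
    buf[7] = 4;                        /* tag length: type, len, align, level */
    buf[8] = 0;                        /* alignment octet, must be zero */
    buf[9] = level;
    return 10;
}

/* Attempt to install the CIPSO option on fd. Returns 0 on success,
 * otherwise the errno the kernel reported. */
int try_set_cipso(int fd, uint32_t doi, uint8_t level)
{
    uint8_t opt[40];                   /* IP options are at most 40 bytes */
    size_t len = build_cipso_option(opt, sizeof opt, doi, level);
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, opt, (socklen_t)len) < 0)
        return errno;
    return 0;
}

/* Attempt to strip every IP option from fd, which is how an application
 * could remove a NetLabel-managed CIPSO attribute. 0 on success, else errno. */
int try_clear_options(int fd)
{
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0)
        return errno;
    return 0;
}

/* Convenience wrapper: open a fresh, unlabeled UDP socket and try to
 * clear its options. Returns 0 on success, otherwise errno. */
int probe_clear_options(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    int r = try_clear_options(fd);
    close(fd);
    return r;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int r = try_set_cipso(fd, 1, 0);   /* sample DOI 1, level 0 */
    printf("set CIPSO option as uid %u: %s\n", (unsigned)geteuid(),
           r == 0 ? "allowed" : strerror(r));
    r = try_clear_options(fd);
    printf("clear IP options: %s\n", r == 0 ? "allowed" : strerror(r));
    close(fd);
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_NET_RAW on a kernel with a DOI configured; the first call should fail for the unprivileged run on a fixed kernel. The second call is only refused when the socket actually carries a NetLabel label, so on a plain socket it succeeds either way.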
Created attachment 139738
Simple test program
Patch posted for RHEL5 kernel inclusion Nov 10.
QE ack for RHEL5.
A package has been built which should help the problem described in
this bug report. This report is therefore being closed with a resolution
of CURRENTRELEASE. You may reopen this bug report if the solution does
not work for you.