Bug 2176070 - SELinux is preventing prosody from name_bind access on the udp_socket port
Summary: SELinux is preventing prosody from name_bind access on the udp_socket port
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-03-07 09:59 UTC by Nicolas Berrehouc
Modified: 2023-10-06 01:28 UTC
CC List: 11 users

Fixed In Version: selinux-policy-38.29-1.fc38
Clone Of:
Environment:
Last Closed: 2023-10-03 16:39:42 UTC
Type: Bug
Embargoed:




Links
System: Github
ID: fedora-selinux selinux-policy pull 1872
Private: 0
Priority: None
Status: open
Summary: Allow prosody read network sysctls
Last Updated: 2023-09-14 14:58:04 UTC

Description Nicolas Berrehouc 2023-03-07 09:59:51 UTC
Description of problem:
SEAlert in system logs.
SELinux is preventing prosody from name_bind access on the udp_socket port 32165.

Version-Release number of selected component (if applicable):
prosody-0.12.2-1.fc37.x86_64
selinux-policy-37.19-1.fc37.noarch
selinux-policy-minimum-37.19-1.fc37.noarch
selinux-policy-targeted-37.19-1.fc37.noarch

How reproducible:
Install and start Prosody service.

Steps to Reproduce:
1.Install Prosody
2.Start Prosody
3.Check system logs

Actual results:
SELinux is preventing prosody from name_bind access on the udp_socket port 32165.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that prosody should be allowed name_bind access on the port 32165 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'prosody' --raw | audit2allow -M my-prosody
# semodule -X 300 -i my-prosody.pp


Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 32165 [ udp_socket ]
Source                        prosody
Source Path                   prosody
Port                          32165
Host                          <REMOVED>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.19-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.19-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <REMOVED>
Platform                      Linux <REMOVED> 6.1.14-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Feb 26 00:13:26 UTC 2023
                              x86_64 x86_64
Alert Count                   5067
First Seen                    2022-12-20 05:52:24 CET
Last Seen                     2023-03-07 08:36:31 CET
Local ID                      17dee8f0-8676-4293-a36c-50e5faa4cb55

Raw Audit Messages
type=AVC msg=audit(1678174591.528:431): avc:  denied  { name_bind } for  pid=4309 comm="prosody" src=32165 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: prosody,prosody_t,unreserved_port_t,udp_socket,name_bind


Expected results:
No alert.

Additional info:
The same alert appears with different ports.

Comment 1 Nicolas Berrehouc 2023-08-20 16:58:29 UTC
Still present in F38.

```
SELinux is preventing prosody from name_bind access on the udp_socket port 17166.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that prosody should be allowed name_bind access on the port 17166 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'prosody' --raw | audit2allow -M my-prosody
# semodule -X 300 -i my-prosody.pp


Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 17166 [ udp_socket ]
Source                        prosody
Source Path                   prosody
Port                          17166
Host                          <REMOVED>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <REMOVED>
Platform                      Linux <REMOVED> 6.4.11-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Aug 16 17:42:12 UTC 2023
                              x86_64
Alert Count                   10561
First Seen                    2022-12-20 05:52:24 CET
Last Seen                     2023-08-20 17:52:04 CEST
Local ID                      17dee8f0-8676-4293-a36c-50e5faa4cb55

Raw Audit Messages
type=AVC msg=audit(1692546724.136:2151): avc:  denied  { name_bind } for  pid=341290 comm="prosody" src=17166 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: prosody,prosody_t,unreserved_port_t,udp_socket,name_bind
```

Additional info:
```
SELinux is preventing prosody from search access on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that prosody should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'prosody' --raw | audit2allow -M my-prosody
# semodule -X 300 -i my-prosody.pp


Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        prosody
Source Path                   prosody
Port                          <Unknown>
Host                          Icaricio
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Icaricio
Platform                      Linux Icaricio 6.4.11-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Aug 16 17:42:12 UTC 2023
                              x86_64
Alert Count                   66
First Seen                    2022-12-20 05:52:24 CET
Last Seen                     2023-08-20 17:13:20 CEST
Local ID                      4ed872c5-bc2a-4ba0-9475-ebd8ce2d8b0b

Raw Audit Messages
type=AVC msg=audit(1692544400.418:2108): avc:  denied  { search } for  pid=341290 comm="prosody" name="net" dev="proc" ino=187 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0


Hash: prosody,prosody_t,sysctl_net_t,dir,search
```

From journald log:
Aug 20 17:13:20 <REMOVED> prosody[341290]: [1692544400] libunbound[341290:0] error: failed to read from file: /proc/sys/net/ipv4/ip_local_port_range (Permission denied)

Comment 2 Zdenek Pytela 2023-09-14 14:58:05 UTC
Thank you, it looks like prosody was updated to use ports from /proc/sys/net/ipv4/ip_local_port_range, therefore the policy needs to be adjusted, too.
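
Working through the two denials in this thread (name_bind on unreserved_port_t for a UDP socket, and search on the sysctl_net_t directory that comes before libunbound's read of /proc/sys/net/ipv4/ip_local_port_range): the block below is an added example written for this page, not code from Fedora's selinux-policy, from prosody, or from audit2allow. It parses the raw AVC lines pasted above (embedded as a constructed sample), groups them the way audit2allow does, and then renders a scoped local module that uses refpolicy interfaces instead of raw allow rules. The interface names kernel_read_net_sysctls and corenet_udp_bind_all_unreserved_ports are existing refpolicy interfaces that grant these two accesses; whether the fix in selinux-policy-38.29-1.fc38 took exactly that route is visible in the linked pull request and is not assumed here. The module name local-prosody and its version are assumptions.

```python
"""Triage raw AVC denials and turn them into a scoped SELinux policy module.

Added example for this bug report; not Fedora's, prosody's or audit2allow's code.
Assumptions: the module name/version, and that the two refpolicy interfaces
named in INTERFACES are the ones a scoped module would use for these denials.
"""
import re

# Constructed sample: the three raw AVC messages quoted in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1678174591.528:431): avc:  denied  { name_bind } for  pid=4309 comm="prosody" src=32165 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1692546724.136:2151): avc:  denied  { name_bind } for  pid=341290 comm="prosody" src=17166 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1692544400.418:2108): avc:  denied  { search } for  pid=341290 comm="prosody" name="net" dev="proc" ino=187 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (target type, object class, permission) -> refpolicy interface that grants it.
# Assumption: a scoped module would call these; the Fedora fix may differ.
INTERFACES = {
    ("sysctl_net_t", "dir", "search"): "kernel_read_net_sysctls",
    ("unreserved_port_t", "udp_socket", "name_bind"): "corenet_udp_bind_all_unreserved_ports",
}


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "port": int(fields["src"]) if "src" in fields else None,
        "enforced": fields.get("permissive") == "0",
    }


def summarize(audit_text):
    """Group denials by (source type, target type, class): perms union, hit count, ports seen."""
    groups = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups.setdefault((d["stype"], d["ttype"], d["tclass"]),
                              {"perms": set(), "count": 0, "ports": set()})
        g["perms"] |= d["perms"]
        g["count"] += 1
        if d["port"] is not None:
            g["ports"].add(d["port"])
    return groups


def raw_allow_rules(groups):
    """The rules audit2allow would emit: exactly the denied permissions and nothing more."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in groups.items()
    )


def render_module(groups, name="local-prosody", version="1.0"):
    """Render a .te using interfaces rather than raw allow rules.

    A raw rule for `search` on sysctl_net_t:dir only clears the first check:
    the kernel stops at the first denied permission, so opening and reading
    ip_local_port_range itself would be denied on the next run.  The interface
    grants the whole read pattern at once.
    """
    stypes = sorted({s for (s, _, _) in groups})
    calls = set()
    for (s, t, c), g in groups.items():
        for p in g["perms"]:
            iface = INTERFACES.get((t, c, p))
            if iface is None:
                raise ValueError(f"no interface known for {t}:{c} {p}; review by hand")
            calls.add(f"{iface}({s})")
    require = "\n".join(f"    type {s};" for s in stypes)
    body = "\n".join(sorted(calls))
    return f"policy_module({name}, {version})\n\ngen_require(`\n{require}\n')\n\n{body}\n"


if __name__ == "__main__":
    found = summarize(SAMPLE_AUDIT)
    for key, g in found.items():
        print(key, g["count"], "hits", sorted(g["perms"]), sorted(g["ports"]))
    print("\n".join(raw_allow_rules(found)))
    print(render_module(found))
```

Build and load the rendered module with the policy development Makefile from selinux-policy-devel, `make -f /usr/share/selinux/devel/Makefile local-prosody.pp` followed by `semodule -X 300 -i local-prosody.pp` (the same priority the sealert suggestion uses), then confirm the access is in the loaded policy with `sesearch -A -s prosody_t -t sysctl_net_t -c dir -p search`. Two caveats: the nis_enabled boolean that sealert ranked at 89.3% confidence is a system-wide tunable that widens port binding for every domain carrying the NIS rules, not just prosody_t, so a scoped module is the safer interim fix; and once the selinux-policy update named in Fixed In Version is installed, the local module is redundant and can be dropped with `semodule -r local-prosody`.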

Comment 3 Fedora Update System 2023-10-02 11:44:05 UTC
FEDORA-2023-b001a7edcc has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc

Comment 4 Fedora Update System 2023-10-03 03:31:01 UTC
FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b001a7edcc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Nicolas Berrehouc 2023-10-03 16:39:42 UTC
Thank you for the update. Works fine! Karma +1

Comment 6 Fedora Update System 2023-10-06 01:28:28 UTC
FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

