Bug 227720 - SELinux policy doesn't allow bind(2) on raw sockets
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Reported: 2007-02-07 13:55 EST by Bhavesh Davda
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-16 09:26:52 EST
Attachments
Test mini-app that shows bind(2) failure with SELinux (464 bytes, text/x-csrc)
2007-02-07 13:55 EST, Bhavesh Davda
Description Bhavesh Davda 2007-02-07 13:55:57 EST
Description of problem:

When trying to bind(2) to INADDR_ANY on a SOCK_RAW/IPPROTO_ICMP socket, I get
errno=-EACCES, when SELinux is configured as "targeted".

Version-Release number of selected component (if applicable):


How reproducible:

100% reproducible.

Steps to Reproduce:
1. Compile and run the attached test mini-app.
2. With SELinux completely disabled, the mini-app succeeds to bind(2).
3. With SELinux enabled, the mini-app fails to bind(2) with errno=-EACCES.
  
Actual results:

bind(2) fails.

Expected results:

bind(2) succeeds.

Additional info:

This seems to be an arbitrary policy to disallow a process running as root to
bind(2) a raw socket. I can't imagine any customer requiring such a
configuration, because it's not like you can DoS a host by allowing an
application running as root to bind a raw socket to INADDR_ANY.
Comment 1 Bhavesh Davda 2007-02-07 13:55:57 EST
Created attachment 147587 [details]
Test mini-app that shows bind(2) failure with SELinux
Comment 2 Daniel Walsh 2007-02-14 10:33:21 EST
Are you seeing avc messages in /var/log/audit/audit.log or /var/log/messages?
Comment 3 Bhavesh Davda 2007-02-15 12:27:02 EST
Yup:

/var/log/audit/audit.log:

type=AVC msg=audit(1171573264.718:343): avc:  denied  { node_bind } for 
pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no
exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 ppid=7136 pid=7173
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5
comm="bindicmp" exe="/root/bindicmp"
subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=SOCKADDR msg=audit(1171573264.718:343): saddr=0200000000000000087DB3FFA2840408

Nothing interesting in /var/log/messages.
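An added example, not the reporter's attached mini-app and not audit2allow itself: a small Python parser for AVC denial records like the one quoted above. It pulls the source type, target type, object class and denied permission out of each record and prints the TE allow rule that would permit that access, which is the same information audit2allow derives. The sample log lines are constructed: the node_bind denial from this report, its SYSCALL record, and an unrelated denial added to show the parser is not specific to one record.

```python
"""Parse SELinux AVC denial records and turn each into the allow rule that
would permit it. Constructed example; no part of it comes from the bug's attachment."""
import re
from dataclasses import dataclass

# Constructed sample audit.log excerpt: the rawip_socket node_bind denial from
# this report, its SYSCALL record (ignored), and an unrelated tcp_socket denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1171573264.718:343): avc:  denied  { node_bind } for  pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1171573300.001:350): avc:  denied  { name_bind } for  pid=8001 comm="myd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str

    @staticmethod
    def type_of(ctx):
        # A context is user:role:type[:mls]; the type is always the third field.
        return ctx.split(":")[2]

    def allow_rule(self):
        """Return the TE allow rule that would permit exactly this denial."""
        return "allow %s %s:%s { %s };" % (
            self.type_of(self.scontext), self.type_of(self.tcontext),
            self.tclass, " ".join(self.perms))

def parse_avc_denials(log_text):
    """Extract every denied AVC record; SYSCALL, SOCKADDR and granted records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("result") == "denied":
            denials.append(AvcDenial(tuple(m.group("perms").split()),
                                     m.group("scontext"), m.group("tcontext"),
                                     m.group("tclass")))
    return denials

if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE_AUDIT_LOG):
        print(d.allow_rule())
```

For the record in this report the output is `allow unconfined_t inaddr_any_node_t:rawip_socket { node_bind };`, which is the rule the older policy lacked and which a newer policy, as Comment 4 states, already contains.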
Comment 4 Daniel Walsh 2007-02-15 15:36:30 EST
Which policy are you seeing this with?

selinux-policy-2.4.6-32.el5 allows this.

Dan
Comment 5 Bhavesh Davda 2007-02-15 15:40:55 EST
I've got selinux-policy-2.3.3-22 installed.

/etc/redhat-release: Red Hat Enterprise Linux Server release 4.91 (Tikanga)

BTW, how do I figure out what's allowed and what's not as far as SELinux kernel
policies are concerned? i.e. how do I decode
/etc/selinux/targeted/modules/active/policy.kern?

Thanks.
Comment 6 Daniel Walsh 2007-02-16 09:26:52 EST
Please update policy and see if the problem goes away.
You can find the latest policy on http://people.redhat.com/dwalsh/SELinux/RHEL5

If you have setools installed, you can use apol and seinfo to look at the way
policy is constructed. But it will not be easy to understand. The goal is to
let every confined process have all the access it needs to get its job
done, and no more. Unconfined domains should be allowed to do everything they
could do without SELinux installed. (unconfined_t, initrc_t, inetd_t)

ps -eZ will show you the security context of all processes running on your system.
