Bug 227720 - SELinux policy doesn't allow bind(2) on raw sockets
Summary: SELinux policy doesn't allow bind(2) on raw sockets
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-02-07 18:55 UTC by Bhavesh Davda
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version: RC
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-16 14:26:52 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Test mini-app that shows bind(2) failure with SELinux (464 bytes, text/x-csrc)
2007-02-07 18:55 UTC, Bhavesh Davda 		no flags Details
View All

Description Bhavesh Davda 2007-02-07 18:55:57 UTC 
Description of problem:

When trying to bind(2) to INADDR_ANY on a SOCK_RAW/IPPROTO_ICMP socket, I get
errno=-EACCES, when SELinux is configured as "targeted".

Version-Release number of selected component (if applicable):


How reproducible:

100% reproducible.

Steps to Reproduce:
1. Compile and run the attached test mini-app.
2. With SELinux completely disabled, the mini-app succeeds to bind(2).
3. With SELinux enabled, the mini-app fails to bind(2) with errno=-EACCES.
  
Actual results:

bind(2) fails.

Expected results:

bind(2) succeeds.

Additional info:

This seems to be an arbitrary policy to disallow a process running as root to
bind(2) a raw socket. I can't imagine any customer requiring such a
configuration, because it's not like you can DoS a host by allowing an
application running as root to bind a raw socket to INADDR_ANY.
Comment 1 Bhavesh Davda 2007-02-07 18:55:57 UTC 
Created attachment 147587 [details]
Test mini-app that shows bind(2) failure with SELinux
Comment 2 Daniel Walsh 2007-02-14 15:33:21 UTC 
Are you seeing avc messages in /var/log/audit/audit.log or /var/log/messages
Comment 3 Bhavesh Davda 2007-02-15 17:27:02 UTC 
Yup:

/var/log/audit/audit.log:

type=AVC msg=audit(1171573264.718:343): avc:  denied  { node_bind } for 
pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no
exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 ppid=7136 pid=7173
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5
comm="bindicmp" exe="/root/bindicmp"
subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=SOCKADDR msg=audit(1171573264.718:343): saddr=0200000000000000087DB3FFA2840408

Nothing interesting in /var/log/messages.
Comment 4 Daniel Walsh 2007-02-15 20:36:30 UTC 
Which policy are you seeing this with.   

selinux-policy-2.4.6-32.el5 allows this.

Dan
Comment 5 Bhavesh Davda 2007-02-15 20:40:55 UTC 
I've got selinux-policy-2.3.3-22 installed. 

/etc/redhat-release: Red Hat Enterprise Linux Server release 4.91 (Tikanga)

BTW, how do I figure out what's allowed and what's not as far as SELinux kernel
policies are concerned? i.e. how do I decode
/etc/selinux/targeted/modules/active/policy.kern?

Thanks.
Comment 6 Daniel Walsh 2007-02-16 14:26:52 UTC 
Please update policy and see if the problem goes away.
You can find the latest policy on http://people.redhat.com/dwalsh/SELinux/RHEL5

If you have setools installed, you can use apol and seinfo to look at the way
policy is constructed.  But it will not be easy to understand.  The goal is to
let every confined process to have all the access they need to get their job
done, and  no more.  unconfined domains should be allowed to do everything they
could do without SELinux installed.  (unconfined_t, initrc_t, inetd_t)

ps -eZ Will show you the security context of all processes running on your system.
Note You need to log in before you can comment on or make changes to this bug.