Description of problem: When trying to bind(2) to INADDR_ANY on a SOCK_RAW/IPPROTO_ICMP socket, I get errno=-EACCES, when SELinux is configured as "targeted". Version-Release number of selected component (if applicable): How reproducible: 100% reproducible. Steps to Reproduce: 1. Compile and run the attached test mini-app. 2. With SELinux completely disabled, the mini-app succeeds to bind(2). 3. With SELinux enabled, the mini-app fails to bind(2) with errno=-EACCES. Actual results: bind(2) fails. Expected results: bind(2) succeeds. Additional info: This seems to be an arbitrary policy to disallow a process running as root to bind(2) a raw socket. I can't imagine any customer requiring such a configuration, because it's not like you can DoS a host by allowing an application running as root to bind a raw socket to INADDR_ANY.
Created attachment 147587 [details] Test mini-app that shows bind(2) failure with SELinux
Are you seeing avc messages in /var/log/audit/audit.log or /var/log/messages
Yup: /var/log/audit/audit.log: type=AVC msg=audit(1171573264.718:343): avc: denied { node_bind } for pid=7173 comm="bindicmp" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket type=SYSCALL msg=audit(1171573264.718:343): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=ffb37cc0 a2=48923ff4 a3=487e7ca0 items=0 ppid=7136 pid=7173 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 comm="bindicmp" exe="/root/bindicmp" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null) type=SOCKADDR msg=audit(1171573264.718:343): saddr=0200000000000000087DB3FFA2840408 Nothing interesting in /var/log/messages.
Which policy are you seeing this with. selinux-policy-2.4.6-32.el5 allows this. Dan
I've got selinux-policy-2.3.3-22 installed. /etc/redhat-release: Red Hat Enterprise Linux Server release 4.91 (Tikanga) BTW, how do I figure out what's allowed and what's not as far as SELinux kernel policies are concerned? i.e. how do I decode /etc/selinux/targeted/modules/active/policy.kern? Thanks.
Please update policy and see if the problem goes away. You can find the latest policy on http://people.redhat.com/dwalsh/SELinux/RHEL5 If you have setools installed, you can use apol and seinfo to look at the way policy is constructed. But it will not be easy to understand. The goal is to let every confined process to have all the access they need to get their job done, and no more. unconfined domains should be allowed to do everything they could do without SELinux installed. (unconfined_t, initrc_t, inetd_t) ps -eZ Will show you the security context of all processes running on your system.