Bug 432365 - named AVC: name_bind to bgp_port_t
named AVC: name_bind to bgp_port_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-11 11:23 EST by Pekka Savola
Modified: 2008-11-17 17:03 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:03:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pekka Savola 2008-02-11 11:23:44 EST
It appears that named tried to open source port 2605 (earmarked to quagga) more
or less by accident, which would have caused a Selinux failure.

Named has a lot of ports open, probably in order to make query IDs and ports
less prone to DNS response spoofing attacks.  Below is a list on my home server.

tcp        0      0 192.168.1.2:53              0.0.0.0:*                  
LISTEN      26027/named         
tcp        0      0 127.0.0.1:53                0.0.0.0:*                  
LISTEN      26027/named         
tcp        0      0 127.0.0.1:953               0.0.0.0:*                  
LISTEN      26027/named         
tcp        0      0 ::1:53                      :::*                       
LISTEN      26027/named         
tcp        0      0 ::1:953                     :::*                       
LISTEN      26027/named         
udp        0      0 0.0.0.0:42758               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:26133               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:7588                0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:50474               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:60587               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:1581                0.0.0.0:*                      
        26027/named         
udp        0      0 192.168.1.2:53              0.0.0.0:*                      
        26027/named         
udp        0      0 127.0.0.1:53                0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:36282               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:5438                0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:30784               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:33472               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:38086               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:33099               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:37074               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:45911               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:51550               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:30705               0.0.0.0:*                      
        26027/named         
udp        0      0 0.0.0.0:1656                0.0.0.0:*                      
        26027/named         
udp        0      0 :::5763                     :::*                           
        26027/named         
udp        0      0 :::34310                    :::*                           
        26027/named         
udp        0      0 :::6537                     :::*                           
        26027/named         
udp        0      0 :::11667                    :::*                           
        26027/named         
udp        0      0 :::1701                     :::*                           
        26027/named         
udp        0      0 :::30246                    :::*                           
        26027/named         
udp        0      0 :::35754                    :::*                           
        26027/named         
udp        0      0 :::26029                    :::*                           
        26027/named         
udp        0      0 :::19503                    :::*                           
        26027/named         
udp        0      0 ::1:53                      :::*                           
        26027/named         
udp        0      0 :::40763                    :::*                           
        26027/named         
udp        0      0 :::33100                    :::*                           
        26027/named         
udp        0      0 :::52441                    :::*                           
        26027/named         
udp        0      0 :::41580                    :::*                           
        26027/named         
udp        0      0 :::11248                    :::*                           
        26027/named         
udp        0      0 :::46321                    :::*                           
        26027/named         
udp        0      0 :::53241                    :::*                           
        26027/named         
udp        0      0 :::58107                    :::*                           
        26027/named         


=============

Summary:

SELinux is preventing named(/usr/sbin/named) (named_t) "name_bind" to <Unknown>
(bgp_port_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by named(/usr/sbin/named). It is not expected
that this access is required by named(/usr/sbin/named) and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:named_t
Target Context                system_u:object_r:bgp_port_t
Target Objects                None [ udp_socket ]
Source                        named(/usr/sbin/named)
Port                          2605
Host                          gap.netcore.fi
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-83.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     gap.netcore.fi
Platform                      Linux gap.netcore.fi 2.6.23.14-107.fc8 #1 SMP Mon
                              Jan 14 21:37:30 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Mon 11 Feb 2008 07:47:01 AM EET
Last Seen                     Mon 11 Feb 2008 07:47:01 AM EET
Local ID                      cc35bb73-032c-411c-a92e-c9582ade92f3
Line Numbers                  

Raw Audit Messages            

host=gap.netcore.fi type=AVC msg=audit(1202708821.728:3693): avc:  denied  {
name_bind } for  pid=26028 comm="named" src=2605
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:bgp_port_t:s0 tclass=udp_socket

host=gap.netcore.fi type=SYSCALL msg=audit(1202708821.728:3693): arch=40000003
syscall=102 success=yes exit=0 a0=2 a1=b7ed8f00 a2=46c214 a3=b7f14588 items=0
ppid=1 pid=26028 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25
fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named"
subj=unconfined_u:system_r:named_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-02-11 14:43:03 EST
Yes this is one of the few ports that this could happen too.

Fixed in selinux-policy-3.0.8-84.fc8

SELinux labels ports < 1024 as reserved_port_type, but a few ports > 1024 ended
up with this label, if they had ports also defined < 1024.

network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)

So bgp_port_t has some ports < 1024 and some greater, which causes the problem.
Comment 2 Daniel Walsh 2008-11-17 17:03:03 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.