Bug 493811 - SELinux AVC produced by bind
Summary: SELinux AVC produced by bind
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-04-03 08:24 UTC by Tomas Mraz
Modified: 2009-04-06 14:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-06 14:54:02 UTC
Type: ---
Embargoed:


Description Tomas Mraz 2009-04-03 08:24:10 UTC
I see this AVC from the named process on Fedora Rawhide.

rpm -q selinux-policy bind
selinux-policy-3.6.8-3.fc11.noarch
bind-9.6.0-11.P1.fc11.x86_64

node=vespa.frost.loc type=AVC msg=audit(1238742533.24:177): avc: denied { name_bind } for pid=2167 comm="named" src=4321 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=udp_socket
node=vespa.frost.loc type=SYSCALL msg=audit(1238742533.24:177): arch=c000003e syscall=49 success=no exit=-13 a0=202 a1=7f05eecea5b0 a2=10 a3=7f05eecea3b4 items=0 ppid=1 pid=2167 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Bind should be allowed to listen on any udp socket >= 1024.

Comment 1 Adam Tkac 2009-04-03 12:24:15 UTC
Reassigning to the proper component. As written in the original comment, named should be allowed to bind(2) any unprivileged port.

Comment 2 Daniel Walsh 2009-04-06 13:12:03 UTC
The policy does exist to allow named to bind to all ports > 1024 except for those labels that include ports < 1024.  So whois_port_t is labeled as a port which is less than 1024 because some of it includes port 43.  Adam, if bind fails to bind to this port will it try again?

Comment 3 Adam Tkac 2009-04-06 14:23:18 UTC
(In reply to comment #2)
> The policy does exist to allow named to bind to all ports > 1024 except for
> those labels that include ports < 1024.  So whois_port_t is labeled as a
> port which is less than 1024 because some of it includes port 43.  Adam, if bind
> fails to bind to this port will it try again?

Yes. If it fails to bind(2) the port it tries again (1024 times, and after that it asks the kernel for a random port).

Comment 4 Daniel Walsh 2009-04-06 14:30:24 UTC
So it tries port 4321 before moving on?

I can add a dontaudit to remove the avc, if it will eventually work.  There are probably less than 50 ports which can cause this problem.

Comment 5 Adam Tkac 2009-04-06 14:41:33 UTC
If you don't audit that message everything will work fine.

I don't know SELinux internals well, but such a change looks like a hack to me, not a patch ;)

Comment 6 Daniel Walsh 2009-04-06 14:54:02 UTC
Yes, this is closer to a hack than a patch.  The problem is that we have labeled ports 43 and 4321 as whois_port_t, which is what the kernel/SELinux sees, but the code that compiles the policy adds attributes to all port types, including ports < 1024 as reserved_port_type.  All ports have the attribute port_type.  The interface to allow a domain to bind to all unreserved ports has code that looks like

allow named_t { port_type -reserved_port_type }:udp_socket name_bind;

So in this case we do not allow named_t to bind to any ports that are labeled as a reserved_port_type, including rwhois.

Fixed in selinux-policy-3.6.10-10
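As an added illustration (not part of this bug report or of the Fedora policy sources), the following Python script parses the AVC record from the description and applies the attribute rule from comment 6 to a constructed port-label table, showing why port 4321 is denied even though it is above 1024. The port table and the default label unreserved_port_t are assumptions for the example; the real policy's specific allows for named (such as the DNS port) are not modelled.

```python
import re

# Constructed port-label table modelled on comment 6 (NOT the real Fedora
# policy): whois_port_t labels both 43 (< 1024) and 4321, so it picks up the
# reserved_port_type attribute when the policy is compiled.
PORT_TYPES = {
    "dns_port_t": {53},
    "whois_port_t": {43, 4321},
    "http_cache_port_t": {3128, 8080},
}

# The AVC record quoted in the bug description, used here as sample input.
SAMPLE_AVC = ('node=vespa.frost.loc type=AVC msg=audit(1238742533.24:177): avc: denied '
              '{ name_bind } for pid=2167 comm="named" src=4321 '
              'scontext=system_u:system_r:named_t:s0 '
              'tcontext=system_u:object_r:whois_port_t:s0 tclass=udp_socket')

def parse_avc(line):
    """Extract the fields this bug hinges on from one audit AVC record."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {
        "perm": re.search(r"denied \{ (\w+) \}", line).group(1),
        "comm": fields["comm"].strip('"'),
        "port": int(fields["src"]),
        "sdom": fields["scontext"].split(":")[2],   # e.g. named_t
        "ttype": fields["tcontext"].split(":")[2],  # e.g. whois_port_t
        "tclass": fields["tclass"],
    }

def reserved_port_types(port_types):
    """Policy-build rule from comment 6: a port type gets reserved_port_type
    if ANY port it labels is below 1024, whatever its other ports are."""
    return {t for t, ports in port_types.items() if any(p < 1024 for p in ports)}

def unreserved_rule_allows(port, port_types):
    """Evaluate 'allow named_t { port_type -reserved_port_type }:udp_socket name_bind;'
    for one port. Ports absent from the table are assumed to be unreserved_port_t."""
    ttype = next((t for t, ps in port_types.items() if port in ps), "unreserved_port_t")
    return ttype not in reserved_port_types(port_types)

def classify_denial(avc, port_types):
    """Explain why a name_bind on an unprivileged port can still be denied."""
    if avc["perm"] != "name_bind" or avc["port"] < 1024:
        return "not an unprivileged-port name_bind denial"
    reserved = reserved_port_types(port_types)
    if avc["ttype"] in reserved:
        low = sorted(p for p in port_types[avc["ttype"]] if p < 1024)
        return f"{avc['ttype']} is reserved_port_type because it also labels {low}"
    return "label is unreserved; look for another rule denying it"
```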
