Bug 493811 - SELinux AVC produced by bind
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-03 04:24 EDT by Tomas Mraz
Modified: 2009-04-06 10:54 EDT
CC: 5 users
Doc Type: Bug Fix
Last Closed: 2009-04-06 10:54:02 EDT
Description Tomas Mraz 2009-04-03 04:24:10 EDT
I see this AVC from the named process on Fedora Rawhide.

rpm -q selinux-policy bind
selinux-policy-3.6.8-3.fc11.noarch
bind-9.6.0-11.P1.fc11.x86_64

node=vespa.frost.loc type=AVC msg=audit(1238742533.24:177): avc: denied { name_bind } for pid=2167 comm="named" src=4321 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=udp_socket
node=vespa.frost.loc type=SYSCALL msg=audit(1238742533.24:177): arch=c000003e syscall=49 success=no exit=-13 a0=202 a1=7f05eecea5b0 a2=10 a3=7f05eecea3b4 items=0 ppid=1 pid=2167 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Bind should be allowed to listen on any udp socket >= 1024.
Comment 1 Adam Tkac 2009-04-03 08:24:15 EDT
Reassigning to the proper component. As written in the original comment, named should be allowed to bind(2) to any unprivileged port.
Comment 2 Daniel Walsh 2009-04-06 09:12:03 EDT
The policy does exist to allow named to bind to all ports > 1024 except for those labels that include ports < 1024. So whois_port_t is labeled as a port which is less than 1024 because some of it includes port 43. Adam, if bind fails to bind to this port, will it try again?
Comment 3 Adam Tkac 2009-04-06 10:23:18 EDT
(In reply to comment #2)
> The policy does exist to allow named to bind to all ports > 1024 except for
> those labels that include ports < 1024. So whois_port_t is labeled as a
> port which is less than 1024 because some of it includes port 43. Adam, if bind
> fails to bind to this port, will it try again?

Yes. If it fails to bind(2) the port, it tries again (1024 times, and after that it asks the kernel for a random port).
Comment 4 Daniel Walsh 2009-04-06 10:30:24 EDT
So it tries port 4321 before moving on?

I can add a dontaudit to remove the avc, if it will eventually work. There are probably fewer than 50 ports which can cause this problem.
Comment 5 Adam Tkac 2009-04-06 10:41:33 EDT
If you don't audit that message everything will work fine.

I don't know SELinux internals well but such change looks like a hack for me, not a patch ;)
Comment 6 Daniel Walsh 2009-04-06 10:54:02 EDT
Yes, this is closer to a hack than a patch. The problem is that we have labeled ports 43 and 4321 as whois_port_t, which is what the kernel/SELinux sees, but the code that compiles the policy adds attributes to all port types, including ports < 1024 as reserved_port_type. All ports have the attribute port_type. The interface to allow a domain to bind to all unreserved ports has code that looks like

# named_t may bind any port type that is not also marked reserved (contains a port < 1024)
allow named_t { port_type -reserved_port_type }:udp_socket name_bind;

So in this case we do not allow named_t to bind to any ports that are labeled as a reserved_port_type, including rwhois.

Fixed in selinux-policy-3.6.10-10
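The mechanism comment 6 describes, a port label that covers one privileged port dragging every other port under that label into reserved_port_type, can be checked from the audit log and the port map alone. The following Python is an added example, not code from the bug report or from selinux-policy. It assumes the row layout of `semanage port -l` for the port map; the port map rows are constructed sample data (only whois_port_t and dns_port_t), and the AVC line is the one quoted in the report. It parses the AVC record, derives which port types would carry reserved_port_type under the "any port < 1024 taints the type" rule, and explains why a name_bind denial on an unprivileged port such as 4321 still occurs.

```python
import re

PRIVILEGED_LIMIT = 1024  # ports below this are reserved (privileged) ports

# Constructed sample in the row format of `semanage port -l` (udp rows only).
# whois_port_t spans both 43 and 4321, exactly the situation comment 6 describes.
SAMPLE_PORT_MAP = """\
dns_port_t                     udp      53
whois_port_t                   udp      43, 4321
"""

# The AVC record from the bug report, used here as sample input.
SAMPLE_AVC = (
    "node=vespa.frost.loc type=AVC msg=audit(1238742533.24:177): avc: denied "
    "{ name_bind } for pid=2167 comm=\"named\" src=4321 "
    "scontext=system_u:system_r:named_t:s0 "
    "tcontext=system_u:object_r:whois_port_t:s0 tclass=udp_socket"
)


def parse_port_map(text):
    """Map each port type to the set of ports it labels (ranges expanded)."""
    port_map = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ptype, _proto, spec = parts
        ports = port_map.setdefault(ptype, set())
        for item in spec.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = item.split("-", 1)
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(item))
    return port_map


def reserved_port_types(port_map):
    """Port types that label at least one port below 1024.

    Mirrors how the policy build hands out the reserved_port_type attribute:
    a single privileged port in the label taints the whole type."""
    return {t for t, ports in port_map.items()
            if any(p < PRIVILEGED_LIMIT for p in ports)}


def parse_avc(line):
    """Split an audit AVC record into a dict of key=value fields plus 'perms'."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r"denied\s+\{([^}]*)\}", line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def type_of(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def explain_name_bind_denial(avc_line, port_map):
    """Classify a name_bind denial: privileged port, tainted label, or missing rule.

    Returns None for records that are not name_bind AVC denials."""
    f = parse_avc(avc_line)
    if f.get("type") != "AVC" or "name_bind" not in f["perms"]:
        return None
    port = int(f["src"])
    ptype = type_of(f["tcontext"])
    reserved = reserved_port_types(port_map)
    if port < PRIVILEGED_LIMIT:
        reason = "privileged port"
    elif ptype in reserved:
        low = sorted(p for p in port_map.get(ptype, ()) if p < PRIVILEGED_LIMIT)
        reason = f"unprivileged port, but its label also covers privileged port(s) {low}"
    else:
        reason = "unreserved label; the domain simply lacks an allow rule"
    return {
        "domain": type_of(f["scontext"]),
        "port": port,
        "port_type": ptype,
        "reserved_label": ptype in reserved,
        "reason": reason,
    }


if __name__ == "__main__":
    verdict = explain_name_bind_denial(SAMPLE_AVC, parse_port_map(SAMPLE_PORT_MAP))
    print(verdict)
```

On a real system, feed `semanage port -l` output to `parse_port_map` and `ausearch -m avc` output to `explain_name_bind_denial`; a verdict with `reserved_label` set to true on a port >= 1024 is the pattern this bug describes, where the fix belongs in the port labeling or a dontaudit rather than in a broader allow rule for the domain.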
