Bug 651609 - clustat denied bind to hi_reserved_port_t
Summary: clustat denied bind to hi_reserved_port_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-09 21:39 UTC by Nate Straz
Modified: 2012-11-23 21:07 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-2.4.6-301.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-21 09:21:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1069 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-07-21 09:18:27 UTC

Description Nate Straz 2010-11-09 21:39:59 UTC 
Description of problem:

I'm getting some intermittent SELinux AVCs from the ricci_modclusterd_t context when shutting down cman.  During a regression run I hit this 12 times on a three node cluster which stopped cman 50 times.

I'm not sure if this is hiding a bug in clustat in an error case or if the the SELinux policy should be updated to allow binding to tcp ports from 600 to 1024.


Version-Release number of selected component (if applicable):
modcluster-0.12.1-3.el5
rgmanager-2.0.52-7.el5
selinux-policy-2.4.6-289.el5


How reproducible:
24% of the time

Steps to Reproduce:
run whiplash or hokey-pokey on the cluster
  
Actual results:
AVCs in /var/log/audit/audit.log

Expected results:
No AVCs

Additional info:

I haven't noticed this affecting regular cluster operations.
Comment 1 Nate Straz 2010-11-09 21:43:40 UTC 
Example of the AVC and following message:

type=AVC msg=audit(1289314629.926:630): avc:  denied  { name_bind } for  pid=17395 comm="clustat" src=1023 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1289314629.926:630): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff2b9b2ff0 a2=1c a3=7fff2b9b3028 items=0 ppid=9731 pid=17395 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clustat" exe="/usr/sbin/clustat" subj=system_u:system_r:ricci_modclusterd_t:s0 key=(null)
type=AVC msg=audit(1289314629.927:631): avc:  denied  { name_bind } for  pid=17395 comm="clustat" src=611 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1289314629.927:631): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff2b9b3010 a2=10 a3=0 items=0 ppid=9731 pid=17395 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clustat" exe="/usr/sbin/clustat" subj=system_u:system_r:ricci_modclusterd_t:s0 key=(null)
Comment 3 Miroslav Grepl 2011-02-01 11:53:11 UTC 
Nate,
did you setup NIS and cluster environment together.
Comment 4 Daniel Walsh 2011-02-01 16:32:15 UTC 
Does clustat bind to a reserved port?

bindresvport (3)     - bind a socket to a privileged IP port
Comment 5 Daniel Walsh 2011-02-01 16:37:22 UTC 
Miroslav I think the policy should be

corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
Comment 6 Daniel Walsh 2011-02-01 16:38:23 UTC 
Please do this in F13,F14 and RHEL6 also.
Comment 7 Miroslav Grepl 2011-02-01 16:41:33 UTC 
Yes, it looks so.
Comment 8 Lon Hohberger 2011-02-09 22:02:36 UTC 
clustat talks to ccsd via libccs which calls bindresvport()
Comment 9 Daniel Walsh 2011-02-10 14:42:24 UTC 
Thanks Lon.
Comment 10 Miroslav Grepl 2011-03-01 17:07:40 UTC 
Fixed in selinux-policy-2.4.6-301.el5
Comment 13 errata-xmlrpc 2011-07-21 09:21:19 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 14 errata-xmlrpc 2011-07-21 11:49:56 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Note You need to log in before you can comment on or make changes to this bug.