Bug 704573 - Binding and connecting to a dccp socket raises avc alerts.
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-13 15:59 UTC by Fabian Deutsch
Modified: 2011-05-24 18:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1459941 (view as bug list)
Environment:
Last Closed: 2011-05-24 18:24:09 UTC
Type: ---


Attachments
dccp_socket (26.30 KB, patch), 2011-05-13 17:29 UTC, Dominick Grift

Description Fabian Deutsch 2011-05-13 15:59:04 UTC
Description of problem:
The following commands raise avc alerts:

gst-launch videotestsrc ! theoraenc ! dccpserversink

gst-launch dccpclientsrc ! theoradec ! autovideosink

Version-Release number of selected component (if applicable):
Fedora 15 Beta - all updates.

How reproducible:
Always.

Steps to Reproduce:
1. See above.
  
Actual results:
AVC alerts

Expected results:
The app is bound to the port and others can connect.

Comment 1 Dominick Grift 2011-05-13 17:29:53 UTC
Created attachment 498825
dccp_socket

This might be terribly wrong but I think something like this should be implemented. Not sure.

Comment 2 Daniel Walsh 2011-05-17 09:27:00 UTC
Looks good to me, Dominick commit it.

Comment 3 Daniel Walsh 2011-05-17 09:28:55 UTC
Fabian, what AVCs are you seeing?

Comment 4 Fabian Deutsch 2011-05-17 10:20:06 UTC
----
time->Fri May 13 17:19:27 2011
type=SYSCALL msg=audit(1305299967.437:683): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=6 a2=21 a3=1 items=0 ppid=31858 pid=392 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 ses=32 comm="gst-launch-0.10" exe="/usr/bin/gst-launch-0.10" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305299967.437:683): avc:  denied  { create } for  pid=392 comm="gst-launch-0.10" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
time->Fri May 13 17:21:16 2011
type=SYSCALL msg=audit(1305300076.077:691): arch=c000003e syscall=54 success=no exit=-13 a0=3 a1=1 a2=2 a3=7fffed38b21c items=0 ppid=31858 pid=468 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 ses=32 comm="gst-launch-0.10" exe="/usr/bin/gst-launch-0.10" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305300076.077:691): avc:  denied  { setopt } for  pid=468 comm="gst-launch-0.10" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
time->Fri May 13 17:22:45 2011
type=SYSCALL msg=audit(1305300165.905:698): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff16a1cce0 a2=10 a3=7fff16a1ccfc items=0 ppid=31858 pid=563 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 ses=32 comm="gst-launch-0.10" exe="/usr/bin/gst-launch-0.10" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305300165.905:698): avc:  denied  { bind } for  pid=563 comm="gst-launch-0.10" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----



After fiddling around a bit:



----
time->Fri May 13 17:32:40 2011
type=SYSCALL msg=audit(1305300760.952:712): arch=c000003e syscall=55 success=no exit=-13 a0=3 a1=10d a2=c a3=7fffd27f9a60 items=0 ppid=31858 pid=712 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 ses=32 comm="gst-launch-0.10" exe="/usr/bin/gst-launch-0.10" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305300760.952:712): avc:  denied  { getopt } for  pid=712 comm="gst-launch-0.10" lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
time->Fri May 13 17:42:28 2011
type=SYSCALL msg=audit(1305301348.641:759): arch=c000003e syscall=50 success=no exit=-13 a0=3 a1=5 a2=0 a3=7fffb9a13c9c items=0 ppid=31858 pid=1124 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts3 ses=32 comm="gst-launch-0.10" exe="/usr/bin/gst-launch-0.10" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305301348.641:759): avc:  denied  { listen } for  pid=1124 comm="gst-launch-0.10" lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
----
time->Fri May 13 17:47:21 2011
type=SYSCALL msg=audit(1305301641.165:761): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff54838300 a2=10 a3=7fff548382fc items=0 ppid=1198 pid=1212 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts6 ses=32 comm="gst-launch-0.10" exe="/usr/bin/gst-launch-0.10" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1305301641.165:761): avc:  denied  { name_connect } for  pid=1212 comm="gst-launch-0.10" dest=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket
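
Added example (not part of the bug report, and not the attached dccp_socket patch): a short Python sketch that pairs each AVC record from comment 4 with its SYSCALL record by audit event ID and groups the denied permissions into the allow rules they imply, in the style audit2allow uses. The sample input is abridged from comment 4; the syscall names assume the x86_64 table (arch=c000003e), and the function names are this example's own.

```python
import re
from collections import defaultdict
# x86_64 syscall numbers (arch=c000003e) seen in the SYSCALL records
SYSCALLS = {41: "socket", 42: "connect", 49: "bind", 50: "listen",
            54: "setsockopt", 55: "getsockopt"}

# Sample input abridged from comment 4 (SYSCALL fields not used here are dropped)
SAMPLE = """\
type=SYSCALL msg=audit(1305299967.437:683): arch=c000003e syscall=41 success=no exit=-13
type=AVC msg=audit(1305299967.437:683): avc:  denied  { create } for  pid=392 comm="gst-launch-0.10" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=SYSCALL msg=audit(1305300165.905:698): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1305300165.905:698): avc:  denied  { bind } for  pid=563 comm="gst-launch-0.10" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=SYSCALL msg=audit(1305301348.641:759): arch=c000003e syscall=50 success=no exit=-13
type=AVC msg=audit(1305301348.641:759): avc:  denied  { listen } for  pid=1124 comm="gst-launch-0.10" lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=SYSCALL msg=audit(1305301641.165:761): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1305301641.165:761): avc:  denied  { name_connect } for  pid=1212 comm="gst-launch-0.10" dest=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket
"""

AVC = re.compile(r"type=AVC msg=audit\(([\d.]+:\d+)\): avc:\s+denied\s+\{ ([^}]+) \}"
                 r".*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
SYSCALL = re.compile(r"type=SYSCALL msg=audit\(([\d.]+:\d+)\):.*?syscall=(\d+)")

def ctx_type(context):
    return context.split(":")[2]  # user:role:type:level -> type

def parse(log):
    """Return (denials, perm_call): denied permissions grouped by
    (source type, target, class), and the syscall behind each permission."""
    calls = {ev: SYSCALLS.get(int(n), n) for ev, n in SYSCALL.findall(log)}
    denials, perm_call = defaultdict(set), {}
    for event, perms, sctx, tctx, cls in AVC.findall(log):
        src, tgt = ctx_type(sctx), ctx_type(tctx)
        key = (src, "self" if src == tgt else tgt, cls)  # same type -> self
        for perm in perms.split():
            denials[key].add(perm)
            perm_call[perm] = calls.get(event, "?")
    return denials, perm_call

def rules(denials):
    """Render the grouped denials as policy-language allow rules."""
    out = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(rules(parse(SAMPLE)[0])))
```

The grouping shows why name_connect ends up in its own rule: its target is port_t, the label on port 5001, while the other denials target the process's own socket (self).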

Comment 5 Daniel Walsh 2011-05-24 18:24:09 UTC
Applied in selinux-policy-3.9.16-24.fc16

