The linux-igd package in Fedora 9 doesn't seem to function at all in
its default configuration with SELinux enabled.
It's a UPnP IGD implementation which calls iptables to automatically
add requested port forwarding DNAT entries to the nat table's
PREROUTING chain, and the filter table's FORWARD chain.
Two runs through audit2allow made me a module which allows it to
function; however, I'm worried whether the automatically generated
rules are sensible, or if it's even normal that a Fedora 9 package by
default just wouldn't work at all with SELinux enforcing on. Thanks
for any insight.
The upnpd runs as root.
The package versions:
linux-igd-1.0-5.fc9.i386
selinux-policy-targeted-3.3.1-79.fc9.noarch
Audit messages:
type=1400 audit(1217802519.747:3819): avc: denied { read write } for pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1217804575.392:3820): avc: denied { read write } for pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=1401 audit(1217811758.594:3828): security_compute_sid: invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
The auto-generated module which allows it to function:
module myupnpd 1.0.1;
require {
type iptables_t;
type initrc_t;
type insmod_t;
role unconfined_r;
class tcp_socket { read write };
class udp_socket { read write };
}
#============= ROLES ==============
role unconfined_r types insmod_t;
#============= iptables_t ==============
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
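An added example, not from the post or the linux-igd package, that parses the three audit records quoted above and classifies them the way a policy reviewer would: a denial on a sockfs socket whose target type is another domain (here initrc_t) is the leaked-descriptor pattern, for which a dontaudit rule is the usual remedy rather than the allow that audit2allow emits; the security_compute_sid record shows the unconfined_r role lacking the insmod_t type, which is what the generated role statement adds. The records are embedded as constructed sample input; function names are my own.

```python
import re

# Constructed sample input: the three audit records quoted in the post, one record per line.
AUDIT_LOG = """\
type=1400 audit(1217802519.747:3819): avc: denied { read write } for pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1217804575.392:3820): avc: denied { read write } for pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=1401 audit(1217811758.594:3828): security_compute_sid: invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key=value fields, the permission set and any invalid context."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    rec['perms'] = perms.group(1).split() if perms else []
    bad = re.search(r'invalid context (\S+)', line)
    if bad:
        rec['invalid_context'] = bad.group(1)
    return rec

def type_of(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(':')[2]

def classify(rec):
    """Return (kind, suggested policy statement) for one parsed record."""
    src, tgt, cls = type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass']
    perms = ' '.join(rec['perms'])
    if rec.get('dev') == 'sockfs' and rec.get('path', '').startswith('socket:[') and src != tgt:
        # The socket still carries the parent domain's type: it was inherited across exec
        # (a leaked descriptor). iptables does not need it, so silence rather than grant.
        return ('leaked_fd', 'dontaudit %s %s:%s { %s };' % (src, tgt, cls, perms))
    if 'invalid_context' in rec:
        _, role, new_type = rec['invalid_context'].split(':')[:3]
        # The computed transition target is a type the current role is not authorised for.
        return ('role_missing_type', 'role %s types %s;' % (role, new_type))
    return ('other', 'allow %s %s:%s { %s };' % (src, tgt, cls, perms))

def analyse(log):
    """Classify every non-empty record in an audit log excerpt."""
    return [classify(parse_record(line)) for line in log.splitlines() if line.strip()]

if __name__ == '__main__':
    for kind, rule in analyse(AUDIT_LOG):
        print('%-18s %s' % (kind, rule))
```

Run it on the post's records and the two socket denials come out as dontaudit candidates while the third reproduces the role statement from the generated module; anything that falls through to 'other' is what actually needs a reviewed allow rule.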