I'm pretty sure this doesn't have anything to do with the kernel end but is probably some sort of policy issue instead. I've CCed the fedora-selinux list for an answer. The CC to linux-kernel should probably be dropped from the reply there.

Dave

On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
> Fedora core 9 stock kernel 2.6.25.108 i586
>
> Udp bind() fails with EACCES when selinux enforcing, but no audit
> messages.
>
> How to reproduce:
>
> In startup scripts, configure rpc.statd to use the fixed port 34.
> This port does not occur in /etc/services
> (In /etc/sysconfig/nfs, STATD_PORT=34)
>
> Write the following script, run it with bash -x.
>
> #!/bin/bash
>
> TESTDIR=/var/tmp/se-bind-test-$$
> mkdir $TESTDIR # to hold about 50 files
> cd $TESTDIR
>
> # Stop NFS:
> service nfs stop
> service nfslock stop
>
> # Gather some baseline data for easy comparison
> echo 1 > /selinux/enforce # just in case
> dmesg > dmesg-enforc-before
> wc /var/log/audit/audit.log > audit-enforc-before
>
> # This fails
> strace -o enforc -ff service nfslock start
>
> # But no new messages in logs
> dmesg > dmesg-enforc-after
> wc /var/log/audit/audit.log > audit-enforc-after
>
> # Try again in permissive mode
> echo 0 > /selinux/enforce
> dmesg > dmesg-nonenf-before
> wc /var/log/audit/audit.log > audit-nonenf-before
>
> # Since this works, daemon starts, and strace hangs on
> # Need sigkill; sigint does not work. Why?
> (sleep 5; killall -9 strace) &
> strace -o nonenf -ff service nfslock start
>
> # Just for symmetry
> dmesg > dmesg-nonenf-after
> wc /var/log/audit/audit.log > audit-nonenf-after
>
> # Check that there are no audits.
> diff dmesg-enforc-before dmesg-enforc-after
> diff audit-enforc-before audit-enforc-after
>
> # There are several other calls to bind() that are not prevented
> grep -E '^bind|^socket' enforc.*
> grep -E '^bind|^socket' nonenf.*
>
> Regards