Re: Curious AVC for syslog-ng listening on non-standard TCP Port.

On Sat, Jul 10, 2010 at 09:36:30PM +0100, Ted Rule wrote:
> In the course of trying to get a syslog-ng daemon running on a
> non-standard TCP port on CentOS5, I came across an AVC for the port
> which appeared
> to already have a permission in the SELinux Policy.
> 
> 
> We tried to make syslog-ng listen on TCP Port 5514, and as a result we
> got the following set of audit messages:
> 
> 
> $ sudo ausearch -ts yesterday -c syslog-ng 
> ----
> time->Fri Jul  9 23:04:26 2010
> type=SYSCALL msg=audit(1278713066.242:269066): arch=40000003 syscall=102
> success=no exit=-13 a0=2 a1=bfb34210 a2=95b51e8 a3=6 items=0 ppid=1
> pid=1713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="syslog-ng" exe="/sbin/syslog-ng"
> subj=system_u:system_r:syslogd_t:s0 key=(null)
> type=AVC msg=audit(1278713066.242:269066): avc:  denied  { name_bind }
> for  pid=1713 comm="syslog-ng" src=5514
> scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> ----
> time->Fri Jul  9 23:04:26 2010
> type=ANOM_ABEND msg=audit(1278713066.291:269067): auid=4294967295 uid=0
> gid=0 ses=4294967295 subj=system_u:system_r:syslogd_t:s0 pid=1713
> comm="syslog-ng" sig=11
> ----
> time->Fri Jul  9 23:27:59 2010
> type=SYSCALL msg=audit(1278714479.797:269169): arch=40000003 syscall=102
> success=no exit=-13 a0=2 a1=bffe96d0 a2=97a6928 a3=6 items=0 ppid=1
> pid=15354 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=44818 comm="syslog-ng" exe="/sbin/syslog-ng"
> subj=user_u:system_r:syslogd_t:s0 key=(null)
> type=AVC msg=audit(1278714479.797:269169): avc:  denied  { name_bind }
> for  pid=15354 comm="syslog-ng" src=5514
> scontext=user_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> ----
> time->Fri Jul  9 23:27:59 2010
> type=ANOM_ABEND msg=audit(1278714479.833:269170): auid=500 uid=0 gid=0
> ses=44818 subj=user_u:system_r:syslogd_t:s0 pid=15354 comm="syslog-ng"
> sig=11
> $
> 
> However, despite the fact that the AVC suggested that we needed to add
> the permission:
> 
>    allow syslogd_t port_t : tcp_socket { name_bind name_connect };
> 
> 
> 
> an sesearch suggests that the permission already exists:
> 
> $ sudo sesearch --allow -s syslogd_t | grep tcp |grep name.bind
>    allow syslogd_t rsh_port_t : tcp_socket { name_bind name_connect };
>    allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect };
>    allow syslogd_t port_t : tcp_socket { name_bind name_connect };
>    allow syslogd_t reserved_port_t : tcp_socket { name_bind name_connect };
> $


sesearch -SC --allow -s syslogd_t -t port_t
Found 8 semantic av rules:
   allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; 
   allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; 
DT allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_kerberos ]
DT allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
DT allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; [ allow_kerberos ]
DT allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; [ allow_ypbind ]
DT allow syslogd_t port_t : tcp_socket { name_bind name_connect } ; [ allow_ypbind ]
DT allow syslogd_t port_t : udp_socket name_bind ; [ allow_ypbind ]

... This means that syslogd_t is only allowed to bind udp/tcp sockets to ports with type port_t if the boolean allow_ypbind is set to true.

> 
> 
> Eventually, we repaired the situation by adding TCP/5514 as a
> syslogd_port_t, as in:
> 
> $ sudo semanage port -l |grep 514
> cluster_port_t                 tcp      5149, 40040, 50006, 50007, 50008
> cluster_port_t                 udp      5149, 50006, 50007, 50008
> rsh_port_t                     tcp      514
> syslogd_port_t                 tcp      5514
> syslogd_port_t                 udp      514
> virt_port_t                    tcp      16509, 16514
> virt_port_t                    udp      16509, 16514
> $
> 

Good decision

> 
> But my curiousity is piqued. Why did the policy deny the binding to a
> type port_t, when the policy appeared to already allow this?
> 
> 
> FWIW, the policy at the moment is a somewhat aged:
> 
> selinux-policy-targeted-2.4.6-203.el5
> 

Because it is a tunable policy rule that obviously is currently toggled to false. Piping the avc denial into audit2why should suggest that:

# echo "type=AVC msg=audit(1278714479.797:269169): avc:  denied  { name_bind } for  pid=15354 comm="syslog-ng" src=5514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket" | audit2why
type=AVC msg=audit(1278714479.797:269169): avc:  denied  { name_bind } for  pid=15354 comm=syslog-ng src=5514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

	Was caused by:
	The boolean allow_ypbind was set incorrectly. 
	Description:
	Allow system to run with NIS

	Allow access by executing:
	# setsebool -P allow_ypbind 1


> 
> 
> 
> 
> -- 
> Ted Rule
> 
> Director, Layer3 Systems Ltd
> 
> 
> http://www.layer3.co.uk/
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux


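As an added worked example (not part of the original exchange): a small POSIX sh helper that takes a name_bind AVC record like the ones Ted posted, pulls out the source domain, the target port type, the protocol and the port number, and prints the least-privilege fix. When the target type is the generic port_t, the port carries no specific label and the narrow fix is the one Ted used, relabelling the port as syslogd_port_t with semanage, rather than setsebool -P allow_ypbind 1, which per the sesearch output above would let syslogd_t bind to any port_t port. The sample record is constructed from the denial in the thread; the function names avc_field, context_type and avc_port_fix are assumptions of this example, not anything from the policy or the tools.

```sh
#!/bin/sh
# Triage a name_bind AVC denial and print the port-labelling fix.
# Added example for this thread; not part of the SELinux tools or the policy.

# Constructed sample record (copied in shape from the denial in the thread).
SAMPLE_AVC='type=AVC msg=audit(1278714479.797:269169): avc:  denied  { name_bind } for  pid=15354 comm="syslog-ng" src=5514 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY -> value of KEY=... in RECORD, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_port_fix RECORD WANTED_PORT_TYPE
# If the denial was against the generic port_t, print the semanage command that
# gives the port the wanted specific type.  If the port already has a specific
# type, print the sesearch query to check whether the domain may bind to it.
avc_port_fix() {
    record=$1
    want=$2
    perm=$(printf '%s\n' "$record" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p')
    [ "$perm" = "name_bind" ] || { echo "not a name_bind denial: $perm"; return 1; }
    port=$(avc_field "$record" src)
    tclass=$(avc_field "$record" tclass)
    sdom=$(context_type "$(avc_field "$record" scontext)")
    ttype=$(context_type "$(avc_field "$record" tcontext)")
    proto=${tclass%_socket}            # tcp_socket -> tcp, udp_socket -> udp
    if [ "$ttype" = "port_t" ]; then
        # Unlabelled port: label it, do not widen the domain with a boolean.
        echo "semanage port -a -t $want -p $proto $port"
    else
        echo "port $proto/$port is already labelled $ttype; check: sesearch --allow -s $sdom -t $ttype -c $tclass"
    fi
}

# Usage on the constructed record from the thread:
avc_port_fix "$SAMPLE_AVC" syslogd_port_t
```

If the port already carries a different specific type (the tcontext type is something other than port_t), semanage port -a will refuse because the port is already defined; the helper therefore points at sesearch so the existing allow rules can be checked before anything is changed, and semanage port -m is the command that moves an existing definition to another type.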
