On 11/03/2014 10:34 AM, Lukas Zapletal wrote:
Is it safe to allow UDP binds for all unprivileged ports?
One interesting fact. On RHEL6 this is non-fatal for our application (it
somehow resolves and carries on):
time->Mon Nov 3 04:26:06 2014
type=SYSCALL msg=audit(1415006766.148:417): arch=c000003e syscall=49
success=yes exit=0 a0=10 a1=7fef24905c40 a2=10 a3=40 items=0 ppid=2492
pid=2636 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497
egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1415006766.148:417): avc: denied { name_bind } for
pid=2636 comm="ruby" src=5421 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
On Fedora 19/RHEL7 this is fatal error (backtrace with a port bind error):
time->Mon Nov 3 04:15:14 2014
type=SYSCALL msg=audit(1415006114.607:819): arch=c000003e syscall=49
success=yes exit=0 a0=10 a1=7f9615448ec0 a2=10 a3=0 items=0 ppid=1
pid=31178 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997
egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1415006114.607:819): avc: denied { name_bind } for
pid=31178 comm="ruby" src=29817
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
We do use Ruby 1.9.3 in all cases from Software Collections.
I see a difference in the target type: port_t vs unreserved_port_t. I
tried multiple times with the same result.
Yes, this is a change in RHEL7. Basically you will need to allow it as
we do it rpc_domain, puppetmaster_t, vpnc_t ...
corenet_udp_bind_generic_port()
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
