Re: selinux and sctp

On 05/26/2009 11:32 PM, Paul Moore wrote:
On Monday 25 May 2009 07:16:06 am Daniel J Walsh wrote:
On 05/24/2009 06:00 AM, Nigel Rumens wrote:
Hi,

Does selinux understand sctp?

When I run (for example)

sctp_darn -H 0 -P 9876 -l

It results in an avc denial message which tells me the target object is
of type None[rawip_socket]

Also semanage port -l shows only udp and tcp

Machine tested on was F11 (fully updated) - I also tried it F10 with the
same results

Hi Nigel,

Can you send us the AVC denial messages?  If you are running a recent kernel 
(F11/Rawhide should qualify and F10 will likely as well) there should only be 
a handful of areas where you should be hitting transport protocol specific 
code that isn't SCTP aware in the kernel, it would be nice to verify that so 
we could better identify what work needs to be done.


Certainly - here you are.

Summary
SELinux is preventing the sctp_darn (unconfined_t) from binding to port 9876.
Detailed Description
SELinux has denied the sctp_darn from binding to a network port 9876 which does not have an SELinux type associated with it. If sctp_darn is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that unconfined_t can bind to. semanage port -l will list all port types. Please file a bug report against the selinux-policy package. If sctp_darn is not supposed to bind to this port, this could signal an intrusion attempt. If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1.
Allowing Access
If you want to allow sctp_darn to bind to this port semanage port -a -t PORT_TYPE -p PROTOCOL 9876 Where PORT_TYPE is a type that unconfined_t can bind and PROTOCOL is udp or tcp.
Additional Information
Source Context:      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:      system_u:object_r:port_t:s0
Target Objects:      None [ rawip_socket ]
Source:      sctp_darn
Source Path:      /usr/bin/sctp_darn
Port:      9876
Host:      bear.cwb.uk
Source RPM Packages:      lksctp-tools-1.0.10-1.fc11
Target RPM Packages:     
Policy RPM:      selinux-policy-3.6.12-34.fc11
Selinux Enabled:      True
Policy Type:      targeted
MLS Enabled:      True
Enforcing Mode:      Enforcing
Plugin Name:      bind_ports
Host Name:      bear.cwb.uk
Platform:      Linux bear.cwb.uk 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12 10:44:27 EDT 2009 x86_64 x86_64
Alert Count:      1
First Seen:      Fri May 22 07:46:59 2009
Last Seen:      Fri May 22 07:46:59 2009
Local ID:      73919917-a2a5-409c-b29d-1eb84b1acc04
Line Numbers:     

Raw Audit Messages :

node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied { name_bind } for pid=14773 comm="sctp_darn" src="" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10 a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51 comm="sctp_darn" exe="/usr/bin/sctp_darn" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
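The raw audit records above carry the detail the setroubleshoot summary glosses over: the denied permission is name_bind on the rawip_socket class against the default port_t label, which is why the suggested semanage port workaround (which only takes udp or tcp as PROTOCOL) does not apply. The following is an added example, not code from the thread or from the lksctp or SELinux projects: it parses the two quoted records, pairs the AVC with its SYSCALL by audit serial, and reports whether a name_bind denial is one that semanage port could address. The set of socket classes treated as manageable by semanage port is an assumption drawn from the PROTOCOL wording in the summary above, and the sample input is a constructed copy of the poster's records.

```python
import re

# Constructed copy of the two raw audit records quoted in the post above
# (node, contexts and pids are the values the poster supplied).
RAW_AUDIT = """\
node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied { name_bind } for pid=14773 comm="sctp_darn" src="" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10 a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51 comm="sctp_darn" exe="/usr/bin/sctp_darn" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# key=value tokens: quoted strings, parenthesised values such as (null), or bare words
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\([^)]*\)|\S+)')
# the "avc: denied { perm ... } for" prefix that only AVC records carry
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\b')
# audit(<timestamp>:<serial>) ties an AVC record to the SYSCALL record it came from
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Assumption: socket classes whose port labels semanage port can change with
# -p tcp / -p udp, per the PROTOCOL wording of the setroubleshoot summary.
PORT_MANAGEABLE_CLASSES = {"tcp_socket", "udp_socket"}


def parse_record(line):
    """Turn one raw audit line into a dict of its fields."""
    rec = {}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    avc = AVC_RE.search(line)
    if avc:
        rec["result"] = avc.group(1)
        rec["perms"] = set(avc.group(2).split())
    for key, raw, quoted in KV_RE.findall(line):
        if key == "msg":  # already handled by MSG_RE
            continue
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def correlate(raw_text):
    """Group records by audit serial so each AVC sits next to its SYSCALL record."""
    events = {}
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault(rec.get("serial"), {})[rec["type"]] = rec
    return events


def assess_port_denial(event):
    """Summarise a name_bind denial and say whether semanage port can address it.

    Returns None for events that are not name_bind denials.
    """
    avc = event.get("AVC")
    if not avc or avc.get("result") != "denied" or "name_bind" not in avc.get("perms", ()):
        return None
    sc = event.get("SYSCALL", {})
    tclass = avc.get("tclass")
    target_type = avc.get("tcontext", "::").split(":")[2]
    return {
        "comm": avc.get("comm"),
        "exe": sc.get("exe"),
        "pid": avc.get("pid"),
        "syscall": sc.get("syscall"),  # 49 is bind(2) on x86_64 (arch=c000003e)
        "tclass": tclass,
        "target_type": target_type,
        # port_t is the label of otherwise unassigned ports; a bind through a
        # tcp/udp socket class could be relabelled with semanage port, but a
        # rawip_socket denial like the poster's cannot be fixed that way
        "semanage_port_fixable": tclass in PORT_MANAGEABLE_CLASSES,
    }


if __name__ == "__main__":
    for serial, event in correlate(RAW_AUDIT).items():
        finding = assess_port_denial(event)
        if finding:
            print(serial, finding)
```

Run against the poster's records the finding comes back with tclass rawip_socket, target type port_t and semanage_port_fixable False, which is the quickest way to tell this denial apart from an ordinary unlabelled-port case where adding the port to a type would be the right answer.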
