On Sat, Jul 10, 2010 at 09:36:30PM +0100, Ted Rule wrote:
In the course of trying to get a syslog-ng daemon running on a
non-standard TCP port on CentOS5, I came across an AVC for the port
which appeared
to already have a permission in the SELinux Policy.
We tried to make syslog-ng listen on TCP Port 5514, and as a result we
got the following set of audit messages:
$ sudo ausearch -ts yesterday -c syslog-ng
----
time->Fri Jul 9 23:04:26 2010
type=SYSCALL msg=audit(1278713066.242:269066): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bfb34210 a2=95b51e8 a3=6 items=0 ppid=1
pid=1713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="syslog-ng"
exe="/sbin/syslog-ng"
subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1278713066.242:269066): avc: denied { name_bind }
for pid=1713 comm="syslog-ng" src=5514
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Fri Jul 9 23:04:26 2010
type=ANOM_ABEND msg=audit(1278713066.291:269067): auid=4294967295 uid=0
gid=0 ses=4294967295 subj=system_u:system_r:syslogd_t:s0 pid=1713
comm="syslog-ng" sig=11
----
time->Fri Jul 9 23:27:59 2010
type=SYSCALL msg=audit(1278714479.797:269169): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bffe96d0 a2=97a6928 a3=6 items=0 ppid=1
pid=15354 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=44818 comm="syslog-ng" exe="/sbin/syslog-ng"
subj=user_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1278714479.797:269169): avc: denied { name_bind }
for pid=15354 comm="syslog-ng" src=5514
scontext=user_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Fri Jul 9 23:27:59 2010
type=ANOM_ABEND msg=audit(1278714479.833:269170): auid=500 uid=0 gid=0
ses=44818 subj=user_u:system_r:syslogd_t:s0 pid=15354 comm="syslog-ng"
sig=11
$
However, despite the fact that the AVC suggested that we needed to add
the permission:
allow syslogd_t port_t : tcp_socket { name_bind name_connect };
an sesearch suggests that the permission already exists:
$ sudo sesearch --allow -s syslogd_t | grep tcp |grep name.bind
allow syslogd_t rsh_port_t : tcp_socket { name_bind name_connect };
allow syslogd_t syslogd_port_t : tcp_socket { name_bind name_connect };
allow syslogd_t port_t : tcp_socket { name_bind name_connect };
allow syslogd_t reserved_port_t : tcp_socket { name_bind name_connect };
$
sesearch -SC --allow -s syslogd_t -t port_t
Found 8 semantic av rules:
allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ;
allow syslogd_t port_type : udp_socket { recv_msg send_msg } ;
DT allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_kerberos ]
DT allow syslogd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
DT allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; [ allow_kerberos ]
DT allow syslogd_t port_type : udp_socket { recv_msg send_msg } ; [ allow_ypbind ]
DT allow syslogd_t port_t : tcp_socket { name_bind name_connect } ; [ allow_ypbind ]
DT allow syslogd_t port_t : udp_socket name_bind ; [ allow_ypbind ]
... This means that syslogd_t is only allowed to bind udp/tc sockets to ports with type
port_t is booolean allow_ypbind is set to true.
Eventually, we repaired the situation by adding TCP/5514 as a
syslogd_port_t, as in:
$ sudo semanage port -l |grep 514
cluster_port_t tcp 5149, 40040, 50006, 50007, 50008
cluster_port_t udp 5149, 50006, 50007, 50008
rsh_port_t tcp 514
syslogd_port_t tcp 5514
syslogd_port_t udp 514
virt_port_t tcp 16509, 16514
virt_port_t udp 16509, 16514
$
Good decision
But my curiousity is piqued. Why did the policy deny the binding to a
type port_t, when the policy appeared to already allow this?
FWIW, the policy at the moment is a somewhat aged:
selinux-policy-targeted-2.4.6-203.el5
Because it a tunable policy rules that obviously currently is toggled to false. Piping the
avc denial into audit2why should suggest that
# echo "type=AVC msg=audit(1278714479.797:269169): avc: denied { name_bind } for
pid=15354 comm="syslog-ng" src=5514 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket" | audit2why
type=AVC msg=audit(1278714479.797:269169): avc: denied { name_bind } for pid=15354
comm=syslog-ng src=5514 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS
Allow access by executing:
# setsebool -P allow_ypbind 1
--
Ted Rule
Director, Layer3 Systems Ltd
http://www.layer3.co.uk/
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux