I'm pretty sure this doesn't have anything to do with the kernel end but is probably some sort of policy issue instead. I've CCed the fedora-selinux list for an answer. The CC to linux-kernel should probably be dropped from the reply there.
Dave
On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
Fedora core 9 stock kernel 2.6.25.108 i586
UDP bind() fails with EACCES when SELinux is enforcing, but there are no audit messages.
How to reproduce:
In startup scripts, configure rpc.statd to use the fixed port 34. This port does not occur in /etc/services (in /etc/sysconfig/nfs, STATD_PORT=34).
Write the following script, run it with bash -x.
#!/bin/bash
TESTDIR=/var/tmp/se-bind-test-$$
mkdir "$TESTDIR"        # to hold about 50 files
cd "$TESTDIR" || exit 1

# Stop NFS:
service nfs stop
service nfslock stop

# Gather some baseline data for easy comparison
echo 1 > /selinux/enforce       # just in case
dmesg > dmesg-enforc-before
wc /var/log/audit/audit.log > audit-enforc-before

# This fails
strace -o enforc -ff service nfslock start

# But no new messages in logs
dmesg > dmesg-enforc-after
wc /var/log/audit/audit.log > audit-enforc-after

# Try again in permissive mode
echo 0 > /selinux/enforce
dmesg > dmesg-nonenf-before
wc /var/log/audit/audit.log > audit-nonenf-before

# Since this works, the daemon starts, and strace hangs on.
# Need SIGKILL; SIGINT does not work. Why?
(sleep 5; killall -9 strace) &
strace -o nonenf -ff service nfslock start

# Just for symmetry
dmesg > dmesg-nonenf-after
wc /var/log/audit/audit.log > audit-nonenf-after

# Check that there are no audits.
diff dmesg-enforc-before dmesg-enforc-after
diff audit-enforc-before audit-enforc-after

# There are several other calls to bind() that are not prevented
grep -E '^bind|^socket' enforc.*
grep -E '^bind|^socket' nonenf.*
Regards
-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
David P. Quigley wrote (message quoted in full above):
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
semodule -DB
Will remove all dontaudit rules.
Then run your service script.
semodule -B
Will put them back.
Have you run yum -y upgrade selinux-policy*?
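The diagnosis the thread converges on, as an added shell example that is not code from either poster: a bind() that fails with EACCES while audit.log stays silent is the signature of a denial matched by a dontaudit rule, and `semodule -DB` rebuilds the policy with those rules stripped so the AVC becomes visible. The script pulls the failed bind() and its port out of the `strace -ff` output the reporter collected, parses the `name_bind` denial that appears once dontaudit rules are gone, and wraps the reply's `semodule -DB` / `semodule -B` cycle so it only runs on a host that actually has SELinux. The strace and audit lines are constructed samples in the shape those tools write, not captured output; the `rpcd_t` and `reserved_port_t` contexts are assumptions (a port below 1024 with no port-map entry would be expected to fall under `reserved_port_t`, but that was not checked on the reporter's system); the function names and the `/selinux` and `/sys/fs/selinux` paths are mine.

```shell
#!/bin/bash
# Added example, not code from the thread: triage a UDP bind() that fails with
# EACCES under SELinux enforcing while audit.log stays silent.
#  1. bind_failures          : pull failed bind() calls and their ports out of
#                              strace -ff output (what the reporter grepped by hand)
#  2. avc_name_bind          : read the name_bind denial that appears once
#                              `semodule -DB` has stripped the dontaudit rules
#  3. surface_hidden_denials : the reply's semodule -DB / -B cycle, guarded so it
#                              only runs where SELinux and the policy tools exist
# Sample lines below are constructed in the shape strace and auditd write,
# not captured from the reporter's host.

# Print "fd port errno" for every bind() in strace output (stdin) that failed.
# Assumes strace's AF_INET rendering: sin_port=htons(N) ... = -1 EXXX (...).
bind_failures() {
    sed -n -E 's/^bind\(([0-9]+), [{][^}]*sin_port=htons\(([0-9]+)\)[^}]*[}], [0-9]+\) = -1 (E[A-Z]+).*/\1 \2 \3/p'
}

# Print "comm scontext tcontext port" for each "denied { name_bind }" AVC on
# stdin: which domain was refused which port type. The tcontext is what you
# compare against `semanage port -l` (or change with `semanage port -a`).
avc_name_bind() {
    awk 'index($0, "{ name_bind }") && /denied/ {
        comm = ""; s = ""; t = ""; p = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "comm")     comm = kv[2]
            else if (kv[1] == "src")      p = kv[2]
            else if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
        }
        gsub(/"/, "", comm)
        print comm, s, t, p
    }'
}

# Reproduce the failure with dontaudit rules removed, then restore them.
# Usage: surface_hidden_denials nfslock
surface_hidden_denials() {
    local svc=$1 fs
    for fs in /sys/fs/selinux /selinux; do [ -d "$fs" ] && break; done
    [ -d "$fs" ] || { echo "no SELinux filesystem mounted; skipping" >&2; return 1; }
    semodule -DB || return 1        # rebuild policy with every dontaudit rule dropped
    service "$svc" restart          # the bind() that was silently refused
    ausearch -m avc -ts recent | avc_name_bind   # the denial is now in the audit log
    semodule -B                     # put the dontaudit rules back
}

# Constructed strace -ff output (shape of enforc.<pid>): one anonymous-port
# bind that succeeds, one bind to the fixed port 34 that is refused.
SAMPLE_STRACE='socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(34), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)'

# Constructed AVC of the kind that only shows up after `semodule -DB`. The
# rpcd_t and reserved_port_t contexts are assumptions about the policy in
# play (a port below 1024 with no port-map entry would be expected to carry
# reserved_port_t); they were not verified on the reporter's system.
SAMPLE_AUDIT='type=AVC msg=audit(1221147000.123:456): avc:  denied  { name_bind } for  pid=2345 comm="rpc.statd" src=34 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket'

case "${1-}" in
    --demo) printf '%s\n' "$SAMPLE_STRACE" | bind_failures    # -> 6 34 EACCES
            printf '%s\n' "$SAMPLE_AUDIT"  | avc_name_bind ;;
    "")     ;;                       # sourced or run without args: define only
    *)      surface_hidden_denials "$1" ;;
esac
```

Run it with `--demo` to see the two parsers on the constructed samples, or with a service name (for example `nfslock`) on an SELinux host to perform the dontaudit cycle; the denial it prints names the port type, which is the thing to fix with `semanage port` rather than by loosening the domain.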