12:44 p.m.
I'm pretty sure this doesn't have anything to do with the kernel end but
is probably some sort of policy issue instead. I've CCed the
fedora-selinux list for an answer. The CC to linux-kernel should
probably be dropped from the reply there.
Dave
On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
Fedora core 9 stock kernel 2.6.25.108 i586
Udp bind() fails with EACCESS when selinux enforcing, but no audit
messages.
How to reproduce:
In startup scripts, configure rpc.statd to use the fixed port 34.
This port does not occur in /etc/services
(In /etc/sysconfig/nfs, STATD_PORT=34)
Write the following script, run it with bash -x.
#!/bin/bash
TESTDIR=/var/tmp/se-bind-test-$$
mkdir $TESTDIR # to hold about 50 files
cd $TESTDIR
# Stop NFS:
service nfs stop
service nfslock stop
# Gather some baseline data for easy comparison
echo 1 /selinux/enforce # just in case
dmesg > dmesg-enforc-before
wc /var/log/audit/audit.log > audit-enforc-before
# This fails
strace -o enforc -ff service nfslock start
# But no new messages in logs
dmesg > dmesg-enforc-after
wc /var/log/audit/audit.log > audit-enforc-after
# Try again in permissive mode
echo 0 /selinux/enforce
dmesg > dmesg-nonenf-before
wc /var/log/audit/audit.log > audit-nonenf-before
# Since this works, daemon starts, and strace hangs on
# Need sigkill; sigint does not work. Why?
(sleep 5; killall -9 strace) &
strace -o nonenf -ff service nfslock start
# Just for symmetry
dmesg > dmesg-nonenf-after
wc /var/log/audit/audit.log > audit-nonenf-after
# Check that there are no audits.
diff dmesg-enforc-before dmesg-enforc-after
diff audit-enforc-before audit-enforc-after
# There are several other calls to bind() that are not prevented
grep -E '^bind|^socket' enforc.*
grep -E '^bind|^socket' nonenf.*
Regards
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
1:20 p.m.
New subject: udp bind() fails with EACCESS when selinux enforcing, but no audit messages
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David P. Quigley wrote:
I'm pretty sure this doesn't have anything to do with the
kernel end but
is probably some sort of policy issue instead. I've CCed the
fedora-selinux list for an answer. The CC to linux-kernel should
probably be dropped from the reply there.
Dave
On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
> Fedora core 9 stock kernel 2.6.25.108 i586
>
> Udp bind() fails with EACCESS when selinux enforcing, but no audit
> messages.
>
> How to reproduce:
>
> In startup scripts, configure rpc.statd to use the fixed port 34.
> This port does not occur in /etc/services
> (In /etc/sysconfig/nfs, STATD_PORT=34)
>
> Write the following script, run it with bash -x.
>
> #!/bin/bash
>
> TESTDIR=/var/tmp/se-bind-test-$$
> mkdir $TESTDIR # to hold about 50 files
> cd $TESTDIR
>
> # Stop NFS:
> service nfs stop
> service nfslock stop
>
> # Gather some baseline data for easy comparison
> echo 1 /selinux/enforce # just in case
> dmesg > dmesg-enforc-before
> wc /var/log/audit/audit.log > audit-enforc-before
>
> # This fails
> strace -o enforc -ff service nfslock start
>
> # But no new messages in logs
> dmesg > dmesg-enforc-after
> wc /var/log/audit/audit.log > audit-enforc-after
>
> # Try again in permissive mode
> echo 0 /selinux/enforce
> dmesg > dmesg-nonenf-before
> wc /var/log/audit/audit.log > audit-nonenf-before
>
> # Since this works, daemon starts, and strace hangs on
> # Need sigkill; sigint does not work. Why?
> (sleep 5; killall -9 strace) &
> strace -o nonenf -ff service nfslock start
>
> # Just for symmetry
> dmesg > dmesg-nonenf-after
> wc /var/log/audit/audit.log > audit-nonenf-after
>
> # Check that there are no audits.
> diff dmesg-enforc-before dmesg-enforc-after
> diff audit-enforc-before audit-enforc-after
>
> # There are several other calls to bind() that are not prevented
> grep -E '^bind|^socket' enforc.*
> grep -E '^bind|^socket' nonenf.*
>
> Regards
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo(a)vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
semodule -DB
Will remove all dontaudit rules.
Then run your service script.
semodule -B
Will put them back.
You have yum -y upgrade selinux-policy\*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJYWYACgkQrlYvE4MpobMzAACfVTPibwI01dcnZAc+R8mB1bAE
XNMAn00pwIPWDJ8o5THRmPY4AHhbsmhS
=Jtrn
-----END PGP SIGNATURE-----
5705
days inactive
5705
days old
selinux@lists.fedoraproject.org
1 comments
2 participants
participants (2)
-
Daniel J Walsh -
David P. Quigley