Hello,
in our software (Foreman) we use the DNS resolver provided by the Ruby runtime. This is a kind of optimized, thread-safe resolver which ships with the Ruby platform.
The problem I am facing is that this implementation binds a random UDP port when a DNS request is sent. Here is the code bit:
https://github.com/ruby/ruby/blob/trunk/lib/resolv.rb#L651-L660
This has been there from Ruby 1.8.7 until now (trunk) as far as I can tell.
Since any Ruby application can leverage this API and expect the same behavior, I'd like to ask whether you have encountered such an error in Fedora and how you recommend solving this.
Have you experienced this kind of behavior with non-Ruby DNS clients?
Is it safe to allow UDP binds for all unprivileged ports?
How do I do this technically in my policy?
Thanks.
Is it safe to allow UDP binds for all unprivileged ports?
One interesting fact. On RHEL6 this is non-fatal for our application (it somehow resolves and carries on):
time->Mon Nov 3 04:26:06 2014
type=SYSCALL msg=audit(1415006766.148:417): arch=c000003e syscall=49 success=yes exit=0 a0=10 a1=7fef24905c40 a2=10 a3=40 items=0 ppid=2492 pid=2636 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1415006766.148:417): avc: denied { name_bind } for pid=2636 comm="ruby" src=5421 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
On Fedora 19/RHEL7 this is a fatal error (backtrace with a port bind error):
time->Mon Nov 3 04:15:14 2014
type=SYSCALL msg=audit(1415006114.607:819): arch=c000003e syscall=49 success=yes exit=0 a0=10 a1=7f9615448ec0 a2=10 a3=0 items=0 ppid=1 pid=31178 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1415006114.607:819): avc: denied { name_bind } for pid=31178 comm="ruby" src=29817 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
We do use Ruby 1.9.3 in all cases from Software Collections.
I see a difference in the target type: port_t vs unreserved_port_t. I tried multiple times with the same result.
On 11/03/2014 10:34 AM, Lukas Zapletal wrote:
> Is it safe to allow UDP binds for all unprivileged ports?
> One interesting fact. On RHEL6 this is non-fatal for our application (it somehow resolves and carries on):
> time->Mon Nov 3 04:26:06 2014
> type=SYSCALL msg=audit(1415006766.148:417): arch=c000003e syscall=49 success=yes exit=0 a0=10 a1=7fef24905c40 a2=10 a3=40 items=0 ppid=2492 pid=2636 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
> type=AVC msg=audit(1415006766.148:417): avc: denied { name_bind } for pid=2636 comm="ruby" src=5421 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> On Fedora 19/RHEL7 this is a fatal error (backtrace with a port bind error):
> time->Mon Nov 3 04:15:14 2014
> type=SYSCALL msg=audit(1415006114.607:819): arch=c000003e syscall=49 success=yes exit=0 a0=10 a1=7f9615448ec0 a2=10 a3=0 items=0 ppid=1 pid=31178 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
> type=AVC msg=audit(1415006114.607:819): avc: denied { name_bind } for pid=31178 comm="ruby" src=29817 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
> We do use Ruby 1.9.3 in all cases from Software Collections.
> I see a difference in the target type: port_t vs unreserved_port_t. I tried multiple times with the same result.
Yes, this is a change in RHEL7. Basically you will need to allow it as we do it for rpc_domain, puppetmaster_t, vpnc_t ...
corenet_udp_bind_generic_port()
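As an added example (not from this thread or the Foreman project), here is a minimal local policy module that applies the interface named in the reply to the passenger_t domain seen in the AVC records; the module name foreman_resolv, its version and the file name are assumptions.

```selinux
# foreman_resolv.te  (module and file name are assumptions for this example)
policy_module(foreman_resolv, 1.0)

require {
    # Source domain from the AVC records above: Passenger-hosted Ruby running Foreman.
    type passenger_t;
}

# The Ruby resolver (lib/resolv.rb) binds a random UDP source port for each
# query, so the confined domain needs name_bind on those generic ports.
# This is the interface the reply recommends, the same one rpc_domain,
# puppetmaster_t and vpnc_t use in the distribution policy.
corenet_udp_bind_generic_port(passenger_t)
```

Build and load it with "make -f /usr/share/selinux/devel/Makefile foreman_resolv.pp && semodule -i foreman_resolv.pp" (needs selinux-policy-devel), then run "sesearch -A -s passenger_t -t unreserved_port_t -c udp_socket -p name_bind" to confirm the rule the RHEL7 AVC asked for is now present before retesting Foreman.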
For the record, the reason for the randomization is a weakness in the DNS protocol:
http://linuxsysadminblog.com/2008/12/how-to-check-if-your-dns-server-impleme...
or
https://www.dns-oarc.net/oarc/services/porttest
In the core policy, I see djbdns having the very same macro. Surprisingly, bind does not have it (or I missed it).
selinux@lists.fedoraproject.org