* racoon got dead due to permission lacking
@ 2008-01-25  5:24 Kohei KaiGai
  2008-01-25 19:17 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Kohei KaiGai @ 2008-01-25  5:24 UTC (permalink / raw)
  To: dwalsh; +Cc: cpebenito, selinux


When I tested labeled ipsec, racoon got dead with the following messages:
(I added some line breaks for the reader's comfort)

| type=AVC msg=audit(1201052881.758:783): avc:  denied  { read }
|   for  pid=26854 comm="racoon" name="net" dev=proc ino=4026531867
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:proc_t:s0 tclass=dir
| type=AVC msg=audit(1201052881.758:784): avc:  denied  { read }
|   for  pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:proc_t:s0 tclass=file
| type=AVC msg=audit(1201052881.758:785): avc:  denied  { node_bind }
|   for  pid=26854 comm="racoon" saddr=127.0.0.1 src=500
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
| type=AVC msg=audit(1201052881.759:786): avc:  denied  { node_bind }
|   for  pid=26854 comm="racoon" saddr=10.19.71.81 src=500
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
| type=AVC msg=audit(1201052881.759:787): avc:  denied  { node_bind }
|   for  pid=26854 comm="racoon" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=500
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:compat_ipv4_node_t:s0 tclass=udp_socket
| type=AVC msg=audit(1201052881.759:788): avc:  denied  { node_bind }
|   for  pid=26854 comm="racoon" saddr=fe80:0000:0000:0000:0211:09ff:fe34:68e0 src=500
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:link_local_node_t:s0 tclass=udp_socket

selinux-policy-3.2.5-15.fc9 and ipsec-tools-0.7-8.fc9 are installed.
It seems to me that racoon tries to read /proc/net/unix, and bind addresses
on a udp socket.

The attached patch grants those permissions, and it resolved this matter.
Please apply it.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: serefpolicy-ipsec-racoon-fixed.patch --]
[-- Type: text/x-patch, Size: 514 bytes --]

--- serefpolicy-3.2.5/policy/modules/system/ipsec.te	2007-12-19 19:37:28.000000000 +0900
+++ serefpolicy-3.2.5.fixed/policy/modules/system/ipsec.te	2008-01-25 11:57:06.000000000 +0900
@@ -301,8 +301,12 @@
 
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
+corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
 
+# /proc/net/...
+read_files_pattern(racoon_t,proc_t,proc_t)
+
 dev_read_urand(racoon_t)
 
 # allow racoon to set contexts on ipsec policy and SAs
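Review bot: read_files_pattern(racoon_t,proc_t,proc_t) grants racoon_t read on every proc_t file, not only the /proc/net entries the "# /proc/net/..." comment names, and a domain .te should not reach into the kernel module's types directly; refpolicy layering expects a kernel.if interface here, e.g. kernel_read_network_state(racoon_t) for /proc/net, or kernel_read_system_state(racoon_t) only if the wider access is really intended. The dir denial on name="net" is, per the reply in this thread, a kernel labeling bug rather than a policy gap, so only the /proc/net/unix file read should drive this change. The corenet_udp_bind_all_nodes(racoon_t) line matches the four node_bind denials on udp_socket and is the right interface for them.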

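As an added example (not code from the thread or from refpolicy), a small Python parser that strips the reporter's "| " quoting prefix, rejoins the AVC records he wrapped across lines, and aggregates the denials into the allow rules they imply, the way audit2allow summarises an audit log. The sample records are three of the ones quoted above; the type is taken as the third field of each user:role:type:level context.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records from the report, "| "-quoted and line-wrapped
SAMPLE_AVC = """\
| type=AVC msg=audit(1201052881.758:783): avc:  denied  { read }
|   for  pid=26854 comm="racoon" name="net" dev=proc ino=4026531867
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:proc_t:s0 tclass=dir
| type=AVC msg=audit(1201052881.758:784): avc:  denied  { read }
|   for  pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:proc_t:s0 tclass=file
| type=AVC msg=audit(1201052881.759:786): avc:  denied  { node_bind }
|   for  pid=26854 comm="racoon" saddr=10.19.71.81 src=500
|   scontext=root:system_r:racoon_t:s0
|   tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs of a record
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")  # the denied permission set

def unwrap(text):
    """Strip the quoting prefix and rejoin records that were split across lines."""
    records, cur = [], []
    for line in text.splitlines():
        line = line.lstrip("| ").rstrip()
        if line.startswith("type=AVC") and cur:   # a new record starts here
            records.append(" ".join(cur))
            cur = []
        if line:
            cur.append(line)
    if cur:
        records.append(" ".join(cur))
    return records

def required_rules(text):
    """Aggregate denials into allow rules keyed on (source type, target type, class)."""
    rules = defaultdict(set)
    for rec in unwrap(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rec)}
        perms = PERMS_RE.search(rec).group(1).split()
        # the type is the third field of a user:role:type:level security context
        key = (fields["scontext"].split(":")[2],
               fields["tcontext"].split(":")[2], fields["tclass"])
        rules[key].update(perms)
    return {k: sorted(v) for k, v in rules.items()}

def format_rules(rules):
    """Render the aggregate as audit2allow-style allow rules."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]
```

The raw allow rules are what the denials require; in refpolicy they are expressed through interfaces such as corenet_udp_bind_all_nodes(), as the attached patch does, rather than written directly into ipsec.te.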

* Re: racoon got dead due to permission lacking
  2008-01-25  5:24 racoon got dead due to permission lacking Kohei KaiGai
@ 2008-01-25 19:17 ` Stephen Smalley
  2008-01-28 12:32   ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2008-01-25 19:17 UTC (permalink / raw)
  To: Kohei KaiGai; +Cc: dwalsh, cpebenito, selinux


On Fri, 2008-01-25 at 14:24 +0900, Kohei KaiGai wrote:
> When I tested labeled ipsec, racoon got dead with the following messages:
> (I added some line breaks for the reader's comfort)
> 
> | type=AVC msg=audit(1201052881.758:783): avc:  denied  { read }
> |   for  pid=26854 comm="racoon" name="net" dev=proc ino=4026531867
> |   scontext=root:system_r:racoon_t:s0
> |   tcontext=system_u:object_r:proc_t:s0 tclass=dir

That one is a kernel bug (in 2.6.24).  Should have a fix soon - patch is
being reviewed.

> | type=AVC msg=audit(1201052881.758:784): avc:  denied  { read }
> |   for  pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018
> |   scontext=root:system_r:racoon_t:s0
> |   tcontext=system_u:object_r:proc_t:s0 tclass=file
> | type=AVC msg=audit(1201052881.758:785): avc:  denied  { node_bind }
> |   for  pid=26854 comm="racoon" saddr=127.0.0.1 src=500
> |   scontext=root:system_r:racoon_t:s0
> |   tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
> | type=AVC msg=audit(1201052881.759:786): avc:  denied  { node_bind }
> |   for  pid=26854 comm="racoon" saddr=10.19.71.81 src=500
> |   scontext=root:system_r:racoon_t:s0
> |   tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
> | type=AVC msg=audit(1201052881.759:787): avc:  denied  { node_bind }
> |   for  pid=26854 comm="racoon" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=500
> |   scontext=root:system_r:racoon_t:s0
> |   tcontext=system_u:object_r:compat_ipv4_node_t:s0 tclass=udp_socket
> | type=AVC msg=audit(1201052881.759:788): avc:  denied  { node_bind }
> |   for  pid=26854 comm="racoon" saddr=fe80:0000:0000:0000:0211:09ff:fe34:68e0 src=500
> |   scontext=root:system_r:racoon_t:s0
> |   tcontext=system_u:object_r:link_local_node_t:s0 tclass=udp_socket
> 
> selinux-policy-3.2.5-15.fc9 and ipsec-tools-0.7-8.fc9 are installed.
> It seems to me that racoon tries to read /proc/net/unix, and bind addresses
> on a udp socket.
> 
> The attached patch grants those permissions, and it resolved this matter.
> Please apply it.
> 
> Thanks,
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: racoon got dead due to permission lacking
  2008-01-25 19:17 ` Stephen Smalley
@ 2008-01-28 12:32   ` Stephen Smalley
  2008-01-28 15:22     ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2008-01-28 12:32 UTC (permalink / raw)
  To: Kohei KaiGai; +Cc: dwalsh, cpebenito, selinux


On Fri, 2008-01-25 at 14:17 -0500, Stephen Smalley wrote:
> On Fri, 2008-01-25 at 14:24 +0900, Kohei KaiGai wrote:
> > When I tested labeled ipsec, racoon got dead with the following messages:
> > (I added some line breaks for the reader's comfort)
> > 
> > | type=AVC msg=audit(1201052881.758:783): avc:  denied  { read }
> > |   for  pid=26854 comm="racoon" name="net" dev=proc ino=4026531867
> > |   scontext=root:system_r:racoon_t:s0
> > |   tcontext=system_u:object_r:proc_t:s0 tclass=dir
> 
> That one is a kernel bug (in 2.6.24).  Should have a fix soon - patch is
> being reviewed.

Fix upstreamed,
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b1aa5301b9f88a4891061650c591fb8fe1c1


> > | type=AVC msg=audit(1201052881.758:784): avc:  denied  { read }
> > |   for  pid=26854 comm="racoon" name="unix" dev=proc ino=4026532018
> > |   scontext=root:system_r:racoon_t:s0
> > |   tcontext=system_u:object_r:proc_t:s0 tclass=file
> > | type=AVC msg=audit(1201052881.758:785): avc:  denied  { node_bind }
> > |   for  pid=26854 comm="racoon" saddr=127.0.0.1 src=500
> > |   scontext=root:system_r:racoon_t:s0
> > |   tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
> > | type=AVC msg=audit(1201052881.759:786): avc:  denied  { node_bind }
> > |   for  pid=26854 comm="racoon" saddr=10.19.71.81 src=500
> > |   scontext=root:system_r:racoon_t:s0
> > |   tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
> > | type=AVC msg=audit(1201052881.759:787): avc:  denied  { node_bind }
> > |   for  pid=26854 comm="racoon" saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=500
> > |   scontext=root:system_r:racoon_t:s0
> > |   tcontext=system_u:object_r:compat_ipv4_node_t:s0 tclass=udp_socket
> > | type=AVC msg=audit(1201052881.759:788): avc:  denied  { node_bind }
> > |   for  pid=26854 comm="racoon" saddr=fe80:0000:0000:0000:0211:09ff:fe34:68e0 src=500
> > |   scontext=root:system_r:racoon_t:s0
> > |   tcontext=system_u:object_r:link_local_node_t:s0 tclass=udp_socket
> > 
> > selinux-policy-3.2.5-15.fc9 and ipsec-tools-0.7-8.fc9 are installed.
> > It seems to me that racoon tries to read /proc/net/unix, and bind addresses
> > on a udp socket.
> > 
> > The attached patch grants those permissions, and it resolved this matter.
> > Please apply it.
> > 
> > Thanks,
-- 
Stephen Smalley
National Security Agency



* Re: racoon got dead due to permission lacking
  2008-01-28 12:32   ` Stephen Smalley
@ 2008-01-28 15:22     ` Paul Moore
  2008-01-28 15:35       ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2008-01-28 15:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Kohei KaiGai, dwalsh, cpebenito, selinux

On Monday 28 January 2008 7:32:30 am Stephen Smalley wrote:
> On Fri, 2008-01-25 at 14:17 -0500, Stephen Smalley wrote:
> > On Fri, 2008-01-25 at 14:24 +0900, Kohei KaiGai wrote:
> > > When I tested labeled ipsec, racoon got dead with the following
> > > messages: (I added some line breaks for the reader's comfort)
> > >
> > > | type=AVC msg=audit(1201052881.758:783): avc:  denied  { read }
> > > |   for  pid=26854 comm="racoon" name="net" dev=proc
> > > | ino=4026531867 scontext=root:system_r:racoon_t:s0
> > > |   tcontext=system_u:object_r:proc_t:s0 tclass=dir
> >
> > That one is a kernel bug (in 2.6.24).  Should have a fix soon -
> > patch is being reviewed.
>
> Fix upstreamed,
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b1aa5301b9f88a4891061650c591fb8fe1c1

This got pushed to -stable too, right?

-- 
paul moore
linux security @ hp


* Re: racoon got dead due to permission lacking
  2008-01-28 15:22     ` Paul Moore
@ 2008-01-28 15:35       ` Stephen Smalley
  0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2008-01-28 15:35 UTC (permalink / raw)
  To: Paul Moore; +Cc: Kohei KaiGai, dwalsh, cpebenito, selinux


On Mon, 2008-01-28 at 10:22 -0500, Paul Moore wrote:
> On Monday 28 January 2008 7:32:30 am Stephen Smalley wrote:
> > On Fri, 2008-01-25 at 14:17 -0500, Stephen Smalley wrote:
> > > On Fri, 2008-01-25 at 14:24 +0900, Kohei KaiGai wrote:
> > > > When I tested labeled ipsec, racoon got dead with the following
> > > > messages: (I added some line breaks for the reader's comfort)
> > > >
> > > > | type=AVC msg=audit(1201052881.758:783): avc:  denied  { read }
> > > > |   for  pid=26854 comm="racoon" name="net" dev=proc
> > > > | ino=4026531867 scontext=root:system_r:racoon_t:s0
> > > > |   tcontext=system_u:object_r:proc_t:s0 tclass=dir
> > >
> > > That one is a kernel bug (in 2.6.24).  Should have a fix soon -
> > > patch is being reviewed.
> >
> > Fix upstreamed,
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b1aa5301b9f88a4891061650c591fb8fe1c1
> 
> This got pushed to -stable too, right?

James cc'd them on the git pull request.  Haven't seen a reply yet.

-- 
Stephen Smalley
National Security Agency


