From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Sebastian Pfaff <sebastian.pfaff@gmail.com>,
selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>
Subject: Re: nc -l does not need permission name_bind to bind to a port!?
Date: Tue, 07 Apr 2009 10:33:34 -0400
Message-ID: <49DB643E.4060907@redhat.com>
In-Reply-To: <1239107410.29028.10.camel@localhost.localdomain>
On 04/07/2009 08:30 AM, Stephen Smalley wrote:
> On Sun, 2009-04-05 at 20:34 +0200, Sebastian Pfaff wrote:
>> Hello,
>>
>> I'm not sure about this, but AFAIK to bind a socket to a port the
>> name_bind permission is necessary (please correct me if this is wrong).
>>
>> now try this:
>> ==========
>>
>> policy_module(NETCAT, 0.0.1)
>>
>> require { type unconfined_t; }
>>
>> role unconfined_r types nc_t ;
>>
>> type nc_t;
>> type nc_exec_t;
>>
>> application_domain(nc_t, nc_exec_t)
>> domain_auto_transition_pattern(unconfined_t, nc_exec_t, nc_t)
>> #EOF
>>
>> build load NETCAT.te:
>> ==================
>>
>> make -f /usr/share/selinux/devel/Makefile
>> sudo semodule -i NETCAT.pp
>>
>> then set domain nc_t permissive:
>> ==========================
>>
>> sudo semanage permissive -a nc_t
>>
>> (temporarily) change type of nc:
>> =========================
>>
>> sudo chcon -v -t nc_exec_t /usr/bin/nc
>>
>> and then start a netcat "server" :
>> =========================
>>
>> nc -l 44444
>>
>> here the verification that nc listens on 44444 for incoming connections:
>> =======================================================
>> [root@SecLab ~]# netstat -plntZ | grep 44444
>> tcp 0 0 127.0.0.1:44444 0.0.0.0:* LISTEN 10279/nc unconfined_u:unconfined_r:nc_t:s0
>>
>> now we check audit.log:
>> ===================
>>
>> [root@SecLab ~]# grep '^type=AVC' /var/log/audit/audit.log
>> type=AVC msg=audit(1238954202.516:257): avc: denied { read write }
>> for pid=10279 comm="nc" name="1" dev=devpts ino=3
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
>> type=AVC msg=audit(1238954202.518:258): avc: denied { read } for
>> pid=10279 comm="nc" name="ld.so.cache" dev=sda1 ino=34611
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.518:259): avc: denied { getattr } for
>> pid=10279 comm="nc" path="/etc/ld.so.cache" dev=sda1 ino=34611
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.518:260): avc: denied { read } for
>> pid=10279 comm="nc" name="libglib-2.0.so.0" dev=sda1 ino=229602
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file
>> type=AVC msg=audit(1238954202.518:260): avc: denied { read } for
>> pid=10279 comm="nc" name="libglib-2.0.so.0.1800.4" dev=sda1 ino=229574
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.519:261): avc: denied { getattr } for
>> pid=10279 comm="nc" path="/lib/libglib-2.0.so.0.1800.4" dev=sda1
>> ino=229574 scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.519:262): avc: denied { execute } for
>> pid=10279 comm="nc" path="/lib/libglib-2.0.so.0.1800.4" dev=sda1
>> ino=229574 scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.519:263): avc: denied { read } for
>> pid=10279 comm="nc" path="/lib/ld-2.9.so" dev=sda1 ino=229558
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:ld_so_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.520:264): avc: denied { create } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
>> type=AVC msg=audit(1238954202.520:265): avc: denied { bind } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
>> type=AVC msg=audit(1238954202.520:266): avc: denied { getattr } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
>> type=AVC msg=audit(1238954202.520:267): avc: denied { write } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
>> type=AVC msg=audit(1238954202.520:267): avc: denied { nlmsg_read }
>> for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
>> type=AVC msg=audit(1238954202.520:268): avc: denied { read } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
>> type=AVC msg=audit(1238954202.533:269): avc: denied { read } for
>> pid=10279 comm="nc" name="nsswitch.conf" dev=sda1 ino=32805
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.533:270): avc: denied { getattr } for
>> pid=10279 comm="nc" path="/etc/nsswitch.conf" dev=sda1 ino=32805
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.534:271): avc: denied { read } for
>> pid=10279 comm="nc" name="resolv.conf" dev=sda1 ino=34021
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.534:272): avc: denied { getattr } for
>> pid=10279 comm="nc" path="/etc/resolv.conf" dev=sda1 ino=34021
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>> type=AVC msg=audit(1238954202.535:273): avc: denied { create } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1238954202.535:274): avc: denied { setopt } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1238954202.535:275): avc: denied { bind } for
>> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1238954202.535:275): avc: denied { node_bind }
>> for pid=10279 comm="nc" saddr=127.0.0.1 src=44444
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1238954202.535:276): avc: denied { listen } for
>> pid=10279 comm="nc" laddr=127.0.0.1 lport=44444
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1238954202.535:277): avc: denied { accept } for
>> pid=10279 comm="nc" laddr=127.0.0.1 lport=44444
>> scontext=unconfined_u:unconfined_r:nc_t:s0
>> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
>>
>> As everybody can see, there is no name_bind permission. Why is this
>> so? I always thought that name_bind is necessary to bind a port. An
>> entry from Dan's blog taught me that name_bind is always(?) needed.
>> I'm relatively new to SELinux, so I'm not sure about this. Hope
>> someone can help me.
>>
>> I'm using Fedora 10. BTW: sesearch --allow -s nc_t | grep name_bind
>> finds nothing. If you need additional info, please let me know.
>
> name_bind is not checked when the port falls within the local port range
> (cat /proc/sys/net/ipv4/ip_local_port_range), since ports in that range
> are used for auto-binding of unbound sockets and thus aren't truly
> controllable (unless we were to further modify the kernel to apply a
> check when scanning that port range for auto-binding and to skip port
> numbers in that range on a denial). name_bind was primarily intended to
> control the ability to bind to well known ports to prevent spoofing of a
> given service by another process.
>
I think this is a mistake. I think we should prevent name_bind of any
service, to ensure a user is not running malicious software in his
home directory that is listening on a port. Obviously we are blocking
high-level ports via the firewall, but we block the first 32000 ports now,
and it makes no logical sense not to block all of them.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
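As an added illustration of the rule Stephen states above (not code from this thread, from the kernel, or from the SELinux project), here is a small Python model of the bind-time decision: an explicit port inside net.ipv4.ip_local_port_range is never subjected to name_bind, everything else is. Two things in it are assumptions rather than statements from the thread: that ports below 1024 are always checked (to my knowledge the hook floors the range at the kernel's PROT_SOCK), and the fallback range 32768-61000, which is a constructed example value used only when /proc cannot be read.

```python
"""Model of when SELinux consults name_bind on bind(2).

Added illustration for this thread; not code from the thread, the kernel
or the SELinux project. Mirrors the decision described above: an explicit
port inside net.ipv4.ip_local_port_range gets no name_bind check, because
that range is used for auto-binding. The PROT_SOCK floor (ports below 1024
always checked) is an assumption from the kernel hook as I know it, not
something the thread states.
"""
import sys

PROC_PATH = "/proc/sys/net/ipv4/ip_local_port_range"
PROT_SOCK = 1024                 # assumption: the hook floors the range here
DEFAULT_RANGE = (32768, 61000)   # constructed fallback, typical 2.6-era default


def parse_local_port_range(text):
    """Parse the sysctl file contents, e.g. "32768\\t61000\\n" -> (32768, 61000)."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected 'low high', got %r" % text)
    low, high = int(parts[0]), int(parts[1])
    if not 0 < low <= high <= 65535:
        raise ValueError("implausible port range %d-%d" % (low, high))
    return low, high


def read_local_port_range(path=PROC_PATH):
    """Read the live range; fall back to DEFAULT_RANGE off-Linux or in a sandbox."""
    try:
        with open(path) as f:
            return parse_local_port_range(f.read())
    except (OSError, ValueError):
        return DEFAULT_RANGE


def name_bind_checked(port, local_range):
    """True if bind() to `port` would consult name_bind on the socket class.

    Port 0 means "auto-bind": the kernel picks a port from local_range and
    performs no name_bind check, which is why the whole range is exempt.
    """
    low, high = local_range
    if port == 0:
        return False
    return port < max(PROT_SOCK, low) or port > high


def unchecked_ports(local_range):
    """The window a domain without any name_bind rule can still listen in."""
    low, high = local_range
    return range(max(PROT_SOCK, low), high + 1)


def explain(port, local_range):
    """One-line verdict, matching the audit.log evidence in the thread."""
    low, high = local_range
    if port == 0:
        return "port 0: auto-bind, no name_bind check"
    if name_bind_checked(port, local_range):
        return "port %d: name_bind consulted (outside %d-%d)" % (
            port, max(PROT_SOCK, low), high)
    return "port %d: no name_bind check (inside local port range %d-%d)" % (
        port, low, high)


if __name__ == "__main__":
    rng = read_local_port_range()
    ports = [int(a) for a in sys.argv[1:]] or [80, 8080, 44444, 65000]
    for p in ports:
        print(explain(p, rng))
    print("unchecked window: %d ports" % len(unchecked_ports(rng)))
    # A narrower sysctl range (example value, not a recommendation from the
    # thread) shrinks the window in which no name_bind AVC is ever produced:
    print("with range 49152-65535: %d ports" % len(unchecked_ports((49152, 65535))))
```

Running it with no arguments on the default range shows why `nc -l 44444` produced node_bind, listen and accept denials but no name_bind denial, while 80, 8080 or 65000 would have. The `unchecked_ports` figure is the size of the gap Dan is objecting to: with the defaults it is over 28000 ports, and only lowering the sysctl range narrows it.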
Thread overview: 5+ messages
2009-04-05 18:34 nc -l does not need permission name_bind to bind to a port!? Sebastian Pfaff
2009-04-07 12:30 ` Stephen Smalley
2009-04-07 14:33 ` Daniel J Walsh [this message]
2009-04-07 16:38 ` Stephen Smalley
2009-04-07 16:57 ` Sebastian Pfaff