* nc -l does not need permission name_bind to bind to a port!?
From: Sebastian Pfaff @ 2009-04-05 18:34 UTC
To: selinux
Hello,

I'm not sure about this, but AFAIK to bind a socket to a port name_bind
is necessary (please correct me if this is wrong).

Now try this:
==========
policy_module(NETCAT, 0.0.1)

require { type unconfined_t; }

# New domain for nc and the type for its executable; declare them before
# they are referenced below.
type nc_t;
type nc_exec_t;
application_domain(nc_t, nc_exec_t)

# Let the unconfined role run the new domain, and transition into it
# whenever unconfined_t executes a file labelled nc_exec_t. No allow rules
# on purpose: the domain is made permissive below, so every access nc
# needs shows up as an AVC denial.
role unconfined_r types nc_t;
domain_auto_transition_pattern(unconfined_t, nc_exec_t, nc_t)
#EOF
Build and load NETCAT.te:
==================
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i NETCAT.pp

Then set the domain nc_t permissive:
==========================
sudo semanage permissive -a nc_t

(Temporarily) change the type of nc:
=========================
sudo chcon -v -t nc_exec_t /usr/bin/nc

And then start a netcat "server":
=========================
nc -l 44444

Here is the verification that nc listens on 44444 for incoming connections:
=======================================================
[root@SecLab ~]# netstat -plntZ | grep 44444
tcp        0      0 127.0.0.1:44444    0.0.0.0:*    LISTEN    10279/nc    unconfined_u:unconfined_r:nc_t:s0

Now we check audit.log:
===================
[root@SecLab ~]# grep '^type=AVC' /var/log/audit/audit.log
type=AVC msg=audit(1238954202.516:257): avc: denied { read write }
for pid=10279 comm="nc" name="1" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1238954202.518:258): avc: denied { read } for
pid=10279 comm="nc" name="ld.so.cache" dev=sda1 ino=34611
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
type=AVC msg=audit(1238954202.518:259): avc: denied { getattr } for
pid=10279 comm="nc" path="/etc/ld.so.cache" dev=sda1 ino=34611
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
type=AVC msg=audit(1238954202.518:260): avc: denied { read } for
pid=10279 comm="nc" name="libglib-2.0.so.0" dev=sda1 ino=229602
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1238954202.518:260): avc: denied { read } for
pid=10279 comm="nc" name="libglib-2.0.so.0.1800.4" dev=sda1 ino=229574
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1238954202.519:261): avc: denied { getattr } for
pid=10279 comm="nc" path="/lib/libglib-2.0.so.0.1800.4" dev=sda1
ino=229574 scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1238954202.519:262): avc: denied { execute } for
pid=10279 comm="nc" path="/lib/libglib-2.0.so.0.1800.4" dev=sda1
ino=229574 scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1238954202.519:263): avc: denied { read } for
pid=10279 comm="nc" path="/lib/ld-2.9.so" dev=sda1 ino=229558
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=AVC msg=audit(1238954202.520:264): avc: denied { create } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1238954202.520:265): avc: denied { bind } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1238954202.520:266): avc: denied { getattr } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1238954202.520:267): avc: denied { write } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1238954202.520:267): avc: denied { nlmsg_read }
for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1238954202.520:268): avc: denied { read } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1238954202.533:269): avc: denied { read } for
pid=10279 comm="nc" name="nsswitch.conf" dev=sda1 ino=32805
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1238954202.533:270): avc: denied { getattr } for
pid=10279 comm="nc" path="/etc/nsswitch.conf" dev=sda1 ino=32805
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1238954202.534:271): avc: denied { read } for
pid=10279 comm="nc" name="resolv.conf" dev=sda1 ino=34021
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1238954202.534:272): avc: denied { getattr } for
pid=10279 comm="nc" path="/etc/resolv.conf" dev=sda1 ino=34021
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1238954202.535:273): avc: denied { create } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:274): avc: denied { setopt } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:275): avc: denied { bind } for
pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:275): avc: denied { node_bind }
for pid=10279 comm="nc" saddr=127.0.0.1 src=44444
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:276): avc: denied { listen } for
pid=10279 comm="nc" laddr=127.0.0.1 lport=44444
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:277): avc: denied { accept } for
pid=10279 comm="nc" laddr=127.0.0.1 lport=44444
scontext=unconfined_u:unconfined_r:nc_t:s0
tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
As everybody can see, there is no name_bind permission. Why is this
so? I always thought that name_bind is necessary to bind a port. An
entry from Dan's blog taught me that name_bind is always(?) needed.
I'm relatively new to SELinux, so I'm not sure about this. Hope
someone can help me.

I'm using Fedora 10. Btw: sesearch --allow -s nc_t | grep name_bind
finds nothing. If you need additional info, please let me know.

Thanks in advance
--
Sebastian Pfaff
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
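The audit.log excerpt above is the whole point of the experiment: with nc_t permissive, every permission the domain would have needed is logged as a denial, so the question "was name_bind ever checked?" can be answered by parsing the records. The following is an added example, not code from the thread or from the SELinux project: a small AVC parser that collapses the records per (source type, target type, class), reports which tcp_socket permissions nc_t was denied, and emits audit2allow-style draft rules. The sample records are a constructed subset of the lines Sebastian posted, re-joined onto one line per record as auditd writes them.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records from the post above, each
# record re-joined onto a single line as auditd writes it.
SAMPLE_AVC = """\
type=AVC msg=audit(1238954202.516:257): avc: denied { read write } for pid=10279 comm="nc" name="1" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1238954202.535:273): avc: denied { create } for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:274): avc: denied { setopt } for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:275): avc: denied { bind } for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:275): avc: denied { node_bind } for pid=10279 comm="nc" saddr=127.0.0.1 src=44444 scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:276): avc: denied { listen } for pid=10279 comm="nc" laddr=127.0.0.1 lport=44444 scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:277): avc: denied { accept } for pid=10279 comm="nc" laddr=127.0.0.1 lport=44444 scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Turn AVC denial lines into dicts holding the permission set, the subject
    and target types and the object class. Non-AVC lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "fields": fields,
        })
    return records


def denied_perms(records, domain, tclass):
    """Every permission `domain` was denied on objects of class `tclass`."""
    perms = set()
    for r in records:
        if r["stype"] == domain and r["tclass"] == tclass:
            perms |= r["perms"]
    return perms


def draft_allow_rules(records):
    """Collapse denials into audit2allow-style allow rules, one per
    (source type, target type, class); a target equal to the source is `self`."""
    grouped = defaultdict(set)
    for r in records:
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        grouped[(r["stype"], target, r["tclass"])] |= r["perms"]
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    tcp = denied_perms(recs, "nc_t", "tcp_socket")
    print("tcp_socket permissions nc_t was denied:", sorted(tcp))
    print("name_bind among them:", "name_bind" in tcp)
    for rule in draft_allow_rules(recs):
        print(rule)
```

Run against the full audit.log the output is the same list nc_t would need for the listener: create, setopt, bind, node_bind (against lo_node_t), listen and accept, and no name_bind at all, which is exactly what Sebastian's sesearch also shows. Draft rules from a permissive run are a starting point for review, not something to load as-is.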
* Re: nc -l does not need permission name_bind to bind to a port!?
From: Stephen Smalley @ 2009-04-07 12:30 UTC
To: Sebastian Pfaff; +Cc: selinux, James Morris, Eric Paris

On Sun, 2009-04-05 at 20:34 +0200, Sebastian Pfaff wrote:
> [...]
>
> As everybody can see, there is no name_bind permission. Why is this
> so? I always thought that name_bind is necessary to bind a port. An
> entry from Dan's blog taught me that name_bind is always(?) needed.
> I'm relatively new to SELinux, so I'm not sure about this. Hope
> someone can help me.
>
> I'm using Fedora 10. Btw: sesearch --allow -s nc_t | grep name_bind
> finds nothing. If you need additional info, please let me know.

name_bind is not checked when the port falls within the local port range
(cat /proc/sys/net/ipv4/ip_local_port_range), since ports in that range
are used for auto-binding of unbound sockets and thus aren't truly
controllable (unless we were to further modify the kernel to apply a
check when scanning that port range for auto-binding and to skip port
numbers in that range on a denial). name_bind was primarily intended to
control the ability to bind to well known ports to prevent spoofing of a
given service by another process.

--
Stephen Smalley
National Security Agency
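Stephen's rule is easy to get wrong when reading a policy: name_bind only matters for ports outside ip_local_port_range, so a port type label on a port inside that range cannot be enforced on bind(2). The following is an added example, not code from the thread or from the kernel: a model of that decision, with a helper that reads the live sysctl and a small policy simulation showing the three possible outcomes. The (32768, 61000) default is an assumption about a Fedora 10 era kernel, the "ports below 1024 are always checked" clause reflects the kernel's max(PROT_SOCK, low) lower bound, and the port-type table and domains in the usage are constructed.

```python
PROT_SOCK = 1024                            # privileged-port boundary used by the kernel
DEFAULT_LOCAL_PORT_RANGE = (32768, 61000)   # assumed default for a Fedora 10 era kernel


def read_local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) from the sysctl file, or the assumed default when it
    is not readable (non-Linux host, restricted sandbox)."""
    try:
        with open(path) as fh:
            low, high = fh.read().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_LOCAL_PORT_RANGE


def name_bind_checked(port, local_range=DEFAULT_LOCAL_PORT_RANGE):
    """Model of the bind(2) hook: name_bind is evaluated only for ports outside
    the local (ephemeral) range. Port 0 asks the kernel to pick a port and is
    never name_bind-checked; ports below 1024 are always checked even if the
    range has been tuned to start lower (the kernel's max(PROT_SOCK, low))."""
    low, high = local_range
    if port == 0:
        return False
    return port < max(PROT_SOCK, low) or port > high


def bind_decision(domain, port, port_types, allowed,
                  local_range=DEFAULT_LOCAL_PORT_RANGE):
    """Explain the name_bind outcome for `domain` binding `port`.

    port_types: {port: port type}, e.g. {80: "http_port_t"}; an unlisted port
    is treated as the generic port_t (simplified: real policy also has port
    ranges and other default types). allowed: set of (domain, port type) pairs
    that hold name_bind. Returns 'skipped', 'allowed' or 'denied'."""
    if not name_bind_checked(port, local_range):
        return "skipped"        # no port type can be enforced on this port
    ptype = port_types.get(port, "port_t")
    return "allowed" if (domain, ptype) in allowed else "denied"


if __name__ == "__main__":
    rng = read_local_port_range()
    print("local port range on this host:", rng)
    # Constructed policy fragment: httpd_t may bind http_port_t, nothing else.
    port_types = {80: "http_port_t", 44444: "port_t"}
    allowed = {("httpd_t", "http_port_t")}
    for domain, port in [("nc_t", 44444), ("nc_t", 80), ("httpd_t", 80), ("nc_t", 8080)]:
        print(domain, port, "->", bind_decision(domain, port, port_types, allowed))
```

With the default range, nc_t binding 44444 is "skipped" even though a port type is assigned to it, while 80 and 8080 are decided by policy. A practitioner checking whether a service port is actually protected by its port label should therefore compare it against the host's live range, not just against the policy's port definitions.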
* Re: nc -l does not need permission name_bind to bind to a port!?
From: Daniel J Walsh @ 2009-04-07 14:33 UTC
To: Stephen Smalley; +Cc: Sebastian Pfaff, selinux, James Morris, Eric Paris

On 04/07/2009 08:30 AM, Stephen Smalley wrote:
> On Sun, 2009-04-05 at 20:34 +0200, Sebastian Pfaff wrote:
>> [...]
>
> name_bind is not checked when the port falls within the local port range
> (cat /proc/sys/net/ipv4/ip_local_port_range), since ports in that range
> are used for auto-binding of unbound sockets and thus aren't truly
> controllable (unless we were to further modify the kernel to apply a
> check when scanning that port range for auto-binding and to skip port
> numbers in that range on a denial). name_bind was primarily intended to
> control the ability to bind to well known ports to prevent spoofing of a
> given service by another process.

I think this is a mistake. I think we should prevent name_bind of any
service, to ensure a user is not running malicious software in his
home directory that is listening on a port. Obviously we are blocking
via firewall high level ports but we block the first 32000 ports now and
it makes no logical sense to not block all.
* Re: nc -l does not need permission name_bind to bind to a port!? 2009-04-07 14:33 ` Daniel J Walsh @ 2009-04-07 16:38 ` Stephen Smalley 2009-04-07 16:57 ` Sebastian Pfaff 0 siblings, 1 reply; 5+ messages in thread From: Stephen Smalley @ 2009-04-07 16:38 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Sebastian Pfaff, selinux, James Morris, Eric Paris On Tue, 2009-04-07 at 10:33 -0400, Daniel J Walsh wrote: > On 04/07/2009 08:30 AM, Stephen Smalley wrote: > > On Sun, 2009-04-05 at 20:34 +0200, Sebastian Pfaff wrote: > >> hello, > >> > >> i'm not sure about this: but afaik to bind a socket to a port the > >> name_bind is neccessary (please correct me, if this wrong). > >> > >> now try this: > >> ========== > >> > >> policy_module(NETCAT, 0.0.1) > >> > >> require { type unconfined_t; } > >> > >> role unconfined_r types nc_t ; > >> > >> type nc_t; > >> type nc_exec_t; > >> > >> application_domain(nc_t, nc_exec_t) > >> domain_auto_transition_pattern(unconfined_t, nc_exec_t, nc_t) > >> #EOF > >> > >> build load NETCAT.te: > >> ================== > >> > >> make -f /usr/share/selinux/devel/Makefile > >> sudo semodule -i NETCAT.pp > >> > >> then set domain nc_t permissive: > >> ========================== > >> > >> sudo semanage permissive -a nc_t > >> > >> (temporarily) change type of nc: > >> ========================= > >> > >> sudo chcon -v -t nc_exec_t /usr/bin/nc > >> > >> and then start a netcat "server" : > >> ========================= > >> > >> nc -l 44444 > >> > >> here the verification that nc listens on 44444 for incoming connections: > >> ======================================================= > >> [root@SecLab ~]# netstat -plntZ | grep 44444 > >> tcp 0 0 127.0.0.1:44444 > >> 0.0.0.0:* LISTEN 10279/nc > >> unconfined_u:unconfined_r:nc_t:s0 > >> > >> now we check audit.log: > >> =================== > >> > >> [root@SecLab ~]# grep '^type=AVC' /var/log/audit/audit.log > >> type=AVC msg=audit(1238954202.516:257): avc: denied { read write } > >> for pid=10279 
comm="nc" name="1" dev=devpts ino=3 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file > >> type=AVC msg=audit(1238954202.518:258): avc: denied { read } for > >> pid=10279 comm="nc" name="ld.so.cache" dev=sda1 ino=34611 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.518:259): avc: denied { getattr } for > >> pid=10279 comm="nc" path="/etc/ld.so.cache" dev=sda1 ino=34611 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.518:260): avc: denied { read } for > >> pid=10279 comm="nc" name="libglib-2.0.so.0" dev=sda1 ino=229602 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file > >> type=AVC msg=audit(1238954202.518:260): avc: denied { read } for > >> pid=10279 comm="nc" name="libglib-2.0.so.0.1800.4" dev=sda1 ino=229574 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:lib_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.519:261): avc: denied { getattr } for > >> pid=10279 comm="nc" path="/lib/libglib-2.0.so.0.1800.4" dev=sda1 > >> ino=229574 scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:lib_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.519:262): avc: denied { execute } for > >> pid=10279 comm="nc" path="/lib/libglib-2.0.so.0.1800.4" dev=sda1 > >> ino=229574 scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:lib_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.519:263): avc: denied { read } for > >> pid=10279 comm="nc" path="/lib/ld-2.9.so" dev=sda1 ino=229558 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:ld_so_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.520:264): avc: denied { create } for > >> pid=10279 comm="nc" 
scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket > >> type=AVC msg=audit(1238954202.520:265): avc: denied { bind } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket > >> type=AVC msg=audit(1238954202.520:266): avc: denied { getattr } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket > >> type=AVC msg=audit(1238954202.520:267): avc: denied { write } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket > >> type=AVC msg=audit(1238954202.520:267): avc: denied { nlmsg_read } > >> for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket > >> type=AVC msg=audit(1238954202.520:268): avc: denied { read } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=netlink_route_socket > >> type=AVC msg=audit(1238954202.533:269): avc: denied { read } for > >> pid=10279 comm="nc" name="nsswitch.conf" dev=sda1 ino=32805 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:etc_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.533:270): avc: denied { getattr } for > >> pid=10279 comm="nc" path="/etc/nsswitch.conf" dev=sda1 ino=32805 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:etc_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.534:271): avc: denied { read } for > >> pid=10279 comm="nc" name="resolv.conf" dev=sda1 ino=34021 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:net_conf_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.534:272): avc: denied { getattr } for > >> 
pid=10279 comm="nc" path="/etc/resolv.conf" dev=sda1 ino=34021 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:net_conf_t:s0 tclass=file > >> type=AVC msg=audit(1238954202.535:273): avc: denied { create } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket > >> type=AVC msg=audit(1238954202.535:274): avc: denied { setopt } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket > >> type=AVC msg=audit(1238954202.535:275): avc: denied { bind } for > >> pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket > >> type=AVC msg=audit(1238954202.535:275): avc: denied { node_bind } > >> for pid=10279 comm="nc" saddr=127.0.0.1 src=44444 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket > >> type=AVC msg=audit(1238954202.535:276): avc: denied { listen } for > >> pid=10279 comm="nc" laddr=127.0.0.1 lport=44444 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket > >> type=AVC msg=audit(1238954202.535:277): avc: denied { accept } for > >> pid=10279 comm="nc" laddr=127.0.0.1 lport=44444 > >> scontext=unconfined_u:unconfined_r:nc_t:s0 > >> tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket > >> > >> As everybody can see, there is no name_bind permission. why is this > >> so? I always thought, that name_bind is necessary to bind a port. An > >> entry from dan's blog teached me, that name_bind is always(?) needed. > >> I'm relatively new to selinux, so i'm not sure about this. Hope > >> someone can help me. > >> > >> I'm using fedora 10. Btw: sesearch --allow -s nc_t | grep name_bind > >> finds nothing. if you need additional info, please let me know. 
> >
> > name_bind is not checked when the port falls within the local port range
> > (cat /proc/sys/net/ipv4/ip_local_port_range), since ports in that range
> > are used for auto-binding of unbound sockets and thus aren't truly
> > controllable (unless we were to further modify the kernel to apply a
> > check when scanning that port range for auto-binding and to skip port
> > numbers in that range on a denial). name_bind was primarily intended to
> > control the ability to bind to well known ports to prevent spoofing of a
> > given service by another process.
> >
> I think this is a mistake. I think we should prevent name_bind of any
> service, to ensure a user is not running malicious software in his
> home directory that is listening on a port. Obviously we are blocking
> via firewall high level ports but we block the first 32000 ports now and
> it makes no logical sense to not block all.

It doesn't make sense to use a port in the local port range as a
well-defined service port since such a port can be allocated at any time
for an unbound socket upon a send or connect. Thus, it didn't seem useful
to try to control the name binding of such ports - the port numbers in
that range (should) have no inherent meaning tied to them, and thus
spoofing them is of no interest. You can already prevent a process from
creating INET sockets altogether (create permission), or prevent them
from using bind(2) altogether (bind permission). You can also use secmark
to e.g. label all packets destined for a given port with a given type,
and then use policy to prevent receipt of such packets on sockets in
certain domains.

Regardless, if you truly wanted name_bind applied to all ports and you
wanted to avoid trivial circumvention by way of calling send* on an
unbound socket, then someone would need to modify the TCP and UDP
get_port functions to invoke a LSM hook to filter/select the ports
returned for auto-binding. Merely checking name_bind in
selinux_socket_bind() for such ports wouldn't be sufficient.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with the words "unsubscribe selinux" without quotes as the message.
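A small checker for the rule Stephen describes, added here as an illustration and not part of the thread or of the SELinux code base: it reads the `low high` pair from `ip_local_port_range`, decides whether an explicit bind() to a given port would be subject to a name_bind check, and runs that decision over the port-carrying AVC records from the original post. The sample range (32768-61000) is a constructed value; on a live system you would read the real file instead. The clamp of the lower bound at PROT_SOCK (1024) mirrors what selinux_socket_bind() does in the kernel source and is not stated in the thread.

```python
"""Decide whether an SELinux name_bind check applies to a given bind()."""
import re

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range ("low high").
SAMPLE_LOCAL_PORT_RANGE = "32768\t61000\n"

# The bind-related AVC records from the post, quote prefixes stripped.
SAMPLE_AVC = """\
type=AVC msg=audit(1238954202.535:273): avc: denied { create } for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:275): avc: denied { bind } for pid=10279 comm="nc" scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:275): avc: denied { node_bind } for pid=10279 comm="nc" saddr=127.0.0.1 src=44444 scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238954202.535:276): avc: denied { listen } for pid=10279 comm="nc" laddr=127.0.0.1 lport=44444 scontext=unconfined_u:unconfined_r:nc_t:s0 tcontext=unconfined_u:unconfined_r:nc_t:s0 tclass=tcp_socket
"""

PROT_SOCK = 1024  # privileged-port boundary used by the kernel (PROT_SOCK)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+')
PORT_RE = re.compile(r'\b(?:src|lport|dest)=(\d+)')
TCLASS_RE = re.compile(r'\btclass=(\S+)')


def parse_local_port_range(text):
    """Parse the 'low high' pair as found in ip_local_port_range."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError("expected two integers, got %r" % text)
    low, high = int(fields[0]), int(fields[1])
    if not (0 < low <= high <= 65535):
        raise ValueError("port range out of bounds: %d-%d" % (low, high))
    return low, high


def name_bind_checked(port, local_range):
    """True if an explicit bind() to `port` is subject to a name_bind check.

    Ports inside the local (ephemeral) range are exempt, because the kernel
    hands them out for auto-binding anyway.  Port 0 requests auto-binding
    and is never checked.  The lower bound is clamped at PROT_SOCK so that
    privileged ports stay checked even if the range were lowered; this is
    a kernel-source detail, not something the thread states."""
    low, high = local_range
    if port == 0:
        return False
    return port < max(PROT_SOCK, low) or port > high


def explain_bind_denials(avc_text, local_range):
    """For each INET-socket AVC record carrying a port number, report whether
    policy would also have consulted name_bind for that port.

    Returns a list of (perms, port, name_bind_expected) tuples; records
    without a port (create, bind, setopt) are skipped."""
    findings = []
    for line in avc_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        tclass = TCLASS_RE.search(line)
        if not tclass or tclass.group(1) not in ("tcp_socket", "udp_socket"):
            continue
        port = PORT_RE.search(line)
        if not port:
            continue
        perms = tuple(m.group("perms").split())
        num = int(port.group(1))
        findings.append((perms, num, name_bind_checked(num, local_range)))
    return findings


if __name__ == "__main__":
    rng = parse_local_port_range(SAMPLE_LOCAL_PORT_RANGE)
    for perms, port, checked in explain_bind_denials(SAMPLE_AVC, rng):
        print("%-10s port %5d: name_bind %s" % (
            " ".join(perms), port,
            "checked" if checked else "not checked (local port range)"))
    for p in (22, 8080, 44444, 0):
        print("bind(%d): name_bind %s" % (
            p, "checked" if name_bind_checked(p, rng) else "not checked"))
```

With the sample range, 44444 falls inside 32768-61000, so the node_bind and listen records are reported with name_bind not expected, which is exactly why the original audit log shows no name_bind denial; 22 and 8080 would be checked. To audit a real host, replace the constructed sample with the contents of `/proc/sys/net/ipv4/ip_local_port_range` and your own `grep '^type=AVC'` output.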
* Re: nc -l does not need permission name_bind to bind to a port!?
2009-04-07 16:38 ` Stephen Smalley
@ 2009-04-07 16:57 ` Sebastian Pfaff
0 siblings, 0 replies; 5+ messages in thread
From: Sebastian Pfaff @ 2009-04-07 16:57 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, selinux, James Morris, Eric Paris
OK, thank you for the quick answer. Now everything is clear.
--
Sebastian Pfaff

On 07.04.2009 at 18:38, Stephen Smalley wrote:
>>
> It doesn't make sense to use a port in the local port range as a
> well-defined service port since such a port can be allocated at any
> time
> for an unbound socket upon a send or connect. Thus, it didn't seem
> useful to try to control the name binding of such ports - the port
> numbers in that range (should) have no inherent meaning tied to them,
> and thus spoofing them is of no interest. You can already prevent a
> process from creating INET sockets altogether (create permission), or
> prevent them from using bind(2) altogether (bind permission). You can
> also use secmark to e.g. label all packets destined for a given port
> with a given type, and then use policy to prevent receipt of such
> packets on sockets in certain domains.
>
> Regardless, if you truly wanted name_bind applied to all ports and you
> wanted to avoid trivial circumvention by way of calling send* on an
> unbound socket, then someone would need to modify the TCP and UDP
> get_port functions to invoke a LSM hook to filter/select the ports
> returned for auto-binding. Merely checking name_bind in
> selinux_socket_bind() for such ports wouldn't be sufficient.
>
> --
> Stephen Smalley
> National Security Agency
>
Thread overview: 5+ messages
2009-04-05 18:34 nc -l does not need permission name_bind to bind to a port!? Sebastian Pfaff
2009-04-07 12:30 ` Stephen Smalley
2009-04-07 14:33 ` Daniel J Walsh
2009-04-07 16:38 ` Stephen Smalley
2009-04-07 16:57 ` Sebastian Pfaff