From: Nigel Rumens <wooky@btconnect.com>
To: Paul Moore <paul.moore@hp.com>
Cc: Daniel J Walsh <dwalsh@redhat.com>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: selinux and sctp
Date: Wed, 27 May 2009 17:39:55 +0100
Message-ID: <4A1D6CDB.5030905@btconnect.com>
In-Reply-To: <200905261832.44705.paul.moore@hp.com>
On 05/26/2009 11:32 PM, Paul Moore wrote:
> On Monday 25 May 2009 07:16:06 am Daniel J Walsh wrote:
>
>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>
>>> Hi,
>>>
>>> Does selinux understand sctp?
>>>
>>> When I run (for example)
>>>
>>> sctp_darn -H 0 -P 9876 -l
>>>
>>> It results in an avc denial message which tells me the target object is
>>> of type None[rawip_socket]
>>>
>>> Also semanage port -l shows only udp and tcp
>>>
>>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>>> same results
>>>
>
> Hi Nigel,
>
> Can you send us the AVC denial messages? If you are running a recent kernel
> (F11/Rawhide should qualify and F10 will likely as well) there should only be
> a handful of areas where you should be hitting transport protocol specific
> code that isn't SCTP aware in the kernel, it would be nice to verify that so
> we could better identify what work needs to be done.
>
>
Certainly - here you are.
Summary
SELinux is preventing the sctp_darn (unconfined_t) from binding to port
9876.
Detailed Description
SELinux has denied the sctp_darn from binding to a network port 9876
which does not have an SELinux type associated with it. If sctp_darn is
supposed to be allowed to listen on this port, you can use the semanage
command to add this port to a port type that unconfined_t can bind to.
semanage port -l will list all port types. Please file a bug report
against the selinux-policy package. If sctp_darn is not supposed to bind
to this port, this could signal an intrusion attempt. If this system is
running as an NIS Client, turning on the allow_ypbind boolean may fix
the problem: setsebool -P allow_ypbind=1.
Allowing Access
If you want to allow sctp_darn to bind to this port semanage port -a -t
PORT_TYPE -p PROTOCOL 9876 Where PORT_TYPE is a type that unconfined_t
can bind and PROTOCOL is udp or tcp.
Additional Information
Source Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context: system_u:object_r:port_t:s0
Target Objects: None [ rawip_socket ]
Source: sctp_darn
Source Path: /usr/bin/sctp_darn
Port: 9876
Host: bear.cwb.uk
Source RPM Packages: lksctp-tools-1.0.10-1.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-34.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: bind_ports
Host Name: bear.cwb.uk
Platform: Linux bear.cwb.uk 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12 10:44:27 EDT 2009 x86_64 x86_64
Alert Count: 1
First Seen: Fri May 22 07:46:59 2009
Last Seen: Fri May 22 07:46:59 2009
Local ID: 73919917-a2a5-409c-b29d-1eb84b1acc04
Line Numbers:
Raw Audit Messages :
node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied {
name_bind } for pid=14773 comm="sctp_darn" src=9876
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014):
arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10
a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51
comm="sctp_darn" exe="/usr/bin/sctp_darn"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
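The two raw audit records above, run through a small parser. This is an added example, not code from the thread, from lksctp-tools or from setroubleshoot: it joins the AVC record to its SYSCALL record by audit serial, decodes syscall 49 on arch c000003e as bind(2) returning EACCES, and reports whether `semanage port` (which labels tcp and udp ports only) can address the denial or whether, as here with tclass=rawip_socket, the bind was checked against the generic port_t label and port labelling cannot help. The httpd/tcp_socket record is constructed for contrast and is not from the thread; the x86_64 syscall table is a hand-picked subset.

```python
"""Explain SELinux name_bind denials from raw audit records.

Added example (not from the original thread). Input: audit lines as
printed by auditd/setroubleshoot, one record per line.
"""
import re

# Audit records are `key=value` pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')

# Socket classes whose ports semanage(8) can label, and the -p value for each.
PORT_LABELLED_CLASSES = {"tcp_socket": "tcp", "udp_socket": "udp"}

# Subset of the x86_64 syscall table (arch c000003e == AUDIT_ARCH_X86_64).
AUDIT_ARCH_X86_64 = 0xC000003E
X86_64_SYSCALLS = {41: "socket", 42: "connect", 49: "bind", 50: "listen"}

# The two records quoted in the message above, re-joined onto single lines,
# plus one CONSTRUCTED tcp_socket denial (not from the thread) for contrast.
SAMPLE_AUDIT = """\
node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied { name_bind } for pid=14773 comm="sctp_darn" src=9876 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10 a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51 comm="sctp_darn" exe="/usr/bin/sctp_darn" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1242974900.001:32020): avc: denied { name_bind } for pid=15001 comm="httpd" src=8123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""


def parse_record(line):
    """Turn one audit line into a dict, adding 'ts', 'serial' and 'perms'."""
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    m = _MSG_RE.search(line)
    if m:
        rec["ts"], rec["serial"] = m.group(1), m.group(2)
    d = _DENIED_RE.search(line)
    if d:
        rec["perms"] = d.group(1).split()
    return rec


def decode_syscall(sc):
    """Return (syscall name, errno) from a SYSCALL record; x86_64 table only."""
    if sc is None:
        return None, None
    arch = int(sc.get("arch", "0"), 16)
    num = int(sc.get("syscall", "-1"))
    name = X86_64_SYSCALLS.get(num) if arch == AUDIT_ARCH_X86_64 else None
    exit_code = int(sc.get("exit", "0"))
    errno = -exit_code if exit_code < 0 else None
    return name, errno


def explain(avc, sc=None):
    """Build a verdict for one name_bind AVC, using its SYSCALL record if present."""
    tclass = avc.get("tclass", "")
    port = avc.get("src")
    proto = PORT_LABELLED_CLASSES.get(tclass)
    sctx = avc.get("scontext", "")
    domain = sctx.split(":")[2] if sctx.count(":") >= 2 else sctx
    name, errno = decode_syscall(sc)
    if proto:
        advice = ("semanage port -a -t PORT_TYPE -p %s %s  (PORT_TYPE must be one "
                  "that %s may name_bind; list candidates with: semanage port -l)"
                  % (proto, port, domain))
    else:
        advice = ("tclass=%s: semanage port labels tcp/udp ports only, so it cannot "
                  "relabel port %s; the bind was checked against the generic %s label"
                  % (tclass, port, avc.get("tcontext")))
    return {
        "serial": avc.get("serial"),
        "comm": avc.get("comm"),
        "domain": domain,
        "port": port,
        "tclass": tclass,
        "protocol": proto,
        "syscall": name,
        "errno": errno,
        "fixable_by_semanage": proto is not None,
        "advice": advice,
    }


def analyse(lines):
    """Pair AVC and SYSCALL records by serial and explain every name_bind denial."""
    recs = [parse_record(l) for l in lines if l.strip()]
    syscalls = {r["serial"]: r for r in recs if r.get("type") == "SYSCALL" and "serial" in r}
    return [explain(r, syscalls.get(r.get("serial")))
            for r in recs
            if r.get("type") == "AVC" and "name_bind" in r.get("perms", [])]


if __name__ == "__main__":
    for v in analyse(SAMPLE_AUDIT.splitlines()):
        print("%s pid-serial %s: %s port %s via %s (errno %s)"
              % (v["comm"], v["serial"], v["tclass"], v["port"], v["syscall"], v["errno"]))
        print("  " + v["advice"])
```

Run it as `python3 avc_bind.py`, or feed real output from `ausearch -m AVC,SYSCALL -ts recent` to `analyse()`. The useful signal is the `tclass`: a port-aware class (tcp_socket, udp_socket) means the denial is about the port's label and `semanage port` is the right tool; any other class means the port label was never consulted the way you expect, and the fix lies in policy or the kernel, not in relabelling the port.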
Thread overview: 11+ messages
[not found] <4A191AAC.4000500@btconnect.com>
2009-05-25 11:16 ` selinux and sctp Daniel J Walsh
2009-05-25 13:01 ` Nigel Rumens
2009-05-26 0:18 ` Mark Webb
2009-05-27 16:25 ` Nigel Rumens
2009-05-26 11:38 ` Daniel J Walsh
2009-05-26 14:40 ` Stephen Smalley
2009-05-26 22:32 ` Paul Moore
2009-05-27 12:12 ` Stephen Smalley
2009-05-27 13:36 ` James Morris
2009-05-27 16:39 ` Nigel Rumens [this message]
2009-05-27 19:36 ` Paul Moore