08-04-2008, 09:08 PM
Daniel Fazekas

linux-igd blocked by SELinux

The linux-igd package in Fedora 9 doesn't seem to function at all in
its default configuration with SELinux enabled.


It's a UPnP IGD implementation which calls iptables to automatically
add requested port forwarding DNAT entries to the nat table's
PREROUTING chain, and the filter table's FORWARD chain.


Two runs through audit2allow made me a module which allows it to
function, however, I'm worried whether the automatically generated
rules are sensible, or if it's even normal that a Fedora 9 package by
default just wouldn't work at all with SELinux enforcing on. Thanks
for any insight.

The upnpd runs as root.

The package versions:
linux-igd-1.0-5.fc9.i386
selinux-policy-targeted-3.3.1-79.fc9.noarch

Audit messages:
type=1400 audit(1217802519.747:3819): avc: denied { read write } for pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1217804575.392:3820): avc: denied { read write } for pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=1401 audit(1217811758.594:3828): security_compute_sid: invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process


The auto-generated module which allows it to function:
module myupnpd 1.0.1;

require {
type iptables_t;
type initrc_t;
type insmod_t;
role unconfined_r;
class tcp_socket { read write };
class udp_socket { read write };
}

#============= ROLES ==============
role unconfined_r types insmod_t;

#============= iptables_t ==============
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
08-05-2008, 01:22 PM
Daniel J Walsh

linux-igd blocked by SELinux

Daniel Fazekas wrote:
> The linux-igd package in Fedora 9 doesn't seem to function at all in its
> default configuration with SELinux enabled.
>
> It's a UPnP IGD implementation which calls iptables to automatically add
> requested port forwarding DNAT entries to the nat table's PREROUTING
> chain, and the filter table's FORWARD chain.
>
> Two runs through audit2allow made me a module which allows it to
> function, however, I'm worried whether the automatically generated rules
> are sensible, or if it's even normal that a Fedora 9 package by default
> just wouldn't work at all with SELinux enforcing on. Thanks for any
> insight.
> The upnpd runs as root.
>
> The package versions:
> linux-igd-1.0-5.fc9.i386
> selinux-policy-targeted-3.3.1-79.fc9.noarch
>
> Audit messages:
> type=1400 audit(1217802519.747:3819): avc: denied { read write } for pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
> type=1400 audit(1217804575.392:3820): avc: denied { read write } for pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> type=1401 audit(1217811758.594:3828): security_compute_sid: invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
>
> The auto-generated module which allows it to function:
> module myupnpd 1.0.1;
>
> require {
> type iptables_t;
> type initrc_t;
> type insmod_t;
> role unconfined_r;
> class tcp_socket { read write };
> class udp_socket { read write };
> }
>
> #============= ROLES ==============
> role unconfined_r types insmod_t;
>
> #============= iptables_t ==============
> allow iptables_t initrc_t:tcp_socket { read write };
> allow iptables_t initrc_t:udp_socket { read write };
These two are a leaked file descriptor from the daemon running as
initrc_t. These should be reported as a bug in this tool.

All open file descriptors should be closed before execing an application.

fcntl(fd, F_SETFD, FD_CLOEXEC)   /* the close-on-exec flag is spelled FD_CLOEXEC */

The role commands should be added, and I will fix F9 and Rawhide policy.

The

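The leak the reply describes, as an added example that is not code from the thread or from linux-igd: a UDP socket opened the way a daemon would (a constructed stand-in for upnpd's listener) is still open in a child program after exec unless FD_CLOEXEC was set on it first. It assumes a POSIX system with /bin/sh, which stands in for the iptables child; fd_survives_exec and run_scenario are names chosen here.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* The fix from the reply: mark fd close-on-exec so it is closed in any
 * program the daemon execs (iptables, in the thread). Returns 0 or -1. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Empirical check: fork, exec /bin/sh (standing in for iptables) and let
 * the child try to redirect onto fd; the shell exits 0 only if the
 * descriptor is still open after exec. Returns 1 if fd leaked, 0 if it
 * was closed, -1 on fork/wait failure. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Open a UDP socket as a daemon like upnpd would (constructed stand-in for
 * its listener), optionally apply the fix, and report whether the socket
 * survives an exec of a child program: 1 = leaked, 0 = closed, -1 = error. */
int run_scenario(int apply_fix)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || (apply_fix && mark_cloexec(fd) < 0))
        return -1;
    int leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}
```

run_scenario(0) reproduces the situation behind the two avc denials (the daemon's socket reaches iptables), and run_scenario(1) shows the descriptor gone once the flag is set.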