09-11-2008, 05:44 PM
"David P. Quigley"

udp bind() fails with EACCESS when selinux enforcing, but no audit messages

I'm pretty sure this doesn't have anything to do with the kernel end but
is probably some sort of policy issue instead. I've CCed the
fedora-selinux list for an answer. The CC to linux-kernel should
probably be dropped from the reply there.

Dave

On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
> Fedora core 9 stock kernel 2.6.25.108 i586
>
> Udp bind() fails with EACCESS when selinux enforcing, but no audit
> messages.
>
> How to reproduce:
>
> In startup scripts, configure rpc.statd to use the fixed port 34.
> This port does not occur in /etc/services
> (In /etc/sysconfig/nfs, STATD_PORT=34)
>
> Write the following script, run it with bash -x.
>
> #!/bin/bash
>
> TESTDIR=/var/tmp/se-bind-test-$$
> mkdir $TESTDIR # to hold about 50 files
> cd $TESTDIR
>
> # Stop NFS:
> service nfs stop
> service nfslock stop
>
> # Gather some baseline data for easy comparison
> echo 1 > /selinux/enforce # just in case
> dmesg > dmesg-enforc-before
> wc /var/log/audit/audit.log > audit-enforc-before
>
> # This fails
> strace -o enforc -ff service nfslock start
>
> # But no new messages in logs
> dmesg > dmesg-enforc-after
> wc /var/log/audit/audit.log > audit-enforc-after
>
> # Try again in permissive mode
> echo 0 > /selinux/enforce
> dmesg > dmesg-nonenf-before
> wc /var/log/audit/audit.log > audit-nonenf-before
>
> # Since this works, daemon starts, and strace hangs on
> # Need sigkill; sigint does not work. Why?
> (sleep 5; killall -9 strace) &
> strace -o nonenf -ff service nfslock start
>
> # Just for symmetry
> dmesg > dmesg-nonenf-after
> wc /var/log/audit/audit.log > audit-nonenf-after
>
> # Check that there are no audits.
> diff dmesg-enforc-before dmesg-enforc-after
> diff audit-enforc-before audit-enforc-after
>
> # There are several other calls to bind() that are not prevented
> grep -E '^bind|^socket' enforc.*
> grep -E '^bind|^socket' nonenf.*
>
> Regards
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
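The reproduction above shows the two facts a practitioner needs: the bind() fails only in enforcing mode, and the failure leaves no AVC record. That combination is the usual signature of a dontaudit rule in the loaded policy, not evidence that SELinux is uninvolved; and a port that appears in no explicit `semanage port -l` entry still carries a type from the catch-all port ranges. The helper below is an added example, not code from the original post, from Fedora, or from the SELinux userland: `port_type` looks a port up in `semanage port -l` style output (a constructed sample is embedded, with illustrative values), and `diagnose` strings the live-system steps together, assuming `getenforce`, `semanage`, `semodule -DB` (disables dontaudit rules; older policycoreutils may lack the option) and `ausearch` are present.

```sh
#!/bin/sh
# Added example (not part of the original post or of Fedora's SELinux tools):
# triage a UDP bind() that returns EACCES in enforcing mode, works in
# permissive mode, and leaves nothing in audit.log or dmesg.

# Constructed sample in the shape of `semanage port -l` output; the values
# are illustrative, not copied from any real policy.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
portmap_port_t                 udp      111
rpc_port_t                     udp      1024-1031
syslogd_port_t                 udp      514
http_port_t                    tcp      80, 443, 8080'

# port_type PORT PROTO   (listing read from stdin)
# Prints the SELinux port type whose entry covers PORT for PROTO, or
# "unlisted" when no explicit entry matches (the port then gets its type
# from the policy's catch-all port ranges, which this listing does not show).
port_type() {
    awk -v port="$1" -v proto="$2" '
        $2 == proto {
            type = $1
            # fields 3..NF are single ports or lo-hi ranges, comma separated
            for (i = 3; i <= NF; i++) {
                sub(/,$/, "", $i)               # strip a trailing comma
                n = split($i, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) {
                    print type
                    found = 1
                    exit                        # END still runs; found suppresses it
                }
            }
        }
        END { if (!found) print "unlisted" }'
}

# diagnose PORT [PROTO]
# Live-system steps; needs root and the SELinux tools, so it runs only when
# this script is given arguments.
diagnose() {
    port=$1
    proto=${2:-udp}
    echo "SELinux mode:        $(getenforce)"
    echo "port $port/$proto type: $(semanage port -l | port_type "$port" "$proto")"
    # A denial with no AVC means a dontaudit rule swallowed it. Disable the
    # dontaudit rules (assumed available as `semodule -DB`), reproduce the
    # bind(), read the AVC, then restore the rules with `semodule -B`.
    semodule -DB
    echo "dontaudit rules disabled: reproduce the bind() now, then run:"
    echo "  ausearch -m avc -ts recent | audit2allow"
    echo "  semodule -B      # re-enable dontaudit rules when finished"
}

if [ $# -ge 1 ]; then
    diagnose "$@"
fi
```

Once the AVC is visible it names the source domain, the port type and the `name_bind` permission; if the port is unlisted and the type is a catch-all reserved type, the fix is normally a port label (`semanage port -a -t <type the daemon is allowed to bind> -p udp 34`, with the type taken from the policy's allow rules rather than guessed) rather than a custom policy module.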