Old 09-11-2008, 06:20 PM
Daniel J Walsh
 
udp bind() fails with EACCES when selinux enforcing, but no audit messages

David P. Quigley wrote:
> I'm pretty sure this doesn't have anything to do with the kernel end but
> is probably some sort of policy issue instead. I've CCed the
> fedora-selinux list for an answer. The CC to linux-kernel should
> probably be dropped from the reply there.
>
> Dave
>
> On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
>> Fedora core 9 stock kernel 2.6.25.108 i586
>>
>> UDP bind() fails with EACCES when SELinux is enforcing, but there are no audit
>> messages.
>>
>> How to reproduce:
>>
>> In startup scripts, configure rpc.statd to use the fixed port 34.
>> This port does not occur in /etc/services
>> (In /etc/sysconfig/nfs, STATD_PORT=34)
>>
>> Write the following script, run it with bash -x.
>>
>> #!/bin/bash
>>
>> # Scratch directory for the strace output and log snapshots
>> TESTDIR=/var/tmp/se-bind-test-$$
>> mkdir "$TESTDIR" # to hold about 50 files
>> cd "$TESTDIR" || exit 1
>>
>> # Stop NFS:
>> service nfs stop
>> service nfslock stop
>>
>> # Gather some baseline data for easy comparison
>> echo 1 > /selinux/enforce # just in case
>> dmesg > dmesg-enforc-before
>> wc /var/log/audit/audit.log > audit-enforc-before
>>
>> # This fails
>> strace -o enforc -ff service nfslock start
>>
>> # But no new messages in logs
>> dmesg > dmesg-enforc-after
>> wc /var/log/audit/audit.log > audit-enforc-after
>>
>> # Try again in permissive mode
>> echo 0 > /selinux/enforce
>> dmesg > dmesg-nonenf-before
>> wc /var/log/audit/audit.log > audit-nonenf-before
>>
>> # Since this works, daemon starts, and strace hangs on
>> # Need sigkill; sigint does not work. Why?
>> (sleep 5; killall -9 strace) &
>> strace -o nonenf -ff service nfslock start
>>
>> # Just for symmetry
>> dmesg > dmesg-nonenf-after
>> wc /var/log/audit/audit.log > audit-nonenf-after
>>
>> # Check that there are no audits.
>> diff dmesg-enforc-before dmesg-enforc-after
>> diff audit-enforc-before audit-enforc-after
>>
>> # There are several other calls to bind() that are not prevented
>> grep -E '^bind|^socket' enforc.*
>> grep -E '^bind|^socket' nonenf.*
>>
>> Regards
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

semodule -DB

Will remove all dontaudit rules.

Then run your service script.

semodule -B

Will put them back.

You have yum -y upgrade selinux-policy*

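The semodule -DB / semodule -B procedure from the reply above, as an added example that is not code from the thread: it restores the dontaudit rules even when the service command fails, and reports only the AVC denials the audit log gained during the run. The audit.log path is the Fedora default, and the sample log inside demo_constructed_log is constructed for illustration (its contexts are guesses, not a real capture).

```shell
#!/bin/bash
# Added example, not from the thread: wrap "semodule -DB ... semodule -B" so
# dontaudit rules are always restored, and show which AVC denials appeared
# while the command ran. The sample audit.log below is constructed.

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# Print AVC denials found after the first $2 lines of log $1, one per line:
# "scontext tcontext tclass permissions". Same idea as the original script's
# "wc before / wc after", but reporting the content of the new lines.
new_avc_denials() {
    local log=$1 skip=$2
    tail -n +"$((skip + 1))" "$log" |
        grep -E '^type=AVC .*avc: +denied' |
        sed -E 's/.*denied +\{ *([^}]*[^} ]) *\}.*scontext=([^ ]+) +tcontext=([^ ]+) +tclass=([^ ]+).*/\2 \3 \4 \1/'
}

# Disable dontaudit rules, run the command, restore the rules whether or not
# the command succeeded, then list the denials recorded during the run.
run_with_dontaudit_disabled() {
    local before rc
    before=$(wc -l < "$AUDIT_LOG")
    semodule -DB || return 1        # rebuild policy without dontaudit rules
    "$@"
    rc=$?
    semodule -B                     # put the dontaudit rules back
    echo "AVC denials recorded while running: $*" >&2
    new_avc_denials "$AUDIT_LOG" "$before"
    return "$rc"
}

# Self-check on a constructed audit.log: the denial that predates the run
# (line 1) must be skipped; the denial logged during the run must be reported.
demo_constructed_log() {
    local tmp
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
type=AVC msg=audit(1221150000.001:450): avc:  denied  { name_bind } for  pid=900 comm="other" src=5555 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1221150000.200:456): arch=40000003 syscall=102 success=no exit=-13 comm="rpc.statd"
type=AVC msg=audit(1221150000.200:456): avc:  denied  { name_bind } for  pid=2345 comm="rpc.statd" src=34 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
EOF
    new_avc_denials "$tmp" 1        # pretend line 1 existed before the run
    rm -f "$tmp"
}
```

Invoke it as `run_with_dontaudit_disabled service nfslock start` on the affected host; the reported scontext/tcontext/tclass line is what you would feed to audit2allow or compare against the policy.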