udp bind() fails with EACCESS when selinux enforcing, but no audit messages
-----BEGIN PGP SIGNED MESSAGE-----
David P. Quigley wrote:
> I'm pretty sure this doesn't have anything to do with the kernel end but
> is probably some sort of policy issue instead. I've CCed the
> fedora-selinux list for an answer. The CC to linux-kernel should
> probably be dropped from the reply there.
> On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
>> Fedora core 9 stock kernel 22.214.171.124 i586
>> Udp bind() fails with EACCESS when selinux enforcing, but no audit
>> How to reproduce:
>> In startup scripts, configure rpc.statd to use the fixed port 34.
>> This port does not occur in /etc/services
>> (In /etc/sysconfig/nfs, STATD_PORT=34)
>> Write the following script, run it with bash -x.
>> mkdir $TESTDIR # to hold about 50 files
>> cd $TESTDIR
>> # Stop NFS:
>> service nfs stop
>> service nfslock stop
>> # Gather some baseline data for easy comparison
>> echo 1 /selinux/enforce # just in case
>> dmesg > dmesg-enforc-before
>> wc /var/log/audit/audit.log > audit-enforc-before
>> # This fails
>> strace -o enforc -ff service nfslock start
>> # But no new messages in logs
>> dmesg > dmesg-enforc-after
>> wc /var/log/audit/audit.log > audit-enforc-after
>> # Try again in permissive mode
>> echo 0 /selinux/enforce
>> dmesg > dmesg-nonenf-before
>> wc /var/log/audit/audit.log > audit-nonenf-before
>> # Since this works, daemon starts, and strace hangs on
>> # Need sigkill; sigint does not work. Why?
>> (sleep 5; killall -9 strace) &
>> strace -o nonenf -ff service nfslock start
>> # Just for symmetry
>> dmesg > dmesg-nonenf-after
>> wc /var/log/audit/audit.log > audit-nonenf-after
>> # Check that there are no audits.
>> diff dmesg-enforc-before dmesg-enforc-after
>> diff audit-enforc-before audit-enforc-after
>> # There are several other calls to bind() that are not prevented
>> grep -E '^bind|^socket' enforc.*
>> grep -E '^bind|^socket' nonenf.*
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to firstname.lastname@example.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
> fedora-selinux-list mailing list
Will remove all dontaudit rules.
Then run your service script.
Will put them back.
You have yum -y upgrade selinux-policy*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org