lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 11 Sep 2008 17:34:40 +0200
From:	Enrique Perez-Terron <enrio@...ine.no>
To:	linux-kernel@...r.kernel.org
Subject: udp bind() fails with EACCESS when selinux enforcing, but no audit
	messages

Fedora core 9 stock kernel 2.6.25.108 i586

Udp bind() fails with EACCESS when selinux enforcing, but no audit
messages.

How to reproduce:

In startup scripts, configure rpc.statd to use the fixed port 34.
This port does not occur in /etc/services
(In /etc/sysconfig/nfs, STATD_PORT=34)

Write the following script, run it with bash -x.

#!/bin/bash

TESTDIR=/var/tmp/se-bind-test-$$
mkdir $TESTDIR  # to hold about 50 files
cd $TESTDIR

# Stop NFS:
service nfs stop
service nfslock stop

# Gather some baseline data for easy comparison
echo 1 /selinux/enforce  # just in case
dmesg                       > dmesg-enforc-before
wc /var/log/audit/audit.log > audit-enforc-before

# This fails
strace -o enforc -ff service nfslock start

# But no new messages in logs
dmesg                       > dmesg-enforc-after
wc /var/log/audit/audit.log > audit-enforc-after

# Try again in permissive mode
echo 0 /selinux/enforce
dmesg                       > dmesg-nonenf-before
wc /var/log/audit/audit.log > audit-nonenf-before

# Since this works, daemon starts, and strace hangs on
# Need sigkill; sigint does not work. Why?
(sleep 5; killall -9 strace) &
strace -o nonenf -ff service nfslock start

# Just for symmetry
dmesg                       > dmesg-nonenf-after
wc /var/log/audit/audit.log > audit-nonenf-after

# Check that there are no audits.
diff dmesg-enforc-before dmesg-enforc-after
diff audit-enforc-before audit-enforc-after

# There are several other calls to bind() that are not prevented
grep -E '^bind|^socket' enforc.*
grep -E '^bind|^socket' nonenf.*

Regards

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ