Message-Id: <1221155041.5347.35.camel@moss-terrapins.epoch.ncsc.mil>
Date:	Thu, 11 Sep 2008 13:44:01 -0400
From:	"David P. Quigley" <dpquigl@...ho.nsa.gov>
To:	Enrique Perez-Terron <enrio@...ine.no>
Cc:	linux-kernel@...r.kernel.org, fedora-selinux-list@...hat.com
Subject: Re: udp bind() fails with EACCESS when selinux enforcing, but no
	audit messages

I'm pretty sure this doesn't have anything to do with the kernel end but
is probably some sort of policy issue instead. I've CCed the
fedora-selinux list for an answer. The CC to linux-kernel should
probably be dropped from the reply there.

Dave

On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
> Fedora core 9 stock kernel 2.6.25.108 i586
> 
> Udp bind() fails with EACCESS when selinux enforcing, but no audit
> messages.
> 
> How to reproduce:
> 
> In startup scripts, configure rpc.statd to use the fixed port 34.
> This port does not occur in /etc/services
> (In /etc/sysconfig/nfs, STATD_PORT=34)
> 
> Write the following script, run it with bash -x.
> 
> #!/bin/bash
> 
> TESTDIR=/var/tmp/se-bind-test-$$
> mkdir "$TESTDIR"  # to hold about 50 files
> cd "$TESTDIR"
> 
> # Stop NFS:
> service nfs stop
> service nfslock stop
> 
> # Gather some baseline data for easy comparison
> echo 1 > /selinux/enforce  # just in case
> dmesg                       > dmesg-enforc-before
> wc /var/log/audit/audit.log > audit-enforc-before
> 
> # This fails
> strace -o enforc -ff service nfslock start
> 
> # But no new messages in logs
> dmesg                       > dmesg-enforc-after
> wc /var/log/audit/audit.log > audit-enforc-after
> 
> # Try again in permissive mode
> echo 0 > /selinux/enforce
> dmesg                       > dmesg-nonenf-before
> wc /var/log/audit/audit.log > audit-nonenf-before
> 
> # Since this works, daemon starts, and strace hangs on
> # Need sigkill; sigint does not work. Why?
> (sleep 5; killall -9 strace) &
> strace -o nonenf -ff service nfslock start
> 
> # Just for symmetry
> dmesg                       > dmesg-nonenf-after
> wc /var/log/audit/audit.log > audit-nonenf-after
> 
> # Check that there are no audits.
> diff dmesg-enforc-before dmesg-enforc-after
> diff audit-enforc-before audit-enforc-after
> 
> # There are several other calls to bind() that are not prevented
> grep -E '^bind|^socket' enforc.*
> grep -E '^bind|^socket' nonenf.*
> 
> Regards
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

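The baseline-and-diff procedure from the quoted script, generalised, as an added example that is not part of either message in this thread. It snapshots the audit log by line count (so it still works while auditd is appending), extracts only the AVC records added by a probe command, reduces them to the source context / target context / class / permission tuple that decides which rule or port label is missing, and adds the check a practitioner reaches for when a denial produces no AVC record at all: rebuilding the policy with dontaudit rules disabled via `semodule -DB`, then restoring it with `semodule -B`. The availability of `semodule -DB` on the system, an auditd writing `/var/log/audit/audit.log`, and the `probe`/`demo` helper names are assumptions; the two audit records inside `demo` are constructed to show the record shape and are not the denial actually reported in the thread.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumes policycoreutils
# with `semodule -DB` (disable dontaudit rules and rebuild) and auditd
# logging to AUDIT_LOG. Must run as root on an SELinux host for --run.

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# snapshot_log FILE: current line count of FILE (0 if it does not exist).
snapshot_log() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# new_avc_lines FILE OFFSET: AVC denials appended to FILE after its first
# OFFSET lines. Same idea as the post's before/after wc+diff, by offset.
new_avc_lines() {
    tail -n +"$(( $2 + 1 ))" "$1" | grep -E 'type=AVC .*denied'
}

# avc_summary: reduce AVC records on stdin to
# "scontext tcontext tclass permissions", the fields that pick the rule.
avc_summary() {
    sed -nE 's/.*denied  \{ ([^}]*) \}.*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\2 \3 \4 \1/p'
}

# probe CMD...: run CMD, print the AVC records it generated, and return
# CMD's own exit status so the caller can tell "denied" from "logged".
probe() {
    local before rc
    before=$(snapshot_log "$AUDIT_LOG")
    "$@"
    rc=$?
    new_avc_lines "$AUDIT_LOG" "$before"
    return $rc
}

# demo: offline run of the log-side pipeline over two constructed audit
# records (assumption: not real log data) so the record shape is visible.
demo() {
    local f before
    f=$(mktemp)
    printf '%s\n' 'type=SYSCALL msg=audit(1.0:1): arch=40000003 syscall=102 success=yes exit=0' > "$f"
    before=$(snapshot_log "$f")
    printf '%s\n' 'type=AVC msg=audit(2.0:2): avc:  denied  { name_bind } for  pid=1234 comm="rpc.statd" src=34 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket' >> "$f"
    printf '%s\n' 'type=SYSCALL msg=audit(2.0:2): arch=40000003 syscall=102 success=no exit=-13' >> "$f"
    new_avc_lines "$f" "$before" | avc_summary
    rm -f "$f"
}

# Driver: `./script --run service nfslock start` on the SELinux host.
# Nothing here runs when the file is only sourced.
if [ "${1:-}" = --run ]; then
    shift
    setenforce 1
    out=$(probe "$@")
    rc=$?
    if [ "$rc" -ne 0 ] && [ -z "$out" ]; then
        echo "failed (rc=$rc) with no AVC record; retrying without dontaudit rules" >&2
        semodule -DB                 # rebuild policy with dontaudit disabled
        out=$(probe "$@")
        semodule -B                  # restore the normal policy
    fi
    printf '%s\n' "$out" | avc_summary
    # For a name_bind denial, the next question is how the port is labelled:
    #   semanage port -l | grep -w udp
fi
```

The summary line is what to take to the policy: the source domain, the port type it hit, the socket class and the permission. If the summary only appears after `semodule -DB`, the denial was being hidden by a dontaudit rule, which is exactly the case where a bind() fails with EACCES and the audit log stays quiet.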
