Bug 389575 - sec-policy/selinux-miniupnpd MIA
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2011-11-04 23:04 UTC by Nico Baggus
Modified: 2012-04-05 15:47 UTC (History)
Description Nico Baggus 2011-11-04 23:04:52 UTC
Missing ( items? in) a miniupnpd policy?


Reproducible: Always

Actual Results:  
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket


Apparently miniupnpd is missing from the SELinux set.

Proposed fix:
---8<---
module miniupnpd 1.0;

require {
        type initrc_t;
        class rawip_socket { getopt create };
}

#============= initrc_t ==============
allow initrc_t self:rawip_socket { getopt create };
Comment 1 Nico Baggus 2011-11-04 23:14:04 UTC
With a restart of miniupnpd involved:
Some extra messages:
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { name_bind } for  pid=7765 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { name_bind } for  pid=8070 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { read write } for  pid=8393 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { name_bind } for  pid=8441 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { read write } for  pid=8478 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { read write } for  pid=8537 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { name_bind } for  pid=8564 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { name_bind } for  pid=9177 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { module_request } for  pid=9177 comm="miniupnpd" kmod="netdev-ppp0" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system


module miniupnpd 1.0;

require {
        type kernel_t;
        type tty_device_t;
        type reserved_port_t;
        type initrc_t;
        type run_init_t;
        class tcp_socket name_bind;
        class system module_request;
        class chr_file { read write };
        class rawip_socket { getopt create };
}

#============= initrc_t ==============
allow initrc_t kernel_t:system module_request;
allow initrc_t reserved_port_t:tcp_socket name_bind;
allow initrc_t self:rawip_socket { getopt create };

#============= run_init_t ==============
allow run_init_t tty_device_t:chr_file { read write };
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-05 16:24:15 UTC
There is no policy for miniupnpd yet, so that one still needs to be created.

Anyone up for this?
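As an added example, not code from the bug report, from Gentoo's policy or from upstream: the modules pasted in the description and in comment 1 are what audit2allow produces when you feed it the denials, and they all widen the shared initrc_t domain. The sketch below does the same parsing and aggregation, but can write the rules against a dedicated miniupnpd_t domain declared in the module, and it marks the rules a policy author should look at twice (the run_init_t/tty0 denial comes from the init script being run from a terminal, reserved_port_t covers every otherwise unassigned port below 1024, and module_request lets the domain trigger kernel module autoloading). The domain name miniupnpd_t, the review heuristics and the sample input (a de-duplicated copy of the AVC lines posted above) are assumptions of this sketch; a usable domain also needs an entry point, file contexts and a domain transition from initrc_t, which it does not generate.

```python
import re
from collections import defaultdict

# Constructed sample input: a de-duplicated copy of the AVC lines posted in
# this bug (pids and inode numbers as in the report).
SAMPLE_AVC = """\
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { name_bind } for  pid=7765 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { read write } for  pid=8393 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { module_request } for  pid=9177 comm="miniupnpd" kmod="netdev-ppp0" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """A context is user:role:type[:range]; the type is the third field."""
    return ctx.split(':')[2]


def parse_avc(text):
    """One (source_type, target_type, tclass, perms) tuple per denial line."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append((context_type(m['scontext']), context_type(m['tcontext']),
                            m['tclass'], frozenset(m['perms'].split())))
    return records


def aggregate(records):
    """Merge permissions per (source, target, class) key, as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in records:
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def review_note(src, tgt, cls, perms):
    """Heuristics (assumed here) flagging rules not to paste in unexamined."""
    if src == 'run_init_t':
        return ('logged against run_init_t, i.e. the init script being run from a '
                'terminal, not the daemon; it does not belong in the miniupnpd module')
    if tgt == 'reserved_port_t' and 'name_bind' in perms:
        return ('reserved_port_t is the catch-all label for otherwise unassigned ports '
                'below 1024; binding to it allows any such port, a dedicated port type is tighter')
    if cls == 'system' and 'module_request' in perms:
        return ('lets the domain trigger kernel module autoloading (here for netdev-ppp0); '
                'allow it deliberately or ensure the interface exists before the daemon starts')
    return None


def _perm_str(perms):
    return next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'


def build_module(rules, name='miniupnpd', version='1.0', new_domain=None, from_type='initrc_t'):
    """Render a TE module. With new_domain set, rules logged against from_type are
    rewritten for a fresh domain declared here instead of widening the shared
    initrc_t domain. Entry point, file contexts and the domain transition are
    deliberately not generated."""
    remap = {from_type: new_domain} if new_domain else {}
    req_types, req_classes, body = set(), defaultdict(set), []
    for (src, tgt, cls), perms in sorted(rules.items()):
        s, t = remap.get(src, src), remap.get(tgt, tgt)
        req_types.update(x for x in (s, t) if x != new_domain)
        req_classes[cls] |= perms
        note = review_note(src, tgt, cls, perms)
        if note:
            body.append(f'# review: {note}')
        body.append(f'allow {s} {"self" if s == t else t}:{cls} {_perm_str(perms)};')
    out = [f'module {name} {version};', '', 'require {']
    if new_domain:
        out.append('\tattribute domain;')
    out += [f'\ttype {x};' for x in sorted(req_types)]
    out += [f'\tclass {cls} {_perm_str(perms)};' for cls, perms in sorted(req_classes.items())]
    out.append('}')
    if new_domain:
        out += ['', f'type {new_domain};', f'typeattribute {new_domain} domain;']
    out += [''] + body
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_module(aggregate(parse_avc(SAMPLE_AVC)), new_domain='miniupnpd_t'))
```

Run it as is to get the dedicated-domain variant; call build_module(rules) without new_domain to reproduce the initrc_t version posted in comment 1. Either output is plain module language, so it can be checked with checkmodule -M -m before any semodule_package step.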
Comment 3 Nico Baggus 2012-04-03 21:50:45 UTC
I stopped using SELinux, because it caused my system to misbehave more and more.
(amongst others vixie-cron) where all solutions I could find didn't help,
or broke it further. [ even in permissive mode, which is clearly NOT honored in dbus & vixie-cron ]
Not using permissive mode fails ppp, dibbler, openswan and a lot more ==>
no more SELinux atm. It causes much more harm than it potentially solves.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-05 15:47:40 UTC
Although the question is then still valid, unless someone else steps up, I consider this to be obsolete then. Don't hesitate to reopen if you want to try out SELinux again (and who knows by then, upstream has support for miniupnpd too?)