Bug 389575

Summary:	sec-policy/selinux-miniupnpd MIA
Product:	Gentoo Linux	Reporter:	Nico Baggus <mlspamcb>
Component:	Hardened	Assignee:	SE Linux Bugs <selinux>
Status:	RESOLVED OBSOLETE
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Nico Baggus 2011-11-04 23:04:52 UTC

Missing ( items? in) a miniupnpd policy?


Reproducible: Always

Actual Results:  
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { create } for  pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
fi


appearantly the miniupnpd is missing in the selinux set..

Proposed fix:
---8<---
module miniupnpd 1.0;

require {
        type initrc_t;
        class rawip_socket { getopt create };
}

#============= initrc_t ==============
allow initrc_t self:rawip_socket { getopt create };

Comment 1 Nico Baggus 2011-11-04 23:14:04 UTC

With a restart of miniupnpd involved:
Some extra messages:
avc:  denied  { getopt } for  pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { name_bind } for  pid=7765 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { name_bind } for  pid=8070 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { read write } for  pid=8393 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { name_bind } for  pid=8441 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { read write } for  pid=8478 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { read write } for  pid=8537 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { name_bind } for  pid=8564 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { name_bind } for  pid=9177 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc:  denied  { module_request } for  pid=9177 comm="miniupnpd" kmod="netdev-ppp0" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system


module miniupnpd 1.0;

require {
        type kernel_t;
        type tty_device_t;
        type reserved_port_t;
        type initrc_t;
        type run_init_t;
        class tcp_socket name_bind;
        class system module_request;
        class chr_file { read write };
        class rawip_socket { getopt create };
}

============= initrc_t ==============
allow initrc_t kernel_t:system module_request;
allow initrc_t reserved_port_t:tcp_socket name_bind;
allow initrc_t self:rawip_socket { getopt create };

#============= run_init_t ==============
allow run_init_t tty_device_t:chr_file { read write };

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2011-11-05 16:24:15 UTC

There is no policy for miniupnpd yet, so that one still needs to be created.

Anyone up for this?

Comment 3 Nico Baggus 2012-04-03 21:50:45 UTC

I stopped using selinux, because it caused my system to more & more misbehave.
(amongst others vixie-cron) where all solutions i could find didn't help.
or broke it further. [ even in permissive mode, which is clearly NOT honorred in dbus & vixie-cron ] 
Not using permissive mode fails ppp, dibbler, openswan and a lot more ==> 
no more selinux atm. it causes much more harm than it potentialy solve.

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2012-04-05 15:47:40 UTC

Although the question is then still valid, unless someone else steps up, I consider this to be obsolete then. Don't hesitate to reopen if you want to try out SELinux again (and who knows by then, upstream has support for miniupnpd too?)