Selinux in FC4 is blocking SCTP [PATCH RFC]
Stephen Smalley
sds at epoch.ncsc.mil
Fri Sep 30 15:13:38 UTC 2005
On Fri, 2005-09-30 at 02:49 -0400, James Morris wrote:
> Please review the following patch.
>
> It changes the SELinux IP socket classification logic, which is currently
> broken (well, out of date), so that an IPPROTO_IP protocol value passed to
> socket(2) classifies the socket as TCP or UDP. Currently, a SOCK_STREAM
> with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET.
> With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the
> generic IP socket class.
>
> The patch also drops the check for SOCK_RAW and converts it into a
> default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are
> classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).
>
> This now causes all SCTP sockets to be classified as
> SECCLASS_RAWIP_SOCKET.
>
> This patch also unifies the way IP socket classes are determined in
> selinux_socket_bind(), so we use the already calculated value instead of
> trying to recalculate it (which can lead to inconsistencies).
>
> To get SCTP working now in targeted policy, permissions for the
> rawip_socket class need to be added to unconfined_domain:
>
> avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339
> scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t
> tclass=rawip_socket
>
> (that should be it, I think).
>
> Comments?
>
> ---
>
> security/selinux/hooks.c | 30 ++++++++++++++++++++++++------
> 1 files changed, 24 insertions(+), 6 deletions(-)
Looks good.
Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
--
Stephen Smalley
National Security Agency
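The classification change discussed in the quoted mail, as an added userspace model (not the kernel's hooks.c code): old_classify() reproduces the pre-patch behaviour as the mail describes it and new_classify() the post-patch behaviour, so one can check which object class a given socket(2) call lands in. The enum values and the assumption that pre-patch SOCK_DGRAM mapped to udp_socket are constructed here.

```c
/* Added example modelling the socket-class selection described in the mail.
 * Not the kernel's code; enum values and old_classify() are constructed. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>

#ifndef SOCK_DCCP
#define SOCK_DCCP 6        /* Linux value; fallback if this libc lacks it */
#endif
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif

enum sec_class {           /* constructed stand-ins for the kernel SECCLASS_* ids */
	SECCLASS_SOCKET, SECCLASS_TCP_SOCKET, SECCLASS_UDP_SOCKET, SECCLASS_RAWIP_SOCKET
};

/* Pre-patch: protocol is ignored; any SOCK_STREAM is tcp_socket, SOCK_RAW is
 * rawip_socket, and other types (SEQPACKET, DCCP) fall to the generic class. */
static enum sec_class old_classify(int family, int type, int protocol)
{
	(void)protocol;
	if (family != PF_INET && family != PF_INET6)
		return SECCLASS_SOCKET;
	switch (type) {
	case SOCK_STREAM: return SECCLASS_TCP_SOCKET;
	case SOCK_DGRAM:  return SECCLASS_UDP_SOCKET;   /* assumed analogous to stream */
	case SOCK_RAW:    return SECCLASS_RAWIP_SOCKET;
	default:          return SECCLASS_SOCKET;
	}
}

/* Post-patch: only IPPROTO_IP (the default) or the matching protocol yields
 * tcp/udp_socket; everything else, including SCTP, becomes rawip_socket. */
static enum sec_class new_classify(int family, int type, int protocol)
{
	if (family != PF_INET && family != PF_INET6)
		return SECCLASS_SOCKET;
	switch (type) {
	case SOCK_STREAM:
		return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP)
			? SECCLASS_TCP_SOCKET : SECCLASS_RAWIP_SOCKET;
	case SOCK_DGRAM:
		return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP)
			? SECCLASS_UDP_SOCKET : SECCLASS_RAWIP_SOCKET;
	default:           /* SOCK_RAW, SOCK_SEQPACKET, SOCK_DCCP, ... */
		return SECCLASS_RAWIP_SOCKET;
	}
}
```

An SCTP one-to-one socket (SOCK_STREAM, IPPROTO_SCTP) therefore moves from tcp_socket to rawip_socket, which is why the quoted AVC denial reports tclass=rawip_socket and why the policy needs rawip_socket permissions.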