linux-igd blocked by SELinux
Daniel J Walsh
dwalsh at redhat.com
Tue Aug 5 13:22:25 UTC 2008
Daniel Fazekas wrote:
> The linux-igd package in Fedora 9 doesn't seem to function at all in its
> default configuration with SELinux enabled.
>
> It's a UPnP IGD implementation which calls iptables to automatically add
> requested port forwarding DNAT entries to the nat table's PREROUTING
> chain, and the filter table's FORWARD chain.
>
> Two runs through audit2allow made me a module which allows it to
> function, however, I'm worried whether the automatically generated rules
> are sensible, or if it's even normal that a Fedora 9 package by default
> just wouldn't work at all with SELinux enforcing on. Thanks for any
> insight.
> The upnpd runs as root.
>
> The package versions:
> linux-igd-1.0-5.fc9.i386
> selinux-policy-targeted-3.3.1-79.fc9.noarch
>
> Audit messages:
> type=1400 audit(1217802519.747:3819): avc: denied { read write } for
> pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770
> scontext=unconfined_u:system_r:iptables_t:s0
> tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
> type=1400 audit(1217804575.392:3820): avc: denied { read write } for
> pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769
> scontext=unconfined_u:system_r:iptables_t:s0
> tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> type=1401 audit(1217811758.594:3828): security_compute_sid: invalid
> context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
>
> The auto-generated module which allows it to function:
> module myupnpd 1.0.1;
>
> require {
> type iptables_t;
> type initrc_t;
> type insmod_t;
> role unconfined_r;
> class tcp_socket { read write };
> class udp_socket { read write };
> }
>
> #============= ROLES ==============
> role unconfined_r types insmod_t;
>
> #============= iptables_t ==============
> allow iptables_t initrc_t:tcp_socket { read write };
> allow iptables_t initrc_t:udp_socket { read write };
These two are a leaked file descriptor from the daemon running as
initrc_t. These should be reported as a bug in this tool.
All open file descriptors should be closed before execing an application
fcntl(fd, F_SETFD, FD_CLOEXEC)
The role commands should be added, and I will fix F9 and Rawhide policy.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
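The leaked-descriptor problem Dan describes, as an added example that is not code from the thread or from linux-igd: a daemon opens a UDP socket, then forks and execs a helper (here /bin/sh stands in for iptables, and the child only tries to duplicate the inherited descriptor, which succeeds only if it is still open after exec). Without FD_CLOEXEC the socket is inherited by the child, which is exactly what produces an AVC denial like the ones quoted above when the child runs in a different SELinux domain than its parent; with the fcntl() call from the reply the descriptor is closed at exec time. It assumes a Linux host with /bin/sh available.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a UDP socket the way a careless daemon would: no close-on-exec flag,
 * so every child it execs inherits it. */
int open_udp_leaky(void)
{
    return socket(AF_INET, SOCK_DGRAM, 0);
}

/* Same socket, marked close-on-exec with fcntl(fd, F_SETFD, FD_CLOEXEC).
 * (On Linux 2.6.27+ socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0) does this
 * atomically and avoids the window between socket() and fcntl() in threaded
 * programs; the two-step form is shown because it works on any open fd.) */
int open_udp_cloexec(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fork, exec /bin/sh (standing in for iptables) and report whether fd is
 * still open in the exec'd child: 1 = leaked, 0 = closed at exec, -1 = error.
 * The child runs "exec 9<&N", which dup2()s fd N and therefore only succeeds
 * (exit status 0) if N survived the exec. */
int leaks_across_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int leaky = open_udp_leaky();
    int safe = open_udp_cloexec();
    printf("leaky socket: cloexec=%d leaks_across_exec=%d\n",
           has_cloexec(leaky), leaks_across_exec(leaky));
    printf("cloexec socket: cloexec=%d leaks_across_exec=%d\n",
           has_cloexec(safe), leaks_across_exec(safe));
    close(leaky);
    close(safe);
    return 0;
}
```

The same check works from outside the program: ls -l /proc/PID/fd on the running helper (iptables in the original report) shows any socket: entries it inherited, and the inode number there matches the ino= field in the AVC message.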