linux-igd blocked by SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Aug 5 13:22:25 UTC 2008


Daniel Fazekas wrote:
> The linux-igd package in Fedora 9 doesn't seem to function at all in its
> default configuration with SELinux enabled.
> 
> It's a UPnP IGD implementation which calls iptables to automatically add
> requested port forwarding DNAT entries to the nat table's PREROUTING
> chain, and the filter table's FORWARD chain.
> 
> Two runs through audit2allow made me a module which allows it to
> function, however, I'm worried whether the automatically generated rules
> are sensible, or if it's even normal that a Fedora 9 package by default
> just wouldn't work at all with SELinux enforcing on. Thanks for any
> insight.
> The upnpd runs as root.
> 
> The package versions:
> linux-igd-1.0-5.fc9.i386
> selinux-policy-targeted-3.3.1-79.fc9.noarch
> 
> Audit messages:
> type=1400 audit(1217802519.747:3819): avc:  denied  { read write } for 
> pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770
> scontext=unconfined_u:system_r:iptables_t:s0
> tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
> type=1400 audit(1217804575.392:3820): avc:  denied  { read write } for 
> pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769
> scontext=unconfined_u:system_r:iptables_t:s0
> tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
> type=1401 audit(1217811758.594:3828): security_compute_sid:  invalid
> context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
> 
> The auto-generated module which allows it to function:
> module myupnpd 1.0.1;
> 
> require {
>     type iptables_t;
>     type initrc_t;
>     type insmod_t;
>     role unconfined_r;
>     class tcp_socket { read write };
>     class udp_socket { read write };
> }
> 
> #============= ROLES ==============
> role unconfined_r types insmod_t;
> 
> #============= iptables_t ==============
> allow iptables_t initrc_t:tcp_socket { read write };
> allow iptables_t initrc_t:udp_socket { read write };
These two are a leaked file descriptor from the daemon running as
initrc_t.  These should be reported as a bug in this tool.

All open file descriptors should be closed before execing an application

fcntl(fd, F_SETFD, FD_CLOEXEC)

The role commands should be added, and I will fix F9 and Rawhide policy.

The
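An added example, not code from this thread or from linux-igd, showing the fix Dan describes: the daemon marks its sockets close-on-exec before spawning iptables, and a throwaway child is used to check whether the descriptor still leaks across exec. It assumes a POSIX system with /bin/sh; the UDP socket is a constructed stand-in for upnpd's own listener.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec so a helper the daemon spawns (iptables, for upnpd)
 * does not inherit it. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Probe: fork, exec /bin/sh and let it dup fd, which fails if fd was closed
 * on exec. Returns 1 if the child inherited fd (a leak), 0 if not, -1 if
 * the probe cannot run here (no fork or no /bin/sh). */
int child_inherits(int fd)
{
    char cmd[32];
    int status;
    snprintf(cmd, sizeof cmd, "exec 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Constructed demo: a UDP socket standing in for the daemon's listener.
 * Returns 1 if it leaks before set_cloexec() and not after, 0 otherwise,
 * -1 if the socket or the probe cannot be created in this environment. */
int demo_leak_fixed(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int before = child_inherits(fd);
    int after = set_cloexec(fd) == 0 ? child_inherits(fd) : -1;
    close(fd);
    return (before < 0 || after < 0) ? -1 : (before == 1 && after == 0);
}
```

With the flag set, iptables started by the daemon no longer holds the initrc_t sockets, so the two udp_socket/tcp_socket denials above never occur and no allow rule for them is needed.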