From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 17 Aug 2011 07:50:56 -0400
Subject: [refpolicy] [PATCH 1/1] Allow NFS daemon to listen on an UDP port
In-Reply-To:
References: <20110813191106.GA19074@siphos.be> <4E4AC530.7000208@tresys.com>
Message-ID: <4E4BAB20.1090007@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/16/2011 11:58 PM, Sven Vermeulen wrote:
> On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito wrote:
>> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>>> To support NFS over UDP, we should allow rpcd_t to listen on a
>>> udp_socket.
>>
>> I'm confused. I don't see any UDP port binding for rpcd_t.
>
> It's pulled in through rpc_domain_template:
>
> rpc.te: rpc_domain_template(rpc) --> corenet_udp_bind_generic_port($1_t)
>
> To be honest, I'm also confused (but that's due to inexperience) why
> listen isn't part of create_socket_perms. If one creates a socket &
> binds to it, what cases are there that you don't listen on it? What
> is the need for create_stream_socket_perms?
>
> Considering that, the patch might be best within the
> rpc_domain_template() template, considering that it currently reads:
>
> allow $1_t self:tcp_socket create_stream_socket_perms;
> allow $1_t self:udp_socket create_socket_perms;
>
> so the second line might then be best changed to
> create_stream_socket_perms. But I'll need to check first if this is
> needed for nfsd_t and gssd_t too.
>
> Wkr,
> Sven Vermeulen
>
> PS Sorry Christopher for remailing, got the wrong To again. Heh.

You can probably dontaudit this call. You should not need to listen to
udp sockets; you could consider this a bug in the kernel for reporting it.

Doing a grep through Fedora policy I see

./kernel/domain.te: dontaudit domain self:udp_socket listen;

Meaning we just added a rule to tell the system to ignore these bogus
AVC messages.
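As an added example (not from this thread, and not refpolicy or Fedora policy code), a small Python triage script that reads AVC denial records of the kind found in audit.log and separates the bogus udp_socket { listen } self-denials that the domain.te dontaudit rule covers from denials that still need a real policy decision. The audit lines, pids and comm values below are constructed for the example.

```python
import re

# Constructed sample audit records (not real logs): two spurious udp_socket
# listen denials on the domain's own socket, plus one genuine name_bind denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1313511056.123:456): avc:  denied  { listen } for  pid=1234 comm="rpc.statd" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=udp_socket
type=AVC msg=audit(1313511057.456:457): avc:  denied  { name_bind } for  pid=1234 comm="rpc.statd" src=662 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1313511058.789:458): avc:  denied  { listen } for  pid=2222 comm="rpc.mountd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=udp_socket
"""


def parse_avc(line):
    """Parse one AVC denial into its permission set, source domain, target type and class."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    # Every remaining token of interest is key=value; the third colon-separated
    # field of a context is its type (rpcd_t, port_t, ...).
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {
        "perms": set(m.group(1).split()),
        "sdom": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def suggest_rule(rec):
    """Map a denial to the response discussed in the thread.

    A udp_socket { listen } denial on the domain's own socket is bogus (UDP never
    listens, the kernel just reports the check), so the answer is a dontaudit rule
    rather than an allow. Anything else is emitted as a candidate for human review,
    never applied blindly.
    """
    target = "self" if rec["ttype"] == rec["sdom"] else rec["ttype"]
    if rec["tclass"] == "udp_socket" and rec["perms"] == {"listen"} and target == "self":
        return "dontaudit", f"dontaudit {rec['sdom']} self:udp_socket listen;"
    perms = " ".join(sorted(rec["perms"]))
    return "review", f"allow {rec['sdom']} {target}:{rec['tclass']} {{ {perms} }};"


def triage(log_text):
    """Return {'dontaudit': [rules], 'review': [rules]} for a log, deduplicated, in order seen."""
    out = {"dontaudit": [], "review": []}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            kind, rule = suggest_rule(rec)
            if rule not in out[kind]:
                out[kind].append(rule)
    return out


if __name__ == "__main__":
    for kind, rules in triage(SAMPLE_AUDIT_LOG).items():
        print(kind + ":", *rules, sep="\n  ")
```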