From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 17 Aug 2011 08:34:53 -0400
Subject: [refpolicy] [PATCH 1/1] Allow NFS daemon to listen on an UDP port
In-Reply-To: <4E4BAB20.1090007@redhat.com>
References: <20110813191106.GA19074@siphos.be> <4E4AC530.7000208@tresys.com> <4E4BAB20.1090007@redhat.com>
Message-ID: <4E4BB56D.6000701@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/17/2011 7:50 AM, Daniel J Walsh wrote:
> On 08/16/2011 11:58 PM, Sven Vermeulen wrote:
>> On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito wrote:
>>> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>>>> To support NFS over UDP, we should allow rpcd_t to listen on a
>>>> udp_socket.
>>>
>>> I'm confused. I don't see any UDP port binding for rpcd_t.
>>
>> It's pulled in through rpc_domain_template:
>>
>> rpc.te: rpc_domain_template(rpc) --> corenet_udp_bind_generic_port($1_t)
>>
>> To be honest, I'm also confused (but that's due to inexperience) why
>> listen isn't part of create_socket_perms. If one creates a socket &
>> binds to it, what cases are there that you don't listen on it? What
>> is the need for create_stream_socket_perms?

create_socket_perms is for connectionless sockets, and
create_stream_socket_perms is for connection-oriented sockets (e.g. TCP
and AF_UNIX/SOCK_STREAM [unix_stream_sockets]).

>> Considering that, the patch might be best within the
>> rpc_domain_template() template, considering that it currently reads:
>>
>> allow $1_t self:tcp_socket create_stream_socket_perms;
>> allow $1_t self:udp_socket create_socket_perms;
>>
>> so the second line might then be best changed to
>> create_stream_socket_perms. But I'll need to check first if this is
>> needed for nfsd_t and gssd_t too.
>
> You can probably dontaudit this call. You should not need to listen to
> udp sockets, you could consider this a bug in the kernel for reporting it.
>
> Doing a grep through Fedora policy I see
>
> ./kernel/domain.te: dontaudit domain self:udp_socket listen;
>
> Meaning we just added a rule to tell the system to ignore these bogus
> AVC messages.

It does sound like a bug, but I'd like to hear from the kernel guys. (cc'd)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
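The connectionless vs. connection-oriented distinction behind create_socket_perms and create_stream_socket_perms, as an added example that is not part of this thread or of refpolicy: a small C program binds a TCP and a UDP socket on loopback and then calls listen() on each. It assumes Linux; the function names are made up for this example.

```c
/* Added example (not from the refpolicy thread): a TCP socket is
 * connection-oriented and goes bind() -> listen() -> accept(), which is
 * what create_stream_socket_perms covers; a UDP socket is connectionless
 * and listen() on it is rejected by the protocol with EOPNOTSUPP, so
 * create_socket_perms has no reason to carry "listen".  On Linux the LSM
 * socket_listen hook runs before the protocol rejects the call, which is
 * how an AVC for udp_socket listen can still be logged.  Assumes Linux. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create an AF_INET socket of the given type, bind it to 127.0.0.1 on an
 * ephemeral port, then call listen().  Returns 0 if listen() succeeded,
 * otherwise the errno of the failing call. */
static int bind_then_listen(int type)
{
    int fd = socket(AF_INET, type, 0);
    if (fd < 0)
        return errno;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                 /* kernel picks a free port */

    int rc = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        rc = errno;
    else if (listen(fd, 1) < 0)
        rc = errno;                  /* EOPNOTSUPP for SOCK_DGRAM */
    close(fd);
    return rc;
}

/* Hypothetical helper names for this example. */
int tcp_listen_result(void) { return bind_then_listen(SOCK_STREAM); }
int udp_listen_result(void) { return bind_then_listen(SOCK_DGRAM); }

int main(void)
{
    printf("TCP: listen -> %s\n", strerror(tcp_listen_result()));
    printf("UDP: listen -> %s\n", strerror(udp_listen_result()));
    return 0;
}
```

Because the permission check fires before the protocol layer refuses the call, a dontaudit rule like the Fedora one quoted above hides the denial without granting anything a UDP socket could actually use.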