From: paul@paul-moore.com (Paul Moore)
Date: Wed, 17 Aug 2011 17:48:01 -0400
Subject: [refpolicy] [PATCH 1/1] Allow NFS daemon to listen on an UDP port
In-Reply-To: <4E4BB56D.6000701@tresys.com>
References: <20110813191106.GA19074@siphos.be> <4E4AC530.7000208@tresys.com> <4E4BAB20.1090007@redhat.com> <4E4BB56D.6000701@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 17, 2011 at 8:34 AM, Christopher J. PeBenito wrote:
> On 8/17/2011 7:50 AM, Daniel J Walsh wrote:
>> On 08/16/2011 11:58 PM, Sven Vermeulen wrote:
>>> On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito wrote:
>>>> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>>>>> To support NFS over UDP, we should allow rpcd_t to listen on a
>>>>> udp_socket.
>>>>
>>>> I'm confused. I don't see any UDP port binding for rpcd_t.
>>>
>>> It's pulled in through rpc_domain_template:
>>>
>>> rpc.te: rpc_domain_template(rpc) -->
>>> corenet_udp_bind_generic_port($1_t)
>>>
>>> To be honest, I'm also confused (but that's due to inexperience) why
>>> listen isn't part of create_socket_perms. If one creates a socket &
>>> binds to it, what cases are there that you don't listen on it? What
>>> is the need for create_stream_socket_perms?
>
> create_socket_perms is for connectionless sockets, and
> create_stream_socket_perms is for connection-oriented sockets (e.g. TCP and
> AF_UNIX/SOCK_STREAM [unix_stream_sockets]).
>
>>> Considering that, the patch might be best within the
>>> rpc_domain_template() template, considering that it currently reads:
>>>
>>> allow $1_t self:tcp_socket create_stream_socket_perms;
>>> allow $1_t self:udp_socket create_socket_perms;
>>>
>>> so the second line might then be best changed to
>>> create_stream_socket_perms. But I'll need to check first if this is
>>> needed for nfsd_t and gssd_t too.
>
>> You can probably dontaudit this call. You should not need to listen to
>> udp sockets, you could consider this a bug in the kernel for reporting it.
>>
>> Doing a grep through Fedora policy I see
>>
>> ./kernel/domain.te:     dontaudit domain self:udp_socket listen;
>>
>> Meaning we just added a rule to tell the system to ignore these bogus
>> AVC messages.
>
> It does sound like a bug, but I'd like to hear from the kernel guys. (cc'd)

I think the problem you are seeing is that we do the *_socket:listen access check in the kernel before we execute the protocol specific listen() function - for obvious reasons. In this case of tcp_socket:listen this is fine as TCP has a legitimate need for the listen() call. However, in the case of udp_socket:listen this results in some odd behavior since UDP does not support a listen call; in fact the protocol specific listen() function simply returns -EOPNOTSUPP.

If this was really problematic we could put some logic in the socket_listen() hook but I'd like to avoid that if possible; it seems much cleaner to just use a dontaudit rule in policy.

-- 
paul moore
www.paul-moore.com
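The behaviour Paul describes (the protocol-specific listen() for UDP returning -EOPNOTSUPP, while TCP accepts the call) can be observed from user space. The following is an added example written for this archive page, not code from the thread or from refpolicy; it assumes a Linux host with AF_INET sockets available and binds to an ephemeral port on INADDR_ANY, so it does not need a specific port label.

```c
/* Added example: call listen() on a UDP and on a TCP socket and report
 * the errno each one produces. On Linux the UDP case fails with
 * EOPNOTSUPP, which is why a udp_socket:listen AVC denial carries no
 * real access that policy needs to grant. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create an AF_INET socket of the given type (SOCK_DGRAM or SOCK_STREAM),
 * bind it to an ephemeral port, call listen() and return the resulting
 * errno: 0 if listen() succeeded, or -1 if the socket could not even be
 * created or bound (so that failure is distinguishable from EOPNOTSUPP). */
int listen_result(int sock_type)
{
    int fd = socket(AF_INET, sock_type, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = 0;                    /* kernel picks a free port */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }

    int err = 0;
    if (listen(fd, 5) < 0)
        err = errno;                      /* EOPNOTSUPP for SOCK_DGRAM */
    close(fd);
    return err;
}

int main(void)
{
    int udp = listen_result(SOCK_DGRAM);
    int tcp = listen_result(SOCK_STREAM);
    printf("listen() on UDP socket: %s\n", udp ? strerror(udp) : "ok");
    printf("listen() on TCP socket: %s\n", tcp ? strerror(tcp) : "ok");
    return 0;
}
```

Because the LSM socket_listen hook runs before the protocol's own listen() handler, the udp_socket:listen check is logged even though the call is about to fail anyway; the `dontaudit domain self:udp_socket listen;` rule quoted from Fedora policy above silences that log entry without granting any permission.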