From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 18 Aug 2011 09:52:17 -0400
Subject: [refpolicy] [PATCH 1/1] Allow NFS daemon to listen on an UDP port
In-Reply-To: <4E4D0CBD.9060703@tresys.com>
References: <20110813191106.GA19074@siphos.be> <4E4AC530.7000208@tresys.com> <4E4BAB20.1090007@redhat.com> <4E4BB56D.6000701@tresys.com> <4E4D0CBD.9060703@tresys.com>
Message-ID: <4E4D1911.90203@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/18/2011 08:59 AM, Christopher J. PeBenito wrote:
> On 08/17/11 17:48, Paul Moore wrote:
>> On Wed, Aug 17, 2011 at 8:34 AM, Christopher J. PeBenito wrote:
>>> On 8/17/2011 7:50 AM, Daniel J Walsh wrote:
>>>> On 08/16/2011 11:58 PM, Sven Vermeulen wrote:
>>>>> On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito wrote:
>>>>>> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>>>>>>>
>>>>>>> To support NFS over UDP, we should allow rpcd_t to listen on a udp_socket.
>>>>>>
>>>>>> I'm confused. I don't see any UDP port binding for rpcd_t.
>>>>>
>>>>> It's pulled in through rpc_domain_template:
>>>>>
>>>>> rpc.te: rpc_domain_template(rpc) --> corenet_udp_bind_generic_port($1_t)
>>>>>
>>>>> To be honest, I'm also confused (but that's due to inexperience) why listen isn't part of create_socket_perms. If one creates a socket & binds to it, what cases are there that you don't listen on it? What is the need for create_stream_socket_perms?
>>>
>>> create_socket_perms is for connectionless sockets, and create_stream_socket_perms is for connection-oriented sockets (eg TCP and AF_UNIX/SOCK_STREAM [unix_stream_sockets]).
>>>
>>>>> Considering that, the patch might be best within the rpc_domain_template() template, considering that it currently reads:
>>>>>
>>>>> allow $1_t self:tcp_socket create_stream_socket_perms;
>>>>> allow $1_t self:udp_socket create_socket_perms;
>>>>>
>>>>> so the second line might then be best changed to create_stream_socket_perms. But I'll need to check first if this is needed for nfsd_t and gssd_t too.
>>>
>>>> You can probably dontaudit this call. You should not need to listen to udp sockets, you could consider this a bug in the kernel for reporting it.
>>>>
>>>> Doing a grep through Fedora policy I see
>>>>
>>>> ./kernel/domain.te: dontaudit domain self:udp_socket listen;
>>>>
>>>> Meaning we just added a rule to tell the system to ignore these bogus AVC messages.
>>>
>>> It does sound like a bug, but I'd like to hear from the kernel guys. (cc'd)
>>
>> I think the problem you are seeing is that we do the *_socket:listen access check in the kernel before we execute the protocol specific listen() function - for obvious reasons. In this case of tcp_socket:listen this is fine as TCP has a legitimate need for the listen() call. However, in the case of udp_socket:listen this results in some odd behavior since UDP does not support a listen call; in fact the protocol specific listen() function simply returns -EOPNOTSUPP.
>>
>> If this was really problematic we could put some logic in the socket_listen() hook but I'd like to avoid that if possible; it seems much cleaner to just use a dontaudit rule in policy.
>
> Sigh. I can do that as Dan does in the Fedora policy, though I hate to waste kernel memory with rules that really shouldn't be needed.
>

If you want to save kernel memory, remove all policy that uses the "-" construct

port_type -reserved_port_type;
file_type -shadow_t;

Cause tens of thousands of rules to be added to policy.
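The kernel behaviour Paul describes above (the udp_socket:listen permission check runs before the protocol-specific listen(), which for UDP just returns -EOPNOTSUPP) can be observed from userspace without any policy at all. The following is an added example, not code from the thread or from refpolicy: it creates a TCP and a UDP socket, binds each to a constructed address (INADDR_ANY, ephemeral port) and calls listen(), reporting whether the call succeeded or which errno it failed with. On Linux the UDP case fails with EOPNOTSUPP regardless of what policy says, which is why an `allow ... udp_socket listen` rule cannot make NFS-over-UDP work and a `dontaudit` rule is the right way to silence the AVC denial. The function names and the address used are assumptions of this example.

```python
import errno
import socket

# Constructed bind address: any local interface, kernel-chosen ephemeral port.
BIND_ADDR = ("0.0.0.0", 0)

SOCK_TYPES = {
    "tcp": socket.SOCK_STREAM,  # connection-oriented: listen() is meaningful
    "udp": socket.SOCK_DGRAM,   # connectionless: listen() has no meaning
}


def listen_outcome(sock_type: int) -> int:
    """Create an AF_INET socket of the given type, bind it, call listen().

    Returns 0 when listen() succeeded, otherwise the errno it failed with.
    The socket is always closed before returning.
    """
    sock = socket.socket(socket.AF_INET, sock_type)
    try:
        sock.bind(BIND_ADDR)
        try:
            sock.listen(5)
        except OSError as exc:
            # For SOCK_DGRAM the kernel's sock_no_listen() returns
            # -EOPNOTSUPP; the LSM listen hook has already run by then.
            return exc.errno
        return 0
    finally:
        sock.close()


def listen_outcome_name(kind: str) -> str:
    """'OK' when listen() succeeded, otherwise a symbolic errno name.

    ENOTSUP and EOPNOTSUPP share the value 95 on Linux, so both are
    reported as EOPNOTSUPP to match the name used in the thread.
    """
    code = listen_outcome(SOCK_TYPES[kind])
    if code == 0:
        return "OK"
    if code in (errno.EOPNOTSUPP, errno.ENOTSUP):
        return "EOPNOTSUPP"
    return errno.errorcode.get(code, str(code))


def udp_listen_is_unsupported() -> bool:
    """True when listen() on a UDP socket is rejected with EOPNOTSUPP."""
    return listen_outcome(socket.SOCK_DGRAM) in (errno.EOPNOTSUPP, errno.ENOTSUP)


if __name__ == "__main__":
    for kind in ("tcp", "udp"):
        print(f"{kind}: listen() -> {listen_outcome_name(kind)}")
```

Run it as an unprivileged user on an SELinux-enforcing host and the UDP call still fails with EOPNOTSUPP even if the domain has `udp_socket listen`; the only thing policy changes is whether an AVC message is logged before that failure, which is exactly what `dontaudit domain self:udp_socket listen;` addresses.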