Bug 164165 - enabling SELinux prevents Java app from using TCP sockets
Summary: enabling SELinux prevents Java app from using TCP sockets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: James Morris
QA Contact: Brian Brock
URL:
Whiteboard:
Duplicates: 163006
Depends On:
Blocks:
 
Reported: 2005-07-25 15:37 UTC by Igor Wawrzyniak
Modified: 2007-11-30 22:11 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-30 01:52:23 UTC


Attachments
strace log from both working and not working configuration (attachment 117123; 2005-07-25 15:39 UTC, Igor Wawrzyniak)
Fix addrlen checks in selinux_socket_connect (attachment 117228, patch; 2005-07-28 13:33 UTC, Stephen Smalley)

Description Igor Wawrzyniak 2005-07-25 15:37:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
The Java app I'm using can't use TCP sockets when SELinux is enabled. It happens regardless of the mode (permissive or enforcing) or policy (strict or targeted). No message appears in syslog. I was told on fedora-selinux mailing list that it's possibly a bug in the kernel and I should report it here. Simply rebooting the system with SELinux disabled makes the app work, enabling SELinux makes the problem occur again.

The bug seems to be triggered by very specific software configuration: the app I'm using and specific JRE versions (with some JREs the app is running fine). Unfortunately, the app is not free, so if you need more information you have to ask me.

I ran the app under strace with SELinux disabled and enabled. The relevant part of the strace log is attached.

Version-Release number of selected component (if applicable):
kernel-2.6.12-1.1398_FC4 and kernel-2.6.11-1.1398_FC4

How reproducible:
Always

Steps to Reproduce:
1) Run the app
2) Enter IP address of the server


Actual Results:  Error message "cannot assign requested address". See strace log for more details.

Expected Results:  The app should connect to server using TCP. See strace log for more details.

Additional info:

Comment 1 Igor Wawrzyniak 2005-07-25 15:39:04 UTC
Created attachment 117123 [details]
strace log from both working and not working configuration

Comment 2 Stephen Smalley 2005-07-28 12:56:18 UTC
selinux_socket_connect (security/selinux/hooks.c) checks the addrlen prior
to extracting the port number for the name_connect permission check.  In the
INET6 case, it compares it with sizeof(struct sockaddr_in6) and returns -EINVAL
if it doesn't match.  Per the strace log, the passed in size to connect(2) was
only 24, but sizeof(struct sockaddr_in6) on x86 is 28.  Is passing in a shorter
addrlen legal?

Comment 3 James Morris 2005-07-28 13:00:55 UTC
Are you able to provide the source to the section of code being traced here?

Comment 4 Stephen Smalley 2005-07-28 13:05:37 UTC
Ah, I see.  tcp_v6_connect only requires addrlen to be >= SIN6_LEN_RFC2133, which
is 24.  tcp_v4_connect requires addrlen to be >= sizeof(sockaddr_in).

selinux_socket_connect needs to be fixed accordingly.

Comment 5 Igor Wawrzyniak 2005-07-28 13:17:44 UTC
(In reply to comment #3)
> Are you able to provide the source to the section of code being traced here?

I'll try, but it'll take a few days.

Comment 6 Stephen Smalley 2005-07-28 13:23:41 UTC
I don't think source is needed; the bug lies in selinux_socket_connect imposing
greater restrictions on addrlen than the underlying ipv6 code does.  Also, the
check in the ipv4 case should be weakened to not require strict equality; we
should just be consistent with the underlying ipv4 code there.
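
The following is an added illustration of the length check comments 2, 4 and 6 describe; it is not the kernel's code and not the patch in attachment 117228, which is not reproduced on this page. It models the pre-fix strict-equality check and the post-fix lower-bound check side by side, then replays the reporter's situation: an IPv6 connect() with addrlen 24 (the RFC 2133 size, without sin6_scope_id) where sizeof(struct sockaddr_in6) is 28. SIN6_LEN_RFC2133 is a kernel-internal constant redefined here for userspace, and the port number and address in the constructed call are arbitrary test values.

```c
/* Added example (not the kernel's code): models the addrlen check that
 * selinux_socket_connect() applies before extracting the port for the
 * name_connect permission check, before and after the fix described in
 * this bug.  SIN6_LEN_RFC2133 is kernel-internal (include/net/ipv6.h) and
 * is redefined here so the example builds in userspace. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef SIN6_LEN_RFC2133
#define SIN6_LEN_RFC2133 24  /* sockaddr_in6 without sin6_scope_id */
#endif

typedef int (*addrlen_check_fn)(int family, socklen_t addrlen);

/* Pre-fix: strict equality with the full structure size (28 on x86 for
 * IPv6), which rejects the 24-byte address the Java runtime passed. */
int addrlen_check_old(int family, socklen_t addrlen)
{
    if (family == AF_INET)
        return addrlen != sizeof(struct sockaddr_in) ? -EINVAL : 0;
    if (family == AF_INET6)
        return addrlen != sizeof(struct sockaddr_in6) ? -EINVAL : 0;
    return 0;  /* no port to check for other families */
}

/* Post-fix: the same lower bounds the transport code applies, i.e.
 * tcp_v4_connect() needs sizeof(struct sockaddr_in) and tcp_v6_connect()
 * needs only SIN6_LEN_RFC2133. */
int addrlen_check_fixed(int family, socklen_t addrlen)
{
    if (family == AF_INET)
        return addrlen < sizeof(struct sockaddr_in) ? -EINVAL : 0;
    if (family == AF_INET6)
        return addrlen < SIN6_LEN_RFC2133 ? -EINVAL : 0;
    return 0;
}

/* Smallest addrlen that still covers the port field.  Relaxing the check
 * is safe only because this stays below the minimum the hook accepts. */
size_t min_addrlen_for_port(int family)
{
    if (family == AF_INET)
        return offsetof(struct sockaddr_in, sin_port) + sizeof(in_port_t);
    if (family == AF_INET6)
        return offsetof(struct sockaddr_in6, sin6_port) + sizeof(in_port_t);
    return 0;
}

/* Length check followed by port extraction, as the hook does.  Returns the
 * host-order port or a negative errno.  -EINVAL here is a validation
 * failure, not an access decision: permissive mode does not rescue it and
 * no AVC denial is logged, which matches the original report. */
int name_connect_port(const struct sockaddr *addr, socklen_t addrlen,
                      addrlen_check_fn check)
{
    int rc = check(addr->sa_family, addrlen);
    if (rc)
        return rc;
    if (addrlen < min_addrlen_for_port(addr->sa_family))
        return -EINVAL;  /* defensive: never read past the caller's buffer */
    if (addr->sa_family == AF_INET)
        return ntohs(((const struct sockaddr_in *)addr)->sin_port);
    if (addr->sa_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    return -EAFNOSUPPORT;
}

/* Constructed reproduction of the reporter's trace: an IPv6 connect() to
 * an arbitrary port (8080) with addrlen 24, the RFC 2133 size. */
int java_style_connect(addrlen_check_fn check)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(8080);
    inet_pton(AF_INET6, "2001:db8::1", &sin6.sin6_addr);  /* documentation prefix */
    return name_connect_port((const struct sockaddr *)&sin6,
                             SIN6_LEN_RFC2133, check);
}

int main(void)
{
    printf("sizeof(struct sockaddr_in6) = %zu, SIN6_LEN_RFC2133 = %d\n",
           sizeof(struct sockaddr_in6), SIN6_LEN_RFC2133);
    printf("old check, addrlen 24: %d (EINVAL is %d)\n",
           java_style_connect(addrlen_check_old), -EINVAL);
    printf("fixed check, addrlen 24: port %d\n",
           java_style_connect(addrlen_check_fixed));
    return 0;
}
```

The practitioner's takeaway: an LSM hook that validates a user-supplied length must apply the same bound as the code path it guards, or it silently rejects inputs the protocol itself accepts, and because the rejection is an errno rather than a denial it leaves no audit trail and is unaffected by permissive mode. The lower bound still has to cover every field the hook reads, which is why min_addrlen_for_port() is compared against the accepted minimum.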

Comment 7 Stephen Smalley 2005-07-28 13:33:09 UTC
Created attachment 117228 [details]
Fix addrlen checks in selinux_socket_connect

Comment 8 James Morris 2005-07-28 16:23:45 UTC
(In reply to comment #7)
> Created attachment 117228
> Fix addrlen checks in selinux_socket_connect
> 

Looks good to me.

Comment 9 Stephen Smalley 2005-07-28 20:20:59 UTC
Ok, submitted to Andrew Morton and lkml.

Comment 10 Igor Wawrzyniak 2005-07-29 08:20:26 UTC
(In reply to comment #7)
> Created attachment 117228
> Fix addrlen checks in selinux_socket_connect

It works. Thanks.

Comment 11 Dave Jones 2005-08-03 22:22:21 UTC
fixed in cvs.


Comment 12 Archit Shah 2005-08-25 19:50:23 UTC
*** Bug 163006 has been marked as a duplicate of this bug. ***

