udp bind() fails with EACCES when selinux enforcing, but no audit messages

From: Enrique Perez-Terron
Date: Thu Sep 11 2008 - 12:03:25 EST

Fedora core 9 stock kernel i586

Udp bind() fails with EACCES when selinux enforcing, but no audit

How to reproduce:

In startup scripts, configure rpc.statd to use the fixed port 34.
This port does not occur in /etc/services
(In /etc/sysconfig/nfs, STATD_PORT=34)

Write the following script, run it with bash -x.


: "${TESTDIR:?set TESTDIR to a scratch directory first}"
mkdir -p "$TESTDIR" && cd "$TESTDIR" # to hold about 50 files

# Stop NFS:
service nfs stop
service nfslock stop

# Gather some baseline data for easy comparison
echo 1 > /selinux/enforce # just in case
dmesg > dmesg-enforc-before
wc /var/log/audit/audit.log > audit-enforc-before

# This fails
strace -o enforc -ff service nfslock start

# But no new messages in logs
dmesg > dmesg-enforc-after
wc /var/log/audit/audit.log > audit-enforc-after

# Try again in permissive mode
echo 0 > /selinux/enforce
dmesg > dmesg-nonenf-before
wc /var/log/audit/audit.log > audit-nonenf-before

# Since this works, daemon starts, and strace hangs on
# Need sigkill; sigint does not work. Why?
(sleep 5; killall -9 strace) &
strace -o nonenf -ff service nfslock start

# Just for symmetry
dmesg > dmesg-nonenf-after
wc /var/log/audit/audit.log > audit-nonenf-after

# Check that there are no audits.
diff dmesg-enforc-before dmesg-enforc-after
diff audit-enforc-before audit-enforc-after

# There are several other calls to bind() that are not prevented
grep -E '^bind|^socket' enforc.*
grep -E '^bind|^socket' nonenf.*
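The final two grep lines compare bind() calls between the enforcing and permissive traces by eye. The following is an added example (not part of the original report) that does the same comparison mechanically: it parses strace output for bind(2), extracts family, port and errno, and lists the binds that were refused only while enforcing. The strace lines embedded below are constructed to mirror the rpc.statd port-34 case, not copied from the reporter's traces.

```python
import re

# One strace line for bind(2), with or without the "PID  " prefix that
# strace -f adds (strace -ff writes one file per PID and omits the prefix).
BIND_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?bind\((?P<fd>\d+),\s*\{(?P<addr>[^}]*)\},\s*\d+\)'
    r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')
FAMILY_RE = re.compile(r'sa_family=(\w+)')


def parse_bind_calls(lines):
    """Return one dict per bind() call found in the given strace lines."""
    calls = []
    for line in lines:
        m = BIND_RE.match(line.strip())
        if not m:
            continue
        port = PORT_RE.search(m.group('addr'))
        fam = FAMILY_RE.search(m.group('addr'))
        calls.append({
            'pid': int(m.group('pid')) if m.group('pid') else None,
            'fd': int(m.group('fd')),
            'family': fam.group(1) if fam else None,
            'port': int(port.group(1)) if port else None,
            'ok': m.group('ret') == '0',
            'errno': m.group('errno'),
        })
    return calls


def binds_denied_only_when_enforcing(enforcing_lines, permissive_lines):
    """bind() calls that failed in the enforcing trace but succeeded on the
    same (family, port) in the permissive trace. Keyed on family and port,
    not on pid/fd, because those differ between the two runs."""
    ok_permissive = {(c['family'], c['port'])
                     for c in parse_bind_calls(permissive_lines) if c['ok']}
    return [c for c in parse_bind_calls(enforcing_lines)
            if not c['ok'] and (c['family'], c['port']) in ok_permissive]


# Constructed sample traces (not real output from the reporter's system).
ENFORCING = [
    'socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3',
    'bind(3, {sa_family=AF_INET, sin_port=htons(34), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)',
    'socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4',
    'bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0',
]
PERMISSIVE = [
    'socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3',
    'bind(3, {sa_family=AF_INET, sin_port=htons(34), sin_addr=inet_addr("0.0.0.0")}, 16) = 0',
    'socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4',
    'bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0',
]
```

Feed it the real enforc.* and nonenf.* files (one list of lines per file, or all files concatenated) to get the denied ports without hand-diffing the grep output.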
