Background
In July 2008, the security team issued DSA-1603-1 against Etch (4.0) in response to CVE-2008-1447, a weakness in the DNS protocol. The update to bind9 sought to mitigate the problem of DNS answer spoofing and cache poisoning by introducing UDP source port randomization.
Problem Description
The version of the SELinux reference policy shipped with Etch restricts bind9 to binding UDP sockets only to port 53 (domain); this constraint presupposes a fixed outbound port. Bind9 is not permitted to bind a socket to any other port and so will generally be prevented from sending any outbound UDP packets via randomized ports. This represents a deficiency in refpolicy (Bug#490271), which had as of the bind9 update already been corrected in an upstream release.
As a consequence of this, SELinux-enabled systems running Debian Etch saw failures in bind9 with the bind reference policy module loaded. This module will be installed by default if refpolicy is installed after bind itself, and can be manually enabled at any time thereafter as well.
The most serious consequence of the incompatibility is that an affected bind9 server will be unable to make any outgoing DNS requests, effectively breaking forwarding DNS servers. Servers used solely as authoritative zone servers without need for recursion would be generally unaffected. Clients querying an affected forwarding server will receive immediate SERVFAIL responses.
Another observable symptom will be SELinux audit failures in the kernel log, such as this one:
Jul 8 11:58:10 hostname kernel: audit(1215543490.338:8584): avc: denied { name_bind } for pid=32488 comm="named" src=20996 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
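To confirm the symptom from the kernel log before applying the workaround, here is an added example (not from the original page) that parses AVC denial lines and picks out only those where named_t is refused name_bind on a port_t UDP socket; apart from the line quoted above, the sample log text is constructed.

```python
import re

# Constructed sample kernel log text: the first line is the denial quoted above,
# the others are assumed variations plus an unrelated denial and a non-AVC line.
SAMPLE_LOG = """\
Jul 8 11:58:10 hostname kernel: audit(1215543490.338:8584): avc: denied { name_bind } for pid=32488 comm="named" src=20996 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 8 11:58:11 hostname kernel: audit(1215543491.101:8585): avc: denied { name_bind } for pid=32488 comm="named" src=41873 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 8 11:58:12 hostname kernel: audit(1215543492.500:8586): avc: denied { read } for pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Jul 8 11:58:13 hostname kernel: eth0: link is up
"""

# "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field (third component) of a user:role:type:level context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Return a dict describing an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def is_named_port_denial(rec):
    """True when named_t was denied name_bind on a UDP socket labelled port_t."""
    return (rec is not None and "name_bind" in rec["perms"]
            and rec["stype"] == "named_t" and rec["ttype"] == "port_t"
            and rec.get("tclass") == "udp_socket")


def find_named_port_denials(log_text):
    """Return the UDP source ports named was refused, in log order."""
    return [int(rec["src"]) for rec in map(parse_avc, log_text.splitlines())
            if is_named_port_denial(rec)]


if __name__ == "__main__":
    print("named_t denied name_bind on UDP ports:", find_named_port_denials(SAMPLE_LOG))
```

Run it over /var/log/kern.log (or the output of ausearch) on the affected host; any ports listed show bind9 trying randomized source ports that the loaded policy forbids.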
Correction
The problem was addressed by DSA-1617, which included the necessary correction to the bind policy, as well as a post-installation upgrade script to update a previously-loaded bind policy module when the package is installed.
Workaround
The problem can be effectively worked around by building and installing a policy module which permits bind to use arbitrary UDP ports.
The corrective policy module can be built two ways:
Using refpolicy-dev
1. Install the selinux-policy-refpolicy-dev package and its dependencies.
2. mkdir /etc/selinux/bind-workaround && cd /etc/selinux/bind-workaround
3. cat > bind_workaround.te
{{{
policy_module(bind_workaround, 1.0);
gen_require(`
    type named_t;
')
corenet_udp_bind_all_ports(named_t)
}}}
4. cat > Makefile
{{{
include /usr/share/selinux/refpolicy-targeted/include/Makefile
}}}
5. make
6. semodule -i bind_workaround.pp
Using a raw policy module
1. Install the policycoreutils and checkpolicy packages.
2. mkdir /etc/selinux/bind-workaround && cd /etc/selinux/bind-workaround
3. cat > bind_workaround.te
{{{
module bind_workaround 1.0;
require {
    class udp_socket name_bind;
    type named_t;
    type port_t;
    role system_r;
};
allow named_t port_t:udp_socket name_bind;
}}}
4. checkmodule -M -m bind_workaround.te -o bind_workaround.mod
5. semodule_package -m bind_workaround.mod -o bind_workaround.pp
6. semodule -i bind_workaround.pp