SCTP accept problem


Lui Yeung

Jul 16, 2013, 3:13:09 PM
to mobicent...@googlegroups.com
When running jSS7 2.0 FINAL on Oracle Java 7 on RHEL 6, the following error log messages showed up when the SCTP server was about to accept an incoming SCTP connection request:
2013/07/12 17:54:10.720 ERROR (Thread-32) [org.mobicents.protocols.sctp.SelectorThread.run:162] Error while selecting the ready keys
java.net.SocketException: Permission denied
    at sun.nio.ch.Net.localInetAddress(Native Method)
    at sun.nio.ch.Net.localAddress(Net.java:389)
    at sun.nio.ch.SctpChannelImpl.<init>(SctpChannelImpl.java:155)
    at sun.nio.ch.SctpChannelImpl.<init>(SctpChannelImpl.java:141)
    at sun.nio.ch.SctpServerChannelImpl.accept(SctpServerChannelImpl.java:241)
    at org.mobicents.protocols.sctp.SelectorThread.acceptSctp(SelectorThread.java:191)
    at org.mobicents.protocols.sctp.SelectorThread.accept(SelectorThread.java:181)
    at org.mobicents.protocols.sctp.SelectorThread.run(SelectorThread.java:153)
    at java.lang.Thread.run(Thread.java:722)

After this happened, netstat showed that the socket was in established state, but localFSMState and peerFSMState of the AS were both DOWN.

The problem went away after changing the SELinux mode to permissive (setenforce Permissive), with these new SELinux audit logs:

Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.260:52898): avc:  denied  { write } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.260:52898): avc:  denied  { write } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.262:52899): avc:  denied  { read } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.262:52899): avc:  denied  { read } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket


Has anyone seen this problem before? TCP associations (ipChannelType=1) did not have this problem.

Amit Bhayani

Jul 21, 2013, 4:46:51 AM
to mobicents-public
Never seen this before but looks like permission issues

Amit.


Lazoir

Jul 28, 2013, 8:50:13 AM
to mobicent...@googlegroups.com
Hi Lui,

Try to disable SELinux on your IOS. After restart it will work.

Dimuthu Darshana

Jul 7, 2014, 7:46:23 AM
to mobicent...@googlegroups.com
I had the same issue on the SCTP server side. I got it solved perfectly with the steps below.

1) Backed up the /etc/sysconfig/selinux file.
2) Edited /etc/sysconfig/selinux as below (SELinux = Security-Enhanced Linux).

Before

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted 

After

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted 

3) Restarted the Linux server via the command below.

/sbin/reboot
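An added example, not part of the thread or of jSS7: a small parser for the AVC denials quoted in the first post. It shows exactly which access SELinux refused and drafts the narrowly scoped type-enforcement rule covering only that access (the kind of rule audit2allow drafts from audit logs). The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: the four AVC lines quoted in the first post of this thread.
SAMPLE = """\
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.260:52898): avc:  denied  { write } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.260:52898): avc:  denied  { write } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.262:52899): avc:  denied  { read } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
Jul 16 15:01:10 IPSPServer1 kernel: type=1400 audit(1374001270.262:52899): avc:  denied  { read } for  pid=15316 comm="java" laddr=::ffff:138.120.54.224 lport=2905 faddr=::ffff:138.120.54.215 fport=2905 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=rawip_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def draft_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and {"scontext", "tcontext", "tclass"} <= rec.keys():
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    # unlabeled_t means the target object carried no label, so a rule
    # against it is broad: treat the output as a draft to review, not to load blindly.
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    print("\n".join(draft_rules(SAMPLE)))
```
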