Bug 1206125

Summary: when SLP support is enabled in ypserv then ypserv service triggers AVCs
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: low
Version: 7.1
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-32.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-11-19 10:27:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Milos Malik 2015-03-26 11:25:06 UTC
Description of problem:
 * the SLP support is by default disabled, which means that these AVCs do not usually appear

Version-Release number of selected component (if applicable):
selinux-policy-sandbox-3.13.1-23.el7.noarch
selinux-policy-devel-3.13.1-23.el7.noarch
selinux-policy-doc-3.13.1-23.el7.noarch
selinux-policy-mls-3.13.1-23.el7.noarch
selinux-policy-minimum-3.13.1-23.el7.noarch
selinux-policy-targeted-3.13.1-23.el7.noarch
selinux-policy-3.13.1-23.el7.noarch

How reproducible:
always

Steps to Reproduce:
# grep ^slp /etc/ypserv.conf 
slp: domain
slp_timeout: 10
# service ypserv start
# search for AVCs

Actual results (enforcing mode):
----
type=SYSCALL msg=audit(03/26/2015 07:14:33.540:301557) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x7 a1=0x7fffe877be00 a2=0x10 a3=0x0 items=0 ppid=1 pid=18712 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ypserv exe=/usr/sbin/ypserv subj=system_u:system_r:ypserv_t:s0 key=(null) 
type=AVC msg=audit(03/26/2015 07:14:33.540:301557) : avc:  denied  { connect } for  pid=18712 comm=ypserv lport=665 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket 
----

Actual results (permissive mode):
----
type=SYSCALL msg=audit(03/26/2015 07:15:22.037:301767) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x7 a1=0x7fff97645120 a2=0x10 a3=0x0 items=0 ppid=1 pid=21316 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ypserv exe=/usr/sbin/ypserv subj=system_u:system_r:ypserv_t:s0 key=(null) 
type=AVC msg=audit(03/26/2015 07:15:22.037:301767) : avc:  denied  { name_connect } for  pid=21316 comm=ypserv dest=111 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket 
type=AVC msg=audit(03/26/2015 07:15:22.037:301767) : avc:  denied  { connect } for  pid=21316 comm=ypserv lport=41551 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket 
----

Expected results:
 * no AVCs
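
The three AVC records above are enough to derive the policy rules the denial implies. The script below is an added example, not code from the bug report or from selinux-policy: it re-implements the part of audit2allow that turns AVC records into allow rules and wraps them in a local module, so the derivation is visible. The records are embedded as constructed sample input (copied from the report), and the module name ypserv_slp_local is an arbitrary choice for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): derive the
# allow rules the AVC records imply, the way audit2allow would, and wrap
# them in a local policy module. Module name ypserv_slp_local is arbitrary.

# Constructed sample: the three AVC records quoted in the bug report
# (ausearch -i formatting).
AVC_SAMPLE='type=AVC msg=audit(03/26/2015 07:15:22.037:301767) : avc:  denied  { name_connect } for  pid=21316 comm=ypserv dest=111 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(03/26/2015 07:15:22.037:301767) : avc:  denied  { connect } for  pid=21316 comm=ypserv lport=41551 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket
type=AVC msg=audit(03/26/2015 07:14:33.540:301557) : avc:  denied  { connect } for  pid=18712 comm=ypserv lport=665 scontext=system_u:system_r:ypserv_t:s0 tcontext=system_u:system_r:ypserv_t:s0 tclass=tcp_socket'

# avc_to_te: read AVC records on stdin, print one allow rule per distinct
# (source type, target type, class, permission). The type is the third
# field of a context; identical source and target types become "self".
avc_to_te() {
    grep 'avc: *denied' | awk '
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
    {
        if (!match($0, /[{] [^}]* [}]/)) next
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "scontext") stype = ctx_type(val)
            else if (key == "tcontext") ttype = ctx_type(val)
            else if (key == "tclass") tclass = val
        }
        if (stype == "" || ttype == "" || tclass == "") next
        target = (stype == ttype) ? "self" : ttype
        n = split(perms, plist, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " stype " " target ":" tclass " " plist[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# te_module NAME: read allow rules on stdin and emit a .te module with the
# require block checkmodule needs (every referenced type, class and permission).
te_module() {
    awk -v name="$1" '
    {
        rules[NR] = $0
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perm = $4; sub(/;$/, "", perm)
        types[src] = 1
        if (tgt != "self") types[tgt] = 1
        if (!(cls in perms)) perms[cls] = perm
        else if (index(" " perms[cls] " ", " " perm " ") == 0) perms[cls] = perms[cls] " " perm
    }
    END {
        print "module " name " 1.0;"
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in perms) print "\tclass " c " { " perms[c] " };"
        print "}"
        for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# Rules and module derived from the sample records.
ypserv_rules()  { printf '%s\n' "$AVC_SAMPLE" | avc_to_te; }
ypserv_module() { ypserv_rules | te_module ypserv_slp_local; }

ypserv_module
```

Two points worth noting. First, the enforcing-mode run shows only the self:tcp_socket connect denial: the first denied check aborts the connect() call, so the name_connect denial on portmap_port_t (dest=111) only surfaces in permissive mode, which is why the permissive run is the one to collect rules from. Second, the generated .te is meant as a temporary local module until the fixed selinux-policy is installed: build and load it with checkmodule -M -m -o ypserv_slp_local.mod ypserv_slp_local.te, semodule_package -o ypserv_slp_local.pp -m ypserv_slp_local.mod and semodule -i ypserv_slp_local.pp, and remove it with semodule -r ypserv_slp_local afterwards. Whether the shipped policy grants a given rule can be checked with sesearch, e.g. sesearch -A -s ypserv_t -t portmap_port_t -c tcp_socket -p name_connect.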

Comment 1 Milos Malik 2015-03-26 11:36:17 UTC
# rpm -qa yp\*
ypbind-1.37.1-7.el7.x86_64
ypserv-2.31-8.el7.x86_64
yp-tools-2.14-3.el7.x86_64
#

Comment 2 Lukas Vrabec 2015-07-09 12:50:34 UTC
commit 8d4143da48d04104f48c60d7f99ce390dfdbd74c
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 14:47:34 2015 +0200

    Allow connect ypserv to portmap_port_t.

Comment 6 errata-xmlrpc 2015-11-19 10:27:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html