Bug 1401815

Summary: Wrong SELinux context for /var/run/rpcbind.sock and /var/run/rpcbind.lock
Product: [Fedora] Fedora
Reporter: Alexander Ploumistos <alex.ploumistos>
Component: rpcbind
Assignee: Steve Dickson <steved>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 25
CC: mike, steved
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-07 13:40:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alexander Ploumistos 2016-12-06 08:03:42 UTC
Hi,
I don't know which component is at fault here - selinux-policy or rpcbind - but ever since the selinux-policy-3.13.1-225.fc25 update, I've been getting SELinux denials at boot, because rpcbind.sock does not have the expected context:

Dec 06 09:44:32 setroubleshoot[1251]: SELinux is preventing rpc.mountd from write access on the sock_file rpcbind.sock. For complete SELinux messages. run sealert -l 6c76b5b3-c506-40a7-9d62-dc19227283d7
Dec 06 09:44:32 python3[1251]: SELinux is preventing rpc.mountd from write access on the sock_file rpcbind.sock.

# matchpathcon -V /var/run/rpc*
/var/run/rpcbind verified.
/var/run/rpcbind.lock has context system_u:object_r:var_run_t:s0, should be system_u:object_r:rpcbind_var_run_t:s0
/var/run/rpcbind.sock has context system_u:object_r:var_run_t:s0, should be system_u:object_r:rpcbind_var_run_t:s0

I can set the expected context with restorecon, but at the next reboot the socket file will be recreated with the default var_run_t.

If you think this should be addressed by the SELinux folks (same result with selinux-policy-3.13.1-225.1.fc25), please feel free to change the assigned component. I currently have rpcbind-0.2.4-0.fc25.x86_64.

Comment 1 W. Michael Petullo 2016-12-07 03:48:08 UTC
I use autofs to automatically mount NFS shares, and I seem to be affected by this bug too. If I run "ls /some/autofs/mount/point" I find that the kernel logs the following:

type=AVC msg=audit(1481082148.750:248): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.750:249): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.751:250): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:251): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/rpcbind.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:252): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:253): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:254): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:255): avc:  denied  { listen } for  pid=1 comm="systemd" lport=111 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:256): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1481082148.753:257): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1481082148.753:258): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=udp_socket permissive=1

I am running selinux-policy-3.13.1-224.fc25.noarch.
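The two kinds of evidence in this thread, the `matchpathcon -V` mismatch lines in the description and the raw `type=AVC` audit records in comment 1, are what a defender triages when a policy update starts producing denials. The following is an added example, not code from the bug report or from the rpcbind or selinux-policy projects: a small Python parser that turns AVC records into (source context, target context, object class) groups with their merged permissions and permissive flag, and extracts (path, actual type, expected type) from `matchpathcon -V` output so mislabelled files can be listed for `restorecon`. The sample inputs are constructed copies of lines quoted in the report; the regular expressions are this example's own assumptions about the audit record layout, not an official grammar.

```python
"""Triage helpers for SELinux AVC denials and matchpathcon -V output.

Added example for this bug thread; not part of the report, rpcbind or
selinux-policy. Sample inputs are constructed from lines quoted above.
"""
import re

# Constructed sample: two of the AVC records quoted in comment 1.
SAMPLE_AVC = """\
type=AVC msg=audit(1481082148.752:251): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/rpcbind.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:255): avc:  denied  { listen } for  pid=1 comm="systemd" lport=111 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
"""

# Constructed sample: the matchpathcon -V output quoted in the description.
SAMPLE_MATCHPATHCON = """\
/var/run/rpcbind verified.
/var/run/rpcbind.lock has context system_u:object_r:var_run_t:s0, should be system_u:object_r:rpcbind_var_run_t:s0
/var/run/rpcbind.sock has context system_u:object_r:var_run_t:s0, should be system_u:object_r:rpcbind_var_run_t:s0
"""

# Assumed layout of an AVC record: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; quoted values (comm, path) may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed layout of a matchpathcon -V mismatch line.
MPC_RE = re.compile(
    r'^(?P<path>\S+) has context (?P<actual>\S+), should be (?P<expected>\S+)$'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # permissive=1 means the access was logged but not actually blocked.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize_avc(text):
    """Group denials by (scontext, tcontext, tclass), merging permissions."""
    summary = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["scontext"], rec["tcontext"], rec["tclass"])
        entry = summary.setdefault(key, {"count": 0, "perms": set(), "permissive": False})
        entry["count"] += 1
        entry["perms"].update(rec["perms"])
        entry["permissive"] = entry["permissive"] or rec["permissive"]
    return summary


def parse_matchpathcon(text):
    """Return (path, actual_context, expected_context) for each mismatch."""
    mismatches = []
    for line in text.splitlines():
        m = MPC_RE.match(line.strip())
        if m:
            mismatches.append((m.group("path"), m.group("actual"), m.group("expected")))
    return mismatches


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


if __name__ == "__main__":
    for (src, tgt, cls), entry in summarize_avc(SAMPLE_AVC).items():
        mode = "permissive" if entry["permissive"] else "enforcing"
        print(f"{entry['count']}x {context_type(src)} -> {context_type(tgt)} "
              f"{cls} {{ {' '.join(sorted(entry['perms']))} }} ({mode})")
    for path, actual, expected in parse_matchpathcon(SAMPLE_MATCHPATHCON):
        print(f"relabel needed: {path}: {context_type(actual)} -> {context_type(expected)}")
```

Grouping by the (scontext, tcontext, tclass) triple is what makes the comment 1 records readable: the ten lines collapse to three rows (one per socket class), all with `init_t` as source and `unconfined_service_t` as target, which points at a labelling problem on the service rather than at rpcbind's own domain. The `matchpathcon` rows give the `restorecon` targets directly, and comparing only the type field keeps the report short.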

Comment 2 Steve Dickson 2016-12-07 13:40:36 UTC

*** This bug has been marked as a duplicate of bug 1402083 ***