Bug 1402490

Summary: /usr/bin/rpcbind has wrong SELinux label
Product: [Fedora] Fedora Reporter: Richard Chan <rc556677>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: unspecified    
Version: 25CC: awilliam, dwalsh, eblake, ron, steved
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-08 18:52:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard Chan 2016-12-07 16:23:58 UTC 
Description of problem:
rpcbind.socket cannot start because /usr/bin/rpcbind has wrong SELinux label and unable to create socket /run/rpcbind.sock.

In 0.2.4 rpcbind binary has moved to /usr/bin from /usr/sbin; the SELinux label is set wrongly


Version-Release number of selected component (if applicable):
rpcbind.x86_64 0.2.4-0.fc25

How reproducible:
Always

Steps to Reproduce:
1. Upgrade to 0.2.4-0.fc25
2.
3.

Actual results:
rpcbind.socket: Failed to listen on sockets: Permission denied
Failed to listen on RPCbind Server Activation Socket.

Expected results:
Listening on RPCbind Server Activation Socket.

Additional info:
# ls -Z /usr/bin/rpcbind
system_u:object_r:bin_t:s0 /usr/bin/rpcbind

Downgrade to rpcbind-0.2.3-11.rc1.fc25

# ls -Z /usr/sbin/rpcbind
system_u:object_r:rpcbind_exec_t:s0 /usr/sbin/rpcbind
Comment 1 Richard Chan 2016-12-07 16:28:04 UTC 
Manual fix:

1. Upgrade to rpcbind.x86_64 0.2.4-0.fc25
2. Observe audit2allow -al:

#============= init_t ==============
allow init_t unconfined_service_t:unix_stream_socket create;

3. Fix label
chcon -t rpcbind_exec_t /usr/bin/rpcbind

4. systemctl restart rpcbind.socket
Listening on RPCbind Server Activation Socket.
Comment 2 Adam Williamson 2016-12-08 17:54:33 UTC 
Been seeing what looks like the same thing on our openQA boxes (recently updated to F25) and in some openQA tests.
Comment 3 Adam Williamson 2016-12-08 18:00:44 UTC 
So the binary moved from /usr/sbin to /usr/bin ; selinux-policy needs updating to apply the correct label to it now. In fact this has just a few hours ago been done:

https://github.com/fedora-selinux/selinux-policy/commit/a1f5dc42371849a2ab33ea0397c9e68c66c17afc

we just need package builds for Rawhide and F25.
Comment 4 Eric Blake 2016-12-08 18:42:28 UTC 
This may be a duplicate of bug 1402083
Comment 5 Adam Williamson 2016-12-08 18:52:43 UTC 
Yes, they probably are the same.

*** This bug has been marked as a duplicate of bug 1402083 ***