Bug 1448090

| Field | Value |
|---|---|
| Summary | [GANESHA] AVC denials for unreserved port observed while changing RQUOTA port in ganesha.conf file |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.3 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | urgent |
| Keywords | ZStream |
| Target Milestone | pre-dev-freeze |
| Target Release | --- |
| Reporter | Manisha Saini <msaini> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Milos Malik <mmalik> |
| CC | amukherj, asrivast, fkrska, jthottan, lvrabec, mgrepl, mmalik, msaini, pdhange, plautrba, pvrabec, rhs-bugs, rnalakka, skoduri, ssekidde, storage-qa-internal |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Bug Blocks | 1450038, 1455236 |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2017-08-01 15:26:23 UTC |
Description

Manisha Saini, 2017-05-04 13:52:56 UTC

On setting setsebool -P nis_enabled on, no AVCs related to unreserved port were observed, and on restarting the nfs-ganesha service the ganesha process came up on the node.

I assumed that the ganesha.conf file uses a non-default value of Rquota_Port. The following SELinux denial appears in permissive mode:

----
type=PROCTITLE msg=audit(05/17/2017 11:27:07.835:826) : proctitle=bash -c nc -u -6 -l ::1 8750
type=SOCKADDR msg=audit(05/17/2017 11:27:07.835:826) : saddr={ fam=inet6 laddr=::1 lport=8750 }
type=SYSCALL msg=audit(05/17/2017 11:27:07.835:826) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x658c60 a2=0x80 a3=0x7ffdad5b9440 items=0 ppid=1707 pid=5447 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=nc exe=/usr/bin/ncat subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(05/17/2017 11:27:07.835:826) : avc: denied { name_bind } for pid=5447 comm=nc src=8750 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
----

Using a fake reproducer:

# runcon system_u:system_r:ganesha_t:s0 bash -c 'nc -u -6 -l ::1 8750'

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
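As an added example (not part of the bug report or of the selinux-policy project), the following parser groups `ausearch -i` style records like the ones quoted above by event serial and summarises each AVC denial with the source domain, target port type, object class, port number and whether it was logged in permissive mode, which is the information a defender needs to decide whether a port label, a boolean or a policy change is the right fix. The sample records are the ones from this bug, embedded inline as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in the bug, in `ausearch -i` style (one record per line).
AUDIT_TEXT = """\
type=SOCKADDR msg=audit(05/17/2017 11:27:07.835:826) : saddr={ fam=inet6 laddr=::1 lport=8750 }
type=SYSCALL msg=audit(05/17/2017 11:27:07.835:826) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x658c60 a2=0x80 a3=0x7ffdad5b9440 items=0 ppid=1707 pid=5447 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=nc exe=/usr/bin/ncat subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(05/17/2017 11:27:07.835:826) : avc: denied { name_bind } for pid=5447 comm=nc src=8750 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
"""

MSG_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<stamp>[^)]*)\)\s*:\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs; the values we read never contain spaces


def parse_events(text):
    """Group records by event serial (the number after the last ':' inside msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if m:  # separators such as '----' and unrelated lines are skipped
            events[m.group("stamp").rsplit(":", 1)[-1]].append((m.group("type"), m.group("body")))
    return events

def selinux_type(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def find_denials(text):
    """One summary dict per AVC denial, enriched with the exe from the SYSCALL record of the same event."""
    denials = []
    for serial, records in parse_events(text).items():
        syscall = next((dict(KV_RE.findall(b)) for t, b in records if t == "SYSCALL"), {})
        for rtype, body in records:
            m = AVC_RE.search(body) if rtype == "AVC" else None
            if not m or m.group("result") != "denied":
                continue  # granted records and non-AVC records are not denials
            f = dict(KV_RE.findall(m.group("rest")))
            denials.append({
                "serial": serial,
                "source_type": selinux_type(f.get("scontext", "")),
                "target_type": selinux_type(f.get("tcontext", "")),
                "perms": m.group("perms").split(),
                "tclass": f.get("tclass"),
                "port": int(f["src"]) if f.get("src", "").isdigit() else None,
                "permissive": f.get("permissive") == "1",  # 1 = logged only; enforcing mode would block it
                "exe": syscall.get("exe"),
            })
    return denials
```

Run `find_denials(AUDIT_TEXT)` on the sample, or on the output of `ausearch -i -m avc,syscall,sockaddr`, to get the denial summaries.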