Bug 1559324
| Summary: | rpcbind: svc_tli_create: could not bind to anonymous port (due to SELinux policy) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 29 | CC: | dwalsh, jorti, lvrabec, orion, plautrba, steved |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-05-15 21:16:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Steve, Does rpcbind binding on random port or port 63890 is somewhere defined? Thanks, Lukas. (In reply to Lukas Vrabec from comment #2) > Steve, > > Does rpcbind binding on random port or port 63890 is somewhere defined? Sorry for the delay response... I've been traveling Yes, rpcbind opens a random listening port for its remote calls support, where rpcbind makes an RPC call for a remote client. It is an ancient interface that was that Netapp (and I believe SUN) remove it years ago. There has been some recent discussion about adding a command line argument to turn it off... So opening that port is causing the SELinux denials? *** Bug 1563792 has been marked as a duplicate of this bug. *** Quite late, but yes, openening random ports causing SELinux denials. This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This works on Fedora 29 and 30. Sorry, it still fails on Fedora 30, recent example: https://209.132.184.41:8493/logs/pull-11733-20190503-090101-b85fe2a8-container-kubernetes/log.html#18 Correction, that log is Fedora 29. Hi Steve, The main issue here is that rpcbind choosed port 63890 and this port is labeled as unreserved_port_t. rpcbind cannot bind on unreserved_port_t. I read in comment#3 that this is some leftover from old functionality, does it make sense to support it? THanks, Lukas. (In reply to Lukas Vrabec from comment #11) > Hi Steve, > > The main issue here is that rpcbind choosed port 63890 and this port is > labeled as unreserved_port_t. rpcbind cannot bind on unreserved_port_t. > > I read in comment#3 that this is some leftover from old functionality, does > it make sense to support it? > > THanks, > Lukas. This problem was fixed in Fedora 29 due to this commit commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4) Author: Steve Dickson <steved> Date: Wed Aug 15 10:22:36 2018 -0400 rpcbind: Disable remote calls by default Added a new configuration flag --enable-rmtcalls which will be needed to enable the remote call functionality. This also stops rpcbind from opening up random listening ports. Signed-off-by: Steve Dickson <steved> So an older rpcbind must being used. |
Description of problem: In current Fedora 28, rpcbind.service can't bind its port as the SELinux policy denies it. Version-Release number of selected component (if applicable): rpcbind-0.2.4-10.rc3.fc28.x86_64 selinux-policy-targeted-3.14.1-14.fc28.noarch selinux-policy-3.14.1-14.fc28.noarch How reproducible: Always Steps to Reproduce: 1. systemctl start rpcbind 2. systemctl status rpcbind Actual results: rpcbind.service starts, but logs an error: rpcbind[1446]: rpcbind: svc_tli_create: could not bind to anonymous port During that, this SELinux denial gets logged: audit: type=1400 audit(1521712389.010:254): avc: denied { name_bind } for pid=1446 comm="rpcbind" src=63890 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 Expected results: Service starts cleanly without any SELinux denials If this restriction is intentioal, rpcbind should be configured appropriately; otherwise please reassign this to selinux-policy to get it allowed.