Bug 196719

Summary: selinux blocks NFS, ntp and probably others
Product: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: high
Priority: high
Reporter: Doug Chapman <dchapman>
Assignee: James Morris <jmorris>
QA Contact: Brian Brock <bbrock>
CC: dwalsh, orion, wtogami
Doc Type: Bug Fix
Last Closed: 2006-09-18 19:42:12 UTC

Description Doug Chapman 2006-06-26 17:52:37 UTC
Description of problem:

I am seeing this on my HP Integrity ia64 servers.

Running 2.6.17-1.2307_FC6 with selinux enabled makes the system almost unusable.
 At the very least ntp and NFS are broken.  ntpd is unable to connect to any
servers and an nfs mount command just hangs.  All problems go away if I boot
with selinux=0.


Console messages when ntp is running:
audit(1151342374.831:38): avc:  denied  { send } for  pid=1899 comm="ntpd"
saddr=10.12.11.11 src=123 daddr=172.16.52.228 dest=123 netif=eth0
scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet

Console messages when I try to do an NFS mount:
audit(1151342520.126:42): avc:  denied  { recv } for  pid=2252 comm="mount"
saddr=127.0.0.1 src=1023 daddr=127.0.0.1 dest=111 netif=lo
scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet


Other messages seen during bootup complain about: avahi-daemon and rpc.statd


Version-Release number of selected component (if applicable):
kernel-2.6.17-1.2307_FC6
rawhide-20060626

How reproducible:
100%

Steps to Reproduce:
1. run with selinux enabled
2. note various audit "denied" messages
3. try doing an nfs mount

Comment 1 Jay Cliburn 2006-06-27 14:18:20 UTC
Me too.  I see it on an i386.  It also prevents outbound smtp traffic.

Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc:  denied  { send } for  pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

Jun 25 04:26:47 gadwall kernel: audit(1151227607.199:30): avc:  denied  { send } for  pid=28697 comm="makewhatis" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

Jun 25 04:26:53 gadwall kernel: audit(1151227613.199:31): avc:  denied  { send } for  pid=29189 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

Jun 25 04:27:05 gadwall kernel: audit(1151227625.200:32): avc:  denied  { send } for  pid=30221 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

Comment 2 Orion Poplawski 2006-06-30 21:59:24 UTC
Still seeing with 2.6.17-1.2336.fc6 on i386.  Affects NIS and cups as well.


Comment 3 Orion Poplawski 2006-07-06 16:07:47 UTC
Things seem somewhat better with 2.6.17-1.2356.fc6.  At least ypbind can start
and NFS mounts stuff.  Still see lots of avc messages though:

audit(1152202124.462:9): avc:  denied  { send } for  pid=2153 comm="syslogd"
saddr=192.168.0.91 src=32768 daddr=192.168.0.8 dest=53 netif=eth0
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202124.466:10): avc:  denied  { recv } for  saddr=192.168.0.8 src=53
daddr=192.168.0.91 dest=32768 netif=eth0 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:11): avc:  denied  { send } for  pid=2197 comm="rpc.statd"
saddr=127.0.0.1 src=678 daddr=127.0.0.1 dest=111 netif=lo
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202125.566:12): avc:  denied  { recv } for  pid=2197 comm="rpc.statd"
saddr=127.0.0.1 src=678 daddr=127.0.0.1 dest=111 netif=lo
scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:13): avc:  denied  { send } for  pid=2178 comm="portmap"
saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=678 netif=lo
scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:14): avc:  denied  { recv } for  pid=2178 comm="portmap"
saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=678 netif=lo
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202127.171:15): avc:  denied  { send } for  pid=2330 comm="ypbind"
saddr=127.0.0.1 src=810 daddr=127.0.0.1 dest=111 netif=lo
scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202127.171:16): avc:  denied  { recv } for  pid=2178 comm="portmap"
saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=810 netif=lo
scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202127.467:17): avc:  denied  { send } for  pid=2352 comm="automount"
saddr=192.168.0.91 src=832 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202127.475:18): avc:  denied  { recv } for  saddr=192.168.0.8 src=696
daddr=192.168.0.91 dest=832 netif=eth0 scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202129.867:19): avc:  denied  { send } for  pid=2410 comm="cupsd"
saddr=192.168.0.91 src=890 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202129.867:20): avc:  denied  { recv } for  saddr=192.168.0.8 src=696
daddr=192.168.0.91 dest=890 netif=eth0
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202130.207:21): avc:  denied  { send } for  pid=2153 comm="syslogd"
saddr=192.168.0.91 src=514 daddr=192.168.0.8 dest=514 netif=eth0
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202130.327:22): avc:  denied  { send } for  pid=2430 comm="ntpd"
saddr=192.168.0.91 src=910 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202130.343:23): avc:  denied  { recv } for  saddr=192.168.0.8 src=696
daddr=192.168.0.91 dest=910 netif=eth0 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202131.535:24): avc:  denied  { send } for  pid=2513 comm="xfs"
saddr=192.168.0.91 src=58537 daddr=192.168.0.8 dest=111 netif=eth0
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202131.535:25): avc:  denied  { recv } for  saddr=192.168.0.8 src=111
daddr=192.168.0.91 dest=58537 netif=eth0 scontext=system_u:system_r:xfs_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.267:26): avc:  denied  { send } for  pid=2605
comm="avahi-daemon" saddr=192.168.0.91 src=46111 daddr=192.168.0.8 dest=111
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.267:27): avc:  denied  { recv } for  saddr=192.168.0.8 src=111
daddr=192.168.0.91 dest=46111 netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.535:28): avc:  denied  { send } for  pid=2249
comm="dbus-daemon" saddr=192.168.0.91 src=51225 daddr=192.168.0.8 dest=111
netif=eth0 scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.539:29): avc:  denied  { recv } for  pid=15 comm="kblockd/0"
saddr=192.168.0.8 src=111 daddr=192.168.0.91 dest=51225 netif=eth0
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.667:30): avc:  denied  { recv } for  pid=2610
comm="S98haldaemon" saddr=192.168.0.8 src=53 daddr=192.168.0.91 dest=32768
netif=eth0 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.667:31): avc:  denied  { send } for  pid=2430 comm="ntpd"
saddr=192.168.0.91 src=32772 daddr=192.168.0.8 dest=53 netif=eth0
scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202132.759:32): avc:  denied  { send } for  pid=2605
comm="avahi-daemon" saddr=192.168.0.91 src=5353 daddr=224.0.0.251 dest=5353
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.759:33): avc:  denied  { recv } for  pid=2605
comm="avahi-daemon" saddr=192.168.0.91 src=5353 daddr=224.0.0.251 dest=5353
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202138.119:34): avc:  denied  { recv } for  pid=2651 comm="xkbcomp"
saddr=192.168.0.9 src=631 daddr=192.168.0.255 dest=631 netif=eth0
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202145.472:35): avc:  denied  { send } for  pid=2249
comm="dbus-daemon" saddr=192.168.0.91 src=46610 daddr=192.168.0.8 dest=111
netif=eth0 scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202145.472:36): avc:  denied  { recv } for  saddr=192.168.0.8 src=111
daddr=192.168.0.91 dest=46610 netif=eth0
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202147.208:39): avc:  denied  { send } for  pid=2334 comm="ypbind"
saddr=192.168.0.91 src=818 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202147.208:40): avc:  denied  { recv } for  pid=2756 comm="X"
saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=818 netif=eth0
scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202152.576:41): avc:  denied  { recv } for  pid=2788 comm="kdm_greet"
saddr=192.168.0.249 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0
scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202153.132:42): avc:  denied  { recv } for  saddr=192.168.0.76
src=33384 daddr=192.168.0.255 dest=111 netif=eth0
scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202154.124:43): avc:  denied  { recv } for  saddr=192.168.0.9 src=631
daddr=192.168.0.255 dest=631 netif=eth0
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202156.592:44): avc:  denied  { recv } for  saddr=192.168.0.9 src=123
daddr=192.168.0.255 dest=123 netif=eth0 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202177.153:45): avc:  denied  { send } for  pid=2153 comm="syslogd"
saddr=192.168.0.91 src=514 daddr=192.168.0.8 dest=514 netif=eth0
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202187.214:46): avc:  denied  { send } for  pid=2334 comm="ypbind"
saddr=192.168.0.91 src=818 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202187.214:47): avc:  denied  { recv } for  saddr=192.168.0.8 src=696
daddr=192.168.0.91 dest=818 netif=eth0 scontext=system_u:system_r:ypbind_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202195.738:48): avc:  denied  { recv } for  saddr=192.168.0.85
src=34325 daddr=192.168.0.255 dest=111 netif=eth0
scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202199.326:49): avc:  denied  { send } for  pid=2430 comm="ntpd"
saddr=192.168.0.91 src=123 daddr=202.124.17.10 dest=123 netif=eth0
scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202246.457:50): avc:  denied  { send } for  pid=2847 comm="automount"
saddr=192.168.0.91 src=840 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.457:51): avc:  denied  { recv } for  saddr=192.168.0.8 src=696
daddr=192.168.0.91 dest=840 netif=eth0 scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.489:52): avc:  denied  { send } for  pid=2848 comm="mount"
saddr=192.168.0.91 src=904 daddr=192.168.0.8 dest=696 netif=eth0
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
audit(1152202246.489:53): avc:  denied  { recv } for  saddr=192.168.0.8 src=696
daddr=192.168.0.91 dest=904 netif=eth0 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.673:54): avc:  denied  { send } for  pid=2178 comm="portmap"
saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=785 netif=lo
scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
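
Every denial quoted in this report, across ntpd, portmap, rpc.statd, ypbind, automount, cupsd, syslogd, avahi and the rest, has the same shape: tclass=packet and tcontext=system_u:object_r:unlabeled_t:s0, with only the source domain changing. That pattern says the kernel is now labeling network packets and the policy has no rule letting these domains send or receive unlabeled packets, which is why the fix landed in selinux-policy rather than in each service. The script below is an added triage example, not code from the bug report or from Fedora: it parses "avc: denied" lines, strips the MLS range from contexts, groups denials by (source type, target type, class, permission), and reports whether the packet class is pinned to a single target type. The sample lines are copied from this bug except for the final file denial, which is constructed to show that other classes are kept separate. The allow rules it prints are audit2allow-style output for illustration only; the page records only that selinux-policy-2.3.14-3 fixed the bug, not what that policy change was.

```python
"""Triage SELinux AVC packet denials of the kind quoted in this bug.

Added example, not part of the bug report. The allow-rule output mimics
what audit2allow would print and is not the policy change that closed
the bug; the page only records the fixed version.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: four lines copied from the report, plus one made-up
# file denial (foo_t/etc_t are placeholders, not from the page).
SAMPLE_LOG = """\
audit(1151342374.831:38): avc:  denied  { send } for  pid=1899 comm="ntpd" saddr=10.12.11.11 src=123 daddr=172.16.52.228 dest=123 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1151342520.126:42): avc:  denied  { recv } for  pid=2252 comm="mount" saddr=127.0.0.1 src=1023 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202129.867:19): avc:  denied  { send } for  pid=2410 comm="cupsd" saddr=192.168.0.91 src=890 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202130.343:23): avc:  denied  { recv } for  saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=910 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202200.000:60): avc:  denied  { read } for  pid=3000 comm="foo" name="bar" dev=sda1 ino=42 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# "avc:  denied  { send recv } for  key=value ..." ; the permission set sits
# between braces, everything after "for" is key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields plus a 'perms' list, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """user:role:type[:range] -> type. Drops an MLS range such as s0-s0:c0.c255."""
    return context.split(':')[2]


def summarize(log):
    """Count denials per (source type, target type, class, permission) and
    collect the set of target types seen per object class."""
    rules = Counter()
    targets = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d['perms']:
            rules[(type_of(d['scontext']), type_of(d['tcontext']), d['tclass'], perm)] += 1
            targets[d['tclass']].add(type_of(d['tcontext']))
    return rules, targets


def allow_rules(rules):
    """audit2allow-style 'allow' statements, one per (source, target, class)."""
    by_pair = defaultdict(set)
    for (stype, ttype, tclass, perm) in rules:
        by_pair[(stype, ttype, tclass)].add(perm)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in by_pair.items())


def single_target(targets, tclass):
    """True when every denial for this class names the same target type,
    i.e. the problem is one missing base-policy rule, not per-service labels."""
    return len(targets.get(tclass, ())) == 1


if __name__ == "__main__":
    rules, targets = summarize(SAMPLE_LOG)
    for rule in allow_rules(rules):
        print(rule)
    if single_target(targets, 'packet'):
        print("all packet denials target", next(iter(targets['packet'])),
              "- look at the base policy, not at the individual services")
```

On a live system the same denials would be pulled with `ausearch -m avc` and fed to `audit2allow`; treat its `allow <domain> unlabeled_t:packet { send recv };` output as a diagnostic, not as a local module to load per service, because an unlabeled packet is any packet the kernel could not attach a label to, and granting it domain by domain reproduces what the updated base policy does centrally.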


Comment 4 Daniel Walsh 2006-09-18 19:42:12 UTC
Fixed in selinux-policy-2.3.14-3