Bug 1983604

Summary: avc: denied { name_bind } for pid=560797 comm="rpcbind" src=64008 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:traceroute_port_t:s0 tclass=udp_socket permissive=1
Product: [Fedora] Fedora Reporter: Bruno Goncalves <bgoncalv>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-19 09:59:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bruno Goncalves 2021-07-19 08:10:32 UTC 
Description of problem:
During CKI xfstests - nfsv4.2 [1] we hit this avc issue:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.14-1.fc35.noarch
----
time->Sat Jul 17 11:06:29 2021
type=AVC msg=audit(1626534389.922:893): avc:  denied  { name_bind } for  pid=560797 comm="rpcbind" src=64008 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:traceroute_port_t:s0 tclass=udp_socket permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-34.14-1.fc35.noarch

How reproducible:
We've hit this only once so far.

Steps to Reproduce:
1. Run the test [1] setting TEST_PARAM_FSTYPE=nfs4


Additional info:
[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/filesystems/xfs/xfstests
Comment 2 Ben Cotton 2021-08-10 13:13:44 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.
Comment 3 Bruno Goncalves 2022-04-22 11:22:23 UTC 
Still reproducible on Rawhide

type=AVC msg=audit(1650608280.922:873): avc:  denied  { name_bind } for  pid=897864 comm="rpcbind" src=63924 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-36.6-1.fc37.noarch
Comment 4 Bruno Goncalves 2022-04-22 12:58:17 UTC 
Full audit

time->Fri Apr 22 08:56:18 2022
type=PROCTITLE msg=audit(1650632178.843:878): proctitle=2F7573722F62696E2F72706362696E64002D77002D66
type=SOCKADDR msg=audit(1650632178.843:878): saddr=0A00F315000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1650632178.843:878): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7ffea561a210 a2=1c a3=7ffea561a118 items=0 ppid=1 pid=726458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/bin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1650632178.843:878): avc:  denied  { name_bind } for  pid=726458 comm="rpcbind" src=62229 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
Comment 5 Ben Cotton 2022-08-09 13:11:51 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle.
Changing version to 37.
Comment 6 Bruno Goncalves 2022-11-11 13:29:48 UTC 
it still seem to be reproducible on Rawhide.


SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-37.14-1.fc38.noarch
----
time->Fri Nov 11 07:03:55 2022
type=AVC msg=audit(1668168235.324:1082): avc:  denied  { name_bind } for  pid=636213 comm="rpcbind" src=64007 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:traceroute_port_t:s0 tclass=udp_socket permissive=1

https://datawarehouse.cki-project.org/kcidb/tests/5934260
Comment 7 Zdenek Pytela 2022-12-19 09:59:22 UTC 

*** This bug has been marked as a duplicate of bug 1758147 ***