Bug 201671

Summary: rpc.mountd won't start when nss_ldap configured with TLS
Product: Fedora
Reporter: darkness <darkness-keyword-redhat.2bd9c5>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version: Current Doc Type: Bug Fix
Last Closed: 2007-03-28 20:05:08 UTC

Description darkness 2006-08-08 06:39:11 UTC
Description of problem:
When nss_ldap is configured for the services database, and nss_ldap is
instructed to use SSL/TLS, rpc.mountd fails to start because it cannot
access /dev/random and/or /dev/urandom.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-8.fc5
nfs-utils-1.0.8-2.fc5

How reproducible:
Consistently

Steps to Reproduce:
1. Configure nss_ldap to use SSL/TLS (I'm using "ssl start_tls" in
   /etc/ldap.conf).
2. Configure the services database to use LDAP: "services: files ldap"
   in /etc/nsswitch.conf.
3. Run rpc.mountd.
  
Actual results:
rpc.mountd hangs, messages in /var/log/messages:

Aug 8 02:30:47 foo mountd[11031]: nss_ldap: reconnecting to LDAP
server (sleeping 4 seconds)...

SELinux audit messages:

audit(1155018584.459:6336): avc: denied { read } for pid=11002
comm="rpc.mountd" name="urandom" dev=tmpfs ino=2730
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

audit(1155018584.459:6337): avc: denied { read } for pid=11002
comm="rpc.mountd" name="random" dev=tmpfs ino=2723
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

audit(1155018647.383:6340): avc: denied { getattr } for pid=11031
comm="rpc.mountd" name="urandom" dev=tmpfs ino=2730
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

audit(1155018647.383:6341): avc: denied { getattr } for pid=11031
comm="rpc.mountd" name="random" dev=tmpfs ino=2723
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file


Expected results:
rpc.mountd starts immediately.

Additional info:

The "denied { getattr }" messages only appear after I've made an
SELinux module to allow read on random/urandom.

Using the following policy module allowed rpc.mountd to start here:

    module mountd_fix 1.1;

    require {
            class chr_file { getattr read };
            type nfsd_t;
            type random_device_t;
            type urandom_device_t;
            role system_r;
    };

    allow nfsd_t random_device_t:chr_file { getattr read };
    allow nfsd_t urandom_device_t:chr_file { getattr read };

Comment 1 Daniel Walsh 2006-08-22 13:42:28 UTC
Fixed in selinux-policy-2.3.7-2.fc5

Comment 2 Daniel Walsh 2006-08-22 14:19:29 UTC
Change to modified

Comment 3 Daniel Walsh 2007-03-28 20:05:08 UTC
Closing bugs