Bug 205771

Summary: avc errors when running portmap
Product: [Fedora] Fedora Reporter: Bill Peck <bpeck>
Component: nfs-utilsAssignee: Steve Dickson <steved>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-09-13 17:06:27 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Bill Peck 2006-09-08 09:00:54 EDT
Description of problem:

The multihost connectahon testsuite is passing for both client and server on
rawhide-20060908, but when running as the server I am seeing avc error messages
from running portmap.

http://rhts.lab.boston.redhat.com/cgi-bin/rhts/test_log.cgi?id=815552

Version-Release number of selected component (if applicable):
rawhide-20060908
kernel-2.6.17-1.2630.fc6.i686
nfs-utils-1.0.9-5.fc6.i386

How reproducible:
Everytime

Additional info:
This also happens with the RHEL5 Beta

device eth1 left promiscuous mode
audit(1157717260.967:99): dev=eth1 prom=0 old_prom=256 auid=4294967295
audit(1157717278.228:100): avc:  denied  { append } for  pid=5049 comm="portmap"
name="tmp.Tf4985" dev=sda2 ino=362932 scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
audit(1157717278.340:101): avc:  denied  { append } for  pid=5049 comm="portmap"
name="tmp.Tf4985" dev=sda2 ino=362932 scontext=system_u:system_r:portmap_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
NFSD: starting 90-second grace period
Comment 1 Daniel Walsh 2006-09-08 09:20:41 EDT
Is portmap actually trying to write to a tmp file created in init?  Or is this
tmp file just grabbing STDOUT, and therefor portmap tries to talk to the TTY and
this gets caught.  If it is the second, it can probably be ignored since this
will only happen in the test scenario.
Comment 2 Steve Dickson 2006-09-10 12:09:30 EDT
Dan,

any clue?
Comment 3 Daniel Walsh 2006-09-11 11:11:41 EDT
Yes, read Comment #1
Comment 4 Steve Dickson 2006-09-12 15:46:08 EDT
the portmapper is opening /dev/null then dups stdin, stdout, and stderr
iff the open is successful... which in this case it appears the open
fails... so this is not fatal but its seems a bit over kill to stop
process from opening /dev/null... imho... 
Comment 5 Bill Peck 2006-09-12 16:21:21 EDT
steved: are you sure?

I ended up changing the test as follows:

service portmap start | cat > $OUTPUTFILE 2>&1

this stops the avc message from appearing.
Comment 6 Steve Dickson 2006-09-13 12:21:59 EDT
The following routine is called like daemon(0,0) from main():

#define _PATH_DEVNULL   "/dev/null"
daemon(nochdir, noclose)
    int nochdir, noclose;
{
    int cpid;

    if ((cpid = fork()) == -1)
        return (-1);
    if (cpid)
        exit(0);
    (void) setsid();
    if (!nochdir)
        (void) chdir("/");
    if (!noclose) {
        int devnull = open(_PATH_DEVNULL, O_RDWR, 0);

        if (devnull != -1) {
            (void) dup2(devnull, STDIN_FILENO);
            (void) dup2(devnull, STDOUT_FILENO);
            (void) dup2(devnull, STDERR_FILENO);
            if (devnull > 2)
                (void) close(devnull);
        }
    }
    return(0);
}
Comment 7 Daniel Walsh 2006-09-13 17:06:27 EDT
These avc's have little to do with portmapper.  They are basically caused by the
kernel checking how stdin, stdout, stderr were opened and whether the domain
(portmap_t) has the right access to these open file descriptor.  If they do not
the kernel closes the descriptor and hands the process a file descriptor to
/dev/null.  If you have redirected the stdout to a file in a random location,
the kernel will check if portmap can write to that location (file_context). 
This is what is generating the AVC,  By default the kernel would have checked a
open file descriptor to tty_device_t which is dontaudited, writing to /tmp/t
however is audited.