Bug 2246914

Summary: avc: denied { search } for comm="rpcbind" name="net" dev="proc"
Product: Fedora
Component: selinux-policy
Version: 39
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Linux
Reporter: Martin Pitt <mpitt>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
URL: https://cockpit-logs.us-east-1.linodeobjects.com/pull-19541-20231028-061240-f17dc026-fedora-39-updates-testing/log.html#213
Whiteboard: CockpitTest
Fixed In Version: selinux-policy-39.1-1.fc39
Last Closed: 2023-11-07 01:39:37 UTC

Description Martin Pitt 2023-10-30 05:18:08 UTC
Cockpit's tests recently started to run nightly checks on Fedora 39 updates-testing (until Friday it was still F38). This found a SELinux regression in the NFS tests. They did succeed, but they cause this violation:

audit: type=1400 audit(1698474882.843:12922): avc:  denied  { search } for  pid=47538 comm="rpcbind" name="net" dev="proc" ino=15820 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

We don't see this with selinux-policy-38.28.1.fc39 (i.e. without updates-testing).

rpcbind-1.2.6-4.rc2.fc39.1.x86_64
selinux-policy-38.29-1.fc39.noarch

Reproducible: Always

Steps to Reproduce:
systemctl start rpcbind

Actual Results:
service starts, but with two errors:

rpcbind[1131]: Unable to open open /proc/sys/net/ipv4/ip_local_reserved_ports.
rpcbind[1131]: rpcbind: svc_tli_create: could not bind to anonymous port
rpcbind[1131]: Unable to open open /proc/sys/net/ipv4/ip_local_reserved_ports.
rpcbind[1131]: rpcbind: svc_tli_create: could not bind to anonymous port

and the corresponding violations in the journal:

AVC avc:  denied  { search } for  pid=1131 comm="rpcbind" name="net" dev="proc" ino=15820 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
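The two AVC records quoted in this report (the raw journal line above and the `ausearch -i` style record in comment 1) make a handy test input for a triage helper. The following Python is an added example and not part of the bug report or of selinux-policy: it parses both record formats into structured fields, groups denials by (source type, target type, object class), and prints the audit2allow-shaped rule each group would need, so the "rpcbind_t search sysctl_net_t:dir" pattern can be spotted in a large journal without an interactive audit tool. The sample records are copied from this page; everything else (function and class names) is the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the two AVC records quoted in this bug report.
SAMPLE_RECORDS = [
    'audit: type=1400 audit(1698474882.843:12922): avc:  denied  { search } for  '
    'pid=47538 comm="rpcbind" name="net" dev="proc" ino=15820 '
    'scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(10/30/2023 10:14:10.248:475) : avc:  denied  { name_bind } for  '
    'pid=1485 comm=rpcbind src=63179 scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 ',
]

# "avc: denied { perm perm } for key=value ..." -- same core shape in the raw
# kernel/journal form and in the ausearch -i interpreted form.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value where value is either "quoted" (raw form) or a bare token (interpreted form).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcRecord:
    verdict: str                 # "denied" or "granted"
    perms: List[str]             # permissions inside the braces
    fields: Dict[str, str]       # pid, comm, name, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # scontext=user:role:type:level -> the type component
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self) -> str:
        return self.fields['tclass']

    @property
    def enforcing(self) -> bool:
        # permissive=0 means the access was actually blocked, not just logged
        return self.fields.get('permissive') == '0'

    def allow_rule(self) -> str:
        """The rule audit2allow would propose; a candidate to review, not a fix."""
        perms = self.perms[0] if len(self.perms) == 1 else '{ ' + ' '.join(self.perms) + ' }'
        return f'allow {self.source_type} {self.target_type}:{self.tclass} {perms};'


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other journal line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, value, unquoted in KV_RE.findall(m.group('rest')):
        fields[key] = unquoted if value.startswith('"') else value
    return AvcRecord(m.group('verdict'), m.group('perms').split(), fields)


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group enforced denials by (source type, target type, class) -> set of perms."""
    groups: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.verdict != 'denied' or not rec.enforcing:
            continue
        key = (rec.source_type, rec.target_type, rec.tclass)
        groups.setdefault(key, set()).update(rec.perms)
    return groups


if __name__ == '__main__':
    for rec in map(parse_avc, SAMPLE_RECORDS):
        if rec:
            print(f"{rec.fields.get('comm')} ({rec.source_type}) -> {rec.allow_rule()}")
```

The printed rule is what `audit2allow` would emit and is useful for matching a denial against a known bug; whether such access belongs in the distribution policy is a separate decision (here it shipped as part of selinux-policy-39.1-1.fc39 rather than as a local module).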

Comment 1 Milos Malik 2023-10-30 14:29:34 UTC
Visible in the systemd journal:
Oct 30 10:14:10 machine-name-removed systemd[1]: Starting rpcbind.service - RPC Bind...
Oct 30 10:14:10 machine-name-removed rpcbind[1485]: rpcbind: svc_tli_create: could not bind to anonymous port
Oct 30 10:14:10 machine-name-removed systemd[1]: Started rpcbind.service - RPC Bind.

The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(10/30/2023 10:14:10.248:475) : proctitle=/usr/bin/rpcbind -w -f 
type=SOCKADDR msg=audit(10/30/2023 10:14:10.248:475) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=63179 } 
type=SYSCALL msg=audit(10/30/2023 10:14:10.248:475) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffefff9cc00 a2=0x10 a3=0x55def188e8c0 items=0 ppid=1 pid=1485 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcbind exe=/usr/bin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null) 
type=AVC msg=audit(10/30/2023 10:14:10.248:475) : avc:  denied  { name_bind } for  pid=1485 comm=rpcbind src=63179 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 
----

Comment 2 Milos Malik 2023-10-30 14:39:36 UTC
Unfortunately, I'm not able to reproduce the same SELinux denial that is recorded in comment#0.

Comment 3 Martin Pitt 2023-10-30 15:55:22 UTC
That is bug #1758147, and it's many years old already. This only happens with the updates-testing version. It's a standard F39 cloud image after `dnf -y update --enablerepo=updates-testing` and a reboot.

Comment 4 Zdenek Pytela 2023-10-31 16:12:14 UTC
This is not a regression in selinux-policy, but rather a result of rpcbind having been fixed to use ip_local_reserved_ports.
The policy commit is already in rawhide.

Comment 5 Fedora Update System 2023-11-02 20:05:43 UTC
FEDORA-2023-24872e50a0 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0

Comment 6 Fedora Update System 2023-11-03 02:08:56 UTC
FEDORA-2023-24872e50a0 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-24872e50a0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-11-07 01:39:37 UTC
FEDORA-2023-24872e50a0 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.