Bug 451805
| Field | Value |
|---|---|
| Summary | RHEL5.2 SELINUX: Restarting portmap service shows "not registered portmapper" message |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | manoj <manmah4u> |
| Component | selinux-policy |
| Assignee | Steve Dickson <steved> |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | low |
| Version | 5.2 |
| CC | dwalsh, menonbros, mkoci, mmalik, ssahu |
| Target Milestone | rc |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2009-01-20 21:32:31 UTC |
Description
manoj 2008-06-17 14:22:40 UTC

Dan, has there been any recent fixes to the SELinux policies that would address this problem?

What AVC's are you seeing?

    grep avc /var/log/audit/audit.log or /var/log/messages

I couldn't see any AVC messages and SELinux Troubleshoot Alerts while testing this scenario. I have pasted /var/log/messages content in my previous comment. Thanks.

Does portmapper work? Even with generating these errors?

SELinux policy for portmap has

    # portmap binds to arbitary ports
    corenet_tcp_bind_generic_port(portmap_t)
    corenet_udp_bind_generic_port(portmap_t)
    corenet_tcp_bind_reserved_port(portmap_t)
    corenet_udp_bind_reserved_port(portmap_t)
    corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
    corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)

This says that SELinux is allowing portmap to bind to all ports that do not have a defined port. SELinux maps types/labels to lots of ports. Any with a label portmapper will not be allowed to bind, and then will get a different one. The attempt will be dontaudited. If you execute

    # semanage port -l

you will see the list of defined ports. portmap then complains about the ports it is not allowed to bind. But it should continue to try to find a port.

I could see the portmap service running.

    rpc 13061 1 0 17:23 ? 00:00:00 portmap <--- ps -ef | grep portmap

But when I try to mount the share from the client it gives the below error

    showmount -e 10.1.4.32 (10.1.4.32 is the NFS Server)
    mount clntudp_create: RPC: Program not registered.

    mount 10.1.4.32:/home/share1 /test1
    mount: mount to NFS Server '10.1.4.32' failed: RPC Error: Program not registered.

# semanage port -l | grep 111 gives the below output

    portmap_port_t tcp 111
    portmap_port_t udp 111
    ricci_port_t tcp 11111
    ricci_port_t udp 11111

Try turning off dontaudit rules

    # semodule -i /usr/share/selinux/targeted/enableaudit.pp
    # service portmap restart

Look for avc messages

Turn back on dontaudit rules.

    # semodule -i /usr/share/selinux/targeted/base.pp

    # semodule -i /usr/share/selinux/targeted/enableaudit.pp

Even after executing the above command with (SELinux=enforcing) and restarting portmap service there are no avc messages displayed in the /var/log/messages file or /var/log/audit/audit.log file. But executing the same command gives the below output on the console.

    # semodule -i /usr/share/selinux/targeted/enableaudit.pp
    libsemanage.parse_module_headers: Received a base module, expected a non-base module.
    semodule: Failed on /usr/share/selinux/targeted/enableaudit.pp!

Similarly for this command also

    # semodule -i /usr/share/selinux/targeted/base.pp
    libsemanage.parse_module_headers: Received a base module, expected a non-base module.
    semodule: Failed on /usr/share/selinux/targeted/base.pp!

Sorry, should have been -b

Try turning off dontaudit rules

    # semodule -b /usr/share/selinux/targeted/enableaudit.pp
    # service portmap restart

Look for avc messages

Turn back on dontaudit rules.

    # semodule -b /usr/share/selinux/targeted/base.pp

    [root@lifo ~]# tail -f /var/log/audit/audit.log
    type=AVC msg=audit(1215066907.602:50): avc: denied { name_bind } for pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
    type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
    type=AVC msg=audit(1215066907.602:51): avc: denied { name_bind } for pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
    type=SYSCALL msg=audit(1215066907.602:51): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
    type=AVC msg=audit(1215066907.607:52): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
    type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=486c731b items=0 ppid=11396 pid=11413 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1 comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0 key=(null)
    type=AVC msg=audit(1215066907.609:53): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
    type=SYSCALL msg=audit(1215066907.609:53): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=3 items=0 ppid=11396 pid=11413 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1 comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0 key=(null)

Fixed in selinux-policy-2.4.6-142.el5

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Created attachment 319368 [details]
output of /CoreOS/selinux-policy/bugzillas/451805 test

Dan, could you please look at the attachment. The file contains some AVCs which appeared during the test. Before I ran the test I loaded the enableaudit policy package.

Looks like a bug

Fixed in selinux-policy-2.4.6-163.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
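An added example, not code from the bug report or from the selinux-policy package: a small Python parser for audit.log AVC records in the format quoted in this thread. It pulls out the name_bind denials once the dontaudit rules are disabled and reports, per domain, the port types (here hi_reserved_port_t) that refused the bind, which are the labels to look up with semanage port -l. The log text is constructed from records on this page plus one granted record for contrast.

```python
import re

# Constructed sample in the same format as the audit.log records quoted in this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215066907.602:50): avc: denied { name_bind } for pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 a0=3 comm="portmap" exe="/sbin/portmap"
type=AVC msg=audit(1215066907.602:51): avc: denied { name_bind } for pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215066907.607:52): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1215066907.650:60): avc: granted { name_bind } for pid=11411 comm="portmap" src=111 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket
"""

AVC_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KEY_VAL = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_HEAD.search(line)
    if not m:
        return None
    rec = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, val in KEY_VAL.findall(m.group(3)):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; keep the type component as stype/ttype.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx[0] + "type"] = rec[ctx].split(":")[2]
    return rec


def bind_denials(log_text):
    """Map (comm, source type, port type, socket class) -> list of refused ports."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and "name_bind" in rec["perms"]:
            key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])
            out.setdefault(key, []).append(int(rec["src"]))
    return out


def blocking_port_types(log_text):
    """Port labels that refused a bind: the types to look up with `semanage port -l`."""
    return sorted({ttype for (_, _, ttype, _) in bind_denials(log_text)})


if __name__ == "__main__":
    for (comm, stype, ttype, tclass), ports in bind_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{comm} ({stype}) refused {tclass} bind on {ports} labelled {ttype}")
```

Run against a real /var/log/audit/audit.log only after loading enableaudit.pp as described above, since the bind attempts are dontaudited under the normal base policy.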