Bug 472917

Summary: denied setgid for rpcbind
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: ackistler, atkac, chris.stromblad, david, dedourek, dwalsh, edgar.hoch, gseanmcg, jkubin, mgrepl, psplicha, steved
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-12-15 15:08:45 UTC
Attachments: Audit log corresponding to Comment #8

Description Orion Poplawski 2008-11-25 16:24:12 UTC
Description of problem:

With rpcbind-0.1.7-1.fc9 from updates-testing:

Nov 25 09:18:24 saga kernel: type=1400 audit(1227629904.039:11): avc:  denied  { setgid } for  pid=5845 comm="rpcbind" capability=6 scontext=root:system_r:rpcbind_t:s0 tcontext=root:system_r:rpcbind_t:s0 tclass=capability
Nov 25 09:18:24 saga rpcbind: setgid to 'rpc' (32) failed: Operation not permitted

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-111.fc9.noarch

Comment 1 Orion Poplawski 2008-11-25 16:31:09 UTC
Tried to make a policy module with audit2allow, but get:

# semodule -i rpcbind.pp
libsepol.print_missing_requirements: rpcbind's global requirements were not met: type/attribute rpcbind_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
# cat rpcbind.te
module rpcbind 1.0;

require {
        type rpcbind_t;
        class capability setgid;
}
require {
        type rpcbind_t;
        class capability setgid;
}

#============= rpcbind_t ==============
allow rpcbind_t self:capability setgid;

Comment 2 Daniel Walsh 2008-11-25 16:57:48 UTC
You can not call it rpcbind, call it myrpcbind, otherwise you replace the default package and this will remove the definition of

Comment 3 Steve Dickson 2008-12-01 16:15:06 UTC
Dan, in layman's terms, what is the problem here? How come rpcbind can't
change from root to another uid/gid?

Comment 4 Daniel Walsh 2008-12-01 16:27:14 UTC
Because the policy did not have this rule.

Comment 5 Daniel Walsh 2008-12-01 19:18:37 UTC
Basically when we write policy for a confined application we need to write allow rules for all capabilities required for the app.  Everything is denied by default, if you add a new capability to an app, then selinux policy needs to be updated.  If this capability (setgid) exists in previous versions of rpcbind, then we have a bug in policy.
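
The module in comment 1 and the explanation in comment 5 describe the audit2allow workflow; as an added illustration (not code from this bug or from the SELinux tools), the following Python reimplements its core: it parses the AVC denials quoted in this bug into allow rules, emits a .te source with a single require block, and rejects a module name that would replace the base rpcbind module, the mistake comment 2 points out. The base_modules list is a constructed assumption; on a real host it would come from semodule -l.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in this bug, one in the
# kernel/syslog format and one in the auditd "node=... type=AVC" format.
SAMPLE_AVC = """\
Nov 25 09:18:24 saga kernel: type=1400 audit(1227629904.039:11): avc:  denied  { setgid } for  pid=5845 comm="rpcbind" capability=6 scontext=root:system_r:rpcbind_t:s0 tcontext=root:system_r:rpcbind_t:s0 tclass=capability
node=xenhat type=AVC msg=audit(1228837412.711:43): avc:  denied  { setgid } for  pid=11381 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)')

def parse_avc(text):
    """Collect denials as {(source_type, target_type, tclass): {perm, ...}}."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        src = m.group('src').split(':')[2]   # user:role:type:level -> type
        tgt = m.group('tgt').split(':')[2]
        rules[(src, tgt, m.group('cls'))].update(m.group('perms').split())
    return dict(rules)

def fmt_perms(perms):
    """One permission bare, several in braces, as in .te syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_te(rules, module_name, base_modules=('rpcbind',)):
    """Render a .te source with one deduplicated require block.
    base_modules is a constructed stand-in for the loaded base modules
    (semodule -l); a colliding name would replace that module, not extend it."""
    if module_name in base_modules:
        raise ValueError(f'{module_name!r} collides with a base module; use my{module_name}')
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if src == tgt else tgt
        out.append(f'allow {src} {target}:{cls} {fmt_perms(perms)};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_te(parse_avc(SAMPLE_AVC), 'myrpcbind'), end='')
```

The generated source still has to go through checkmodule -M -m, semodule_package and semodule -i to be loaded, as in comment 1.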

Comment 6 Miroslav Grepl 2008-12-09 11:27:21 UTC
Fixed in selinux-policy-3.3.1-115.fc9.noarch

Comment 7 Fedora Update System 2008-12-09 11:32:50 UTC
selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-115.fc9

Comment 8 Steve Dickson 2008-12-09 15:51:32 UTC
It appears the problem still exists.... Unless I'm doing something wrong...

# rpm -Uhv selinux-policy-3.3.1-115.fc9.noarch.rpm selinux-policy-devel-3.3.1-115.fc9.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-devel   ########################################### [100%]
#
# rpm -Uhv rpcbind-0.1.7-1.fc9.i386.rpm
Preparing...                ########################################### [100%]
   1:rpcbind                ########################################### [100%]
#
# tail /var/log/messages
Dec  9 10:43:32 xenhat rpcbind: rpcbind terminating on signal. Restart with "rpcbind -w"
Dec  9 10:43:33 xenhat setroubleshoot: SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t. For complete SELinux messages. run sealert -l 7bfbb53d-a1ca-446b-917c-aed9f4c80898

# sealert -l 7bfbb53d-a1ca-446b-917c-aed9f4c80898

Summary:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t
Target Context                unconfined_u:system_r:rpcbind_t
Target Objects                None [ capability ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          xenhat
Source RPM Packages           rpcbind-0.1.4-17.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-115.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     xenhat
Platform                      Linux xenhat 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov
                              13 20:52:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue Dec  9 10:43:32 2008
Last Seen                     Tue Dec  9 10:43:32 2008
Local ID                      7bfbb53d-a1ca-446b-917c-aed9f4c80898
Line Numbers                  

Raw Audit Messages            

node=xenhat type=AVC msg=audit(1228837412.711:43): avc:  denied  { setgid } for  pid=11381 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability
node=xenhat type=SYSCALL msg=audit(1228837412.711:43): arch=40000003 syscall=214 success=yes exit=0 a0=20 a1=2db9bc a2=2105b0 a3=bfbabf40 items=0 ppid=1 pid=11381 auid=3606 uid=0 gid=32 euid=0 suid=0 fsuid=0 egid=32 sgid=32 fsgid=32 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)

Comment 9 Steve Dickson 2008-12-09 15:53:29 UTC
Created attachment 326340 [details]
Audit log corresponding to Comment #8

Comment 10 Miroslav Grepl 2008-12-09 16:33:00 UTC
Execute:

rpm -Uhv selinux-policy-targeted-3.3.1-115.fc9.noarch.rpm

Then it should be OK.

Comment 11 Steve Dickson 2008-12-09 18:14:10 UTC
I did... It was the first thing I did... See top of Comment #8:

# rpm -Uhv selinux-policy-3.3.1-115.fc9.noarch.rpm selinux-policy-devel-3.3.1-115.fc9.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-devel   ########################################### [100%]
#

Also note that after I rebooted I got the following syslog entry:

Dec  9 10:54:47 xenhat kernel: type=1400 audit(1228838087.682:3): avc:  denied  { setgid } for  pid=2358 comm="rpcbind" capability=6 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=capability

Comment 12 Orion Poplawski 2008-12-09 18:18:18 UTC
No, you didn't.  You updated selinux-policy and selinux-policy-devel.  NOT selinux-policy-targeted.

Comment 13 Fedora Update System 2008-12-10 04:39:10 UTC
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122

Comment 14 Allen Kistler 2008-12-11 22:41:35 UTC
I can verify.  I grabbed the whole set and updated old-style (rpm -Fvh).

selinux-policy-3.3.1-115.fc9.noarch.rpm
selinux-policy-devel-3.3.1-115.fc9.noarch.rpm
selinux-policy-doc-3.3.1-115.fc9.noarch.rpm
selinux-policy-mls-3.3.1-115.fc9.noarch.rpm
selinux-policy-targeted-3.3.1-115.fc9.noarch.rpm

rpcbind no longer has a setgid problem.

Comment 15 Christoffer Strömblad 2008-12-12 19:44:03 UTC
Confirmed, problem solved.

Comment 16 Edgar Hoch 2008-12-14 03:46:41 UTC
I also tried selinux-policy-targeted-3.3.1-115 and I confirm that the problem is solved.

I suggest releasing this version to updates-newkey (after it has passed the other Fedora quality tests...) so that all users get the fix.
On our Fedora 9 computers no NFS mount and no NFS export has been possible for about the past 2-3 days, and therefore no login with NFS home dirs...

Comment 17 Fedora Update System 2008-12-15 16:34:24 UTC
selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-116.fc9

Comment 18 Petr Šplíchal 2008-12-16 09:19:33 UTC
*** Bug 476614 has been marked as a duplicate of this bug. ***

Comment 19 Fedora Update System 2008-12-21 08:34:34 UTC
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.