Bug 472917
| Summary: | denied setgid for rpcbind | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9 | CC: | ackistler, atkac, chris.stromblad, david, dedourek, dwalsh, edgar.hoch, gseanmcg, jkubin, mgrepl, psplicha, steved |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-12-15 15:08:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Orion Poplawski
2008-11-25 16:24:12 UTC
Tried to make a policy module with audit2allow, but get:

```
# semodule -i rpcbind.pp
libsepol.print_missing_requirements: rpcbind's global requirements were not met: type/attribute rpcbind_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
# cat rpcbind.te
module rpcbind 1.0;

require {
	type rpcbind_t;
	class capability setgid;
}

require {
	type rpcbind_t;
	class capability setgid;
}

#============= rpcbind_t ==============
allow rpcbind_t self:capability setgid;
```

You cannot call it rpcbind; call it myrpcbind, otherwise you replace the default package and this will remove the definition of

Dan, in layman's terms, what is the problem here? How come rpcbind can't change from root to another uid/gid??

Because the policy did not have this rule. Basically, when we write policy for a confined application we need to write allow rules for all capabilities required for the app. Everything is denied by default; if you add a new capability to an app, then the SELinux policy needs to be updated. If this capability (setgid) exists in previous versions of rpcbind, then we have a bug in policy.

Fixed in selinux-policy-3.3.1-115.fc9.noarch

selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-115.fc9

It appears the problem still exists.... Unless I'm doing something wrong...

```
# rpm -Uhv selinux-policy-3.3.1-115.fc9.noarch.rpm selinux-policy-devel-3.3.1-115.fc9.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-devel   ########################################### [100%]
#
# rpm -Uhv rpcbind-0.1.7-1.fc9.i386.rpm
Preparing...                ########################################### [100%]
   1:rpcbind                ########################################### [100%]
#
# tail /var/log/messages
Dec  9 10:43:32 xenhat rpcbind: rpcbind terminating on signal. Restart with "rpcbind -w"
Dec  9 10:43:33 xenhat setroubleshoot: SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t. For complete SELinux messages. run sealert -l 7bfbb53d-a1ca-446b-917c-aed9f4c80898
# sealert -l 7bfbb53d-a1ca-446b-917c-aed9f4c80898

Summary:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t
Target Context                unconfined_u:system_r:rpcbind_t
Target Objects                None [ capability ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          xenhat
Source RPM Packages           rpcbind-0.1.4-17.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-115.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     xenhat
Platform                      Linux xenhat 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov
                              13 20:52:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue Dec  9 10:43:32 2008
Last Seen                     Tue Dec  9 10:43:32 2008
Local ID                      7bfbb53d-a1ca-446b-917c-aed9f4c80898
Line Numbers

Raw Audit Messages

node=xenhat type=AVC msg=audit(1228837412.711:43): avc:  denied  { setgid } for  pid=11381 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=xenhat type=SYSCALL msg=audit(1228837412.711:43): arch=40000003 syscall=214 success=yes exit=0 a0=20 a1=2db9bc a2=2105b0 a3=bfbabf40 items=0 ppid=1 pid=11381 auid=3606 uid=0 gid=32 euid=0 suid=0 fsuid=0 egid=32 sgid=32 fsgid=32 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
```

Created attachment 326340 [details]
Audit log corresponding to Comment #8

Execute:

```
rpm -Uhv selinux-policy-targeted-3.3.1-115.fc9.noarch.rpm
```

Then it should be OK.

I did... It was the first thing I did... See top of Comment #8:

```
# rpm -Uhv selinux-policy-3.3.1-115.fc9.noarch.rpm selinux-policy-devel-3.3.1-115.fc9.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-devel   ########################################### [100%]
#
```

Also note that after I rebooted I got the following syslog:

```
Dec  9 10:54:47 xenhat kernel: type=1400 audit(1228838087.682:3): avc:  denied  { setgid } for  pid=2358 comm="rpcbind" capability=6 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=capability
```

No, you didn't. You updated selinux-policy and selinux-policy-devel. NOT selinux-policy-targeted.

selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with `su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'`. You can provide feedback for this update here:
http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122

I can verify. I grabbed the whole set and updated old-style (rpm -Fvh):

```
selinux-policy-3.3.1-115.fc9.noarch.rpm
selinux-policy-devel-3.3.1-115.fc9.noarch.rpm
selinux-policy-doc-3.3.1-115.fc9.noarch.rpm
selinux-policy-mls-3.3.1-115.fc9.noarch.rpm
selinux-policy-targeted-3.3.1-115.fc9.noarch.rpm
```

rpcbind no longer has a setgid problem.

Confirmed, problem solved.

I also tried selinux-policy-targeted-3.3.1-115 and I confirm that the problem is solved. I suggest releasing this version to updates-newkey (after it has passed Fedora's other quality tests...) so that all users get the fix. On our Fedora 9 computers no NFS mount and no NFS export has been possible for about the past 2-3 days, and therefore no login with NFS home dirs...

selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-116.fc9

*** Bug 476614 has been marked as a duplicate of this bug. ***

selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository.
If problems still persist, please make note of it in this bug report.
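Two things went wrong in this thread before the distribution policy was fixed: the AVC denial needed an allow rule, and the locally built module was named `rpcbind`, so linking it replaced the base module and removed the very `rpcbind_t` definition it required. The following Python is an added example, not code from the bug report, from audit2allow or from Fedora. It parses raw AVC records in the format quoted above (the sample input is constructed from the two denials in the report plus a SYSCALL record that must be skipped), merges them into allow rules in the form audit2allow prints, renders a complete `.te` file, and picks a module name that does not shadow an installed one. The installed-module set is an assumed input; on a real host it would come from `semodule -l`. As the sealert text in the thread says, a denial can also be a sign of unexpected behaviour, so a local allow rule belongs only where the program's need for the access has been confirmed, as it was here before the policy package was corrected.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two AVC records quoted in the bug report
# (one from setroubleshoot's raw audit messages, one from the kernel log
# after reboot) plus a SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
node=xenhat type=AVC msg=audit(1228837412.711:43): avc:  denied  { setgid } for  pid=11381 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability
node=xenhat type=SYSCALL msg=audit(1228837412.711:43): arch=40000003 syscall=214 success=yes exit=0 ppid=1 pid=11381 uid=0 gid=32 comm="rpcbind" exe="/sbin/rpcbind"
type=1400 audit(1228838087.682:3): avc:  denied  { setgid } for  pid=2358 comm="rpcbind" capability=6 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=capability
"""

# Shape of a record: avc:  denied  { perm perm } for  key=value key="quoted" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset


def _type_of(context: str) -> str:
    """Extract the type from an SELinux context of the form user:role:type[:level]."""
    return context.split(":")[2]


def parse_denials(audit_text: str) -> list:
    """Return one Denial per AVC 'denied' record; other record types are skipped."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(
            source_type=_type_of(fields["scontext"]),
            target_type=_type_of(fields["tcontext"]),
            tclass=fields["tclass"],
            perms=frozenset(m.group("perms").split()),
        ))
    return denials


def _perm_text(perms) -> str:
    """Single permission bare, several in braces, as in .te syntax."""
    joined = " ".join(sorted(perms))
    return joined if len(perms) == 1 else "{ " + joined + " }"


def allow_rules(denials) -> list:
    """Merge denials per (source, target, class) into allow rules; a target equal
    to the source is written as 'self', which is how audit2allow prints it."""
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return [
        f"allow {src} {'self' if src == tgt else tgt}:{cls} {_perm_text(perms)};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def local_module_name(wanted: str, installed_modules) -> str:
    """Pick a module name that does not shadow an installed module. Loading a
    local module named 'rpcbind' replaces the distribution's rpcbind module and
    with it the rpcbind_t definition, which is the 'global requirements were not
    met' link failure in the report. installed_modules is an assumed input; on a
    real host it would be read from 'semodule -l'."""
    name = wanted
    while name in installed_modules:
        name = "my" + name
    return name


def render_te(module_name: str, denials, version: str = "1.0") -> str:
    """Render a complete .te source: module line, require block, allow rules."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    class_perms = {}
    for d in denials:
        class_perms[d.tclass] = class_perms.get(d.tclass, frozenset()) | d.perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_text(perms)};" for cls, perms in sorted(class_perms.items())]
    lines += ["}", ""]
    rules = allow_rules(denials)
    for src in sorted({d.source_type for d in denials}):
        lines.append(f"#============= {src} ==============")
        lines += [r for r in rules if r.startswith(f"allow {src} ")]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    # Constructed installed-module set: the base policy already ships 'rpcbind'.
    name = local_module_name("rpcbind", {"rpcbind", "nfs", "rpc"})
    print(render_te(name, found))
```

Run stand-alone it prints a `myrpcbind` module containing the single rule `allow rpcbind_t self:capability setgid;`, matching what audit2allow produced in the report apart from the module name. Both denials in the sample are from `rpcbind_t` on itself for the same class, so they collapse into one rule; denials for several permissions on one class are merged into a braced list.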