Bug 476614

Summary: SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t
Product: [Fedora] Fedora
Reporter: Petr Šplíchal <psplicha>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 9
CC: dedourek, dwalsh, jkubin, mgrepl, ohudlick
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-12-16 09:19:33 UTC

Description Petr Šplíchal 2008-12-16 08:14:48 UTC
Description of problem:

After the last package update I could not mount any NFS share. Logs
say that the local rpcbind server cannot be contacted and there are
AVC denials appearing around.

Version-Release number of selected component (if applicable):
rpcbind-0.1.7-1.fc9.i386
selinux-policy-3.3.1-111.fc9.noarch

How reproducible:
Always

Steps to Reproduce:
1. setenforce 1
2. service rpcbind start

Actual results:
Snip from /var/log/messages:
setroubleshoot: SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t
kernel: RPC: failed to contact local rpcbind server (errno 512).
kernel: RPC: failed to contact local rpcbind server (errno 5).
kernel: lockd_up: makesock failed, error=-5
kernel: rpcbind: server localhost not responding, timed out

Expected results:
mounting nfs share works

Additional info:
sealert -l b66d5af6-edb2-496e-bcf4-cb58be75a8a3

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Detailed Description:

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        unconfined_u:system_r:rpcbind_t:s0
Target Context        unconfined_u:system_r:rpcbind_t:s0
Target Objects        None [ capability ]
Source                rpcbind
Source Path           /sbin/rpcbind
Port                  <Unknown>
Host                  psss.englab.brq.redhat.com.
Source RPM Packages   rpcbind-0.1.7-1.fc9
Target RPM Packages   
Policy RPM            selinux-policy-3.3.1-111.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             psss.englab.brq.redhat.com.
Platform              Linux psss.englab.brq.redhat.com.
                      2.6.27.7-53.fc9.i686 #1 SMP Thu Nov 27 02:29:03
                      EST 2008 i686 i686
Alert Count           4
First Seen            Tue Dec 16 08:18:37 2008
Last Seen             Tue Dec 16 09:04:17 2008
Local ID              b66d5af6-edb2-496e-bcf4-cb58be75a8a3
Line Numbers          

Raw Audit Messages            

node=psss.englab.brq.redhat.com. type=AVC
msg=audit(1229414657.353:39): avc:  denied  { setgid } for
pid=4279 comm="rpcbind" capability=6
scontext=unconfined_u:system_r:rpcbind_t:s0
tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=psss.englab.brq.redhat.com. type=SYSCALL
msg=audit(1229414657.353:39): arch=40000003 syscall=214 success=no
exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bfde6ce0 items=0 ppid=4278
pid=4279 auid=777 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind"
subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
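
An added example (not part of the bug report or of any Fedora tooling): Python that reads the AVC record quoted above and derives the type-enforcement rule a local policy module would carry for it, which is the mapping audit2allow performs. `parse_avc` and `allow_rule` are names chosen for this example, and the sample record is the report's AVC message rejoined onto one line.

```python
import re

# AVC record from this report, rejoined onto one line (sealert wraps it for display).
SAMPLE_AVC = (
    'node=psss.englab.brq.redhat.com. type=AVC msg=audit(1229414657.353:39): '
    'avc:  denied  { setgid } for pid=4279 comm="rpcbind" capability=6 '
    'scontext=unconfined_u:system_r:rpcbind_t:s0 '
    'tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group('perms').split()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    # An SELinux context is user:role:type[:mls-range]; the type is the third part.
    try:
        source_type = fields['scontext'].split(':')[2]
        target_type = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    if not perms:
        return None
    return {'perms': perms, 'source_type': source_type, 'target_type': target_type,
            'tclass': tclass, 'comm': fields.get('comm', '').strip('"')}


def allow_rule(denial):
    """Render the type-enforcement rule that would permit the denied access."""
    same = denial['source_type'] == denial['target_type']
    target = 'self' if same else denial['target_type']  # a domain acting on itself
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        denial['source_type'], target, denial['tclass'], perm_str)


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```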

Comment 1 Petr Šplíchal 2008-12-16 09:19:33 UTC
Oh, only now I discovered an already closed bug for this issue --- bug #472917.
But why have we pushed rpcbind out before this was fixed? And we knew about the problem...

from: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10000

orion - 2008-12-10 16:12:46

This should not be pushed to stable until selinux-policy-targeted-3.3.1-115.fc9 has been pushed to stable.

bodhi - 2008-12-11 07:58:07

This update has been pushed to stable

*** This bug has been marked as a duplicate of bug 472917 ***