Bug 513481

Summary: SELinux is preventing rpc.statd (rpcd_t) "write" sshd_t.
Product: Fedora
Reporter: Egon Kastelijn <redhat2>
Component: nfs-utils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: steved
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-18 08:10:03 EST

Description Egon Kastelijn 2009-07-23 15:51:07 EDT
Description of problem:
SELinux is preventing rpc.statd (rpcd_t) "write" sshd_t.

Version-Release number of selected component (if applicable):
nfs-utils-1.2.0-3.fc11

How reproducible:
Unknown. The message was found in /var/log/messages

Steps to Reproduce:
1. unknown
2.
3.
  
Actual results:
A message in /var/log/messages

Expected results:
No message in /var/log/messages

Additional info:

# sealert -l f5ceb592-9cbd-48f7-b87a-94671c0688e7

Summary:

SELinux is preventing rpc.statd (rpcd_t) "write" sshd_t.

Detailed Description:

SELinux denied access requested by rpc.statd. It is not expected that this
access is required by rpc.statd and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the           
application is causing it to require additional access.                         

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)   
against this package.                                                          

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]                     
Source                        rpc.idmapd                             
Source Path                   /usr/sbin/rpc.idmapd                   
Port                          <Unknown>                              
Host                          srv0002                                
Source RPM Packages           nfs-utils-1.2.0-3.fc11                 
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     srv0002
Platform                      Linux srv0002 2.6.29.5-191.fc11.x86_64 #1 SMP Tue
                              Jun 16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Jul 23 19:39:37 2009
Last Seen                     Thu Jul 23 19:39:38 2009
Local ID                      f5ceb592-9cbd-48f7-b87a-94671c0688e7
Line Numbers

Raw Audit Messages

node=srv0002 type=AVC msg=audit(1248370778.713:3107): avc:  denied  { write } for  pid=30210 comm="rpc.statd" path="pipe:[166975]" dev=pipefs ino=166975 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file

node=srv0002 type=SYSCALL msg=audit(1248370778.713:3107): arch=c000003e syscall=59 success=yes exit=0 a0=239d020 a1=239d4d0 a2=239d8b0 a3=10 items=0 ppid=30209 pid=30210 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=328 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)

#
Comment 1 Steve Dickson 2009-07-30 08:47:09 EDT
Dan, any ideas?
Comment 2 Daniel Walsh 2009-07-30 09:24:33 EDT
Did you ssh into the box and execute a command like

ssh remotehost service nfslock restart

?

Funny thing is this looks like it should be allowed.  Running the AVC through audit2allow says that it is allowed.

What does

# grep rpc.statd /var/log/audit/audit.log | audit2why

say?

Anyways you can safely ignore this.
Comment 3 Egon Kastelijn 2009-07-30 14:23:14 EDT
# grep rpc.statd /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1248370778.713:3107): avc:  denied  { write } for  pid=30210 comm="rpc.statd" path="pipe:[166975]" dev=pipefs ino=166975 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file

        Was caused by:
                Policy constraint violation.

                May require adding a type attribute to the domain or type to satisfy the constraint.

                Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

#
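Added example, not part of the original bug thread: a small triage script that splits the AVC record above into its fields and compares the MLS/MCS levels of the source and target contexts, which is the part of the record a "Policy constraint violation" result points at. It assumes the usual dominance rule (equal or higher sensitivity and a superset of categories); the actual constraint expression for `fifo_file` write in this policy version is not shown on the page, so the result is a hint, not a verdict.

```python
import re

# AVC record copied from the audit2why output in the report.
AVC = ('type=AVC msg=audit(1248370778.713:3107): avc:  denied  { write } for  '
       'pid=30210 comm="rpc.statd" path="pipe:[166975]" dev=pipefs ino=166975 '
       'scontext=unconfined_u:system_r:rpcd_t:s0 '
       'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file')

def parse_avc(line):
    """Return (permissions, key=value fields) from one AVC line."""
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return perms, fields

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7})."""
    sens, _, cats = level.partition(':')
    out = set()
    for item in filter(None, cats.split(',')):
        lo, _, hi = item.partition('.')        # 'c0.c1023' is a category range
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        out.update(range(first, last + 1))
    return int(sens[1:]), out

def high_level(mls_range):
    """Upper level of 'low-high'; a single level is its own upper bound."""
    return parse_level(mls_range.split('-')[-1])

def dominates(a, b):
    """Assumed rule: sensitivity >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def triage(line):
    perms, f = parse_avc(line)
    # user:role:type:range -- the range itself may contain ':'
    src, tgt = f['scontext'].split(':', 3), f['tcontext'].split(':', 3)
    src_high, tgt_high = high_level(src[3]), high_level(tgt[3])
    return {
        'perms': perms, 'tclass': f['tclass'],
        'source_type': src[2], 'target_type': tgt[2],
        'source_dominates_target': dominates(src_high, tgt_high),
        'missing_categories': len(tgt_high[1] - src_high[1]),
    }

if __name__ == '__main__':
    print(triage(AVC))
```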
Comment 4 Egon Kastelijn 2009-07-30 15:27:44 EDT
I do login to the machine using ssh on a regular basis.
The funny thing is that I don't use NFS in my infrastructure.
So I don't know what triggered the message in /var/log/messages.
I am sorry that I don't know any more details about the cause of the message.
Comment 5 Daniel Walsh 2009-07-30 17:16:53 EDT
I actually think this is fixed in the next update of selinux-policy.

selinux-policy-3.6.12-69.fc11

Now in updates-testing.

You can install it by executing

yum upgrade selinux-policy-targeted --enablerepo=updates-testing