Bug 738628

Summary: avc denial 'sys_rawio' for rpc.mountd
Product: Red Hat Enterprise Linux 6 Reporter: Karel Volný <kvolny>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: azelinka, dwalsh, eparis, mmalik, pbunyan, spoore, steved
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-139.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:24:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Karel Volný 2011-09-15 12:22:28 UTC 
Description of problem:
Running the test /CoreOS/quota/Regression/bz515697-too-many-mountpoints we are sometimes getting avc denials for rpc.mountd - not sure if this is problem of selinux policy or nfs-utils itself.

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-8.el6.i686
selinux-policy-3.7.19-110.el6.noarch

How reproducible:
sometimes

Steps to Reproduce:
1. schedule the test /CoreOS/quota/Regression/bz515697-too-many-mountpoints in Beaker
  
Actual results:
time->Tue Sep 13 08:37:47 2011
type=SYSCALL msg=audit(1315917467.083:297024): arch=c000003e syscall=16 success=no exit=-25 a0=16 a1=5331 a2=0 a3=7fff1000ce40 items=0 ppid=1 pid=5517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1315917467.083:297024): avc:  denied  { sys_rawio } for  pid=5517 comm="rpc.mountd" capability=17  scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:system_r:nfsd_t:s0 tclass=capability
Fail: AVC messages found.


Expected results:
no denials

Additional info:
see
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1310/131079/271491/2972907/15668739//test_log-Setup-avc.log
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1310/131079/271491/2972907/15668739//test_log-Setup-avc.log
Comment 1 Karel Volný 2011-09-15 12:25:17 UTC 
um, the second link to logs should have been:

http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1307/130760/270731/2966102/15611310//test_log-Setup-avc.log
Comment 3 Steve Dickson 2011-09-27 17:54:53 UTC 
This appears to be an selinux policy problem... Reassigning
Comment 4 Daniel Walsh 2011-09-27 18:39:10 UTC 
Steve are you saying that nfsd needs sys_rawio?

/* Allow ioperm/iopl access */
/* Allow sending USB messages to any device via /proc/bus/usb */

#define CAP_SYS_RAWIO        17
Comment 5 Eric Paris 2011-09-28 14:32:50 UTC 
I'm having a hard time tracking down what ioctl 0x5331 is, which apparently the rpc code called to trigger this.
Comment 6 RHEL Program Management 2011-10-07 16:05:39 UTC 
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 8 Steve Dickson 2011-12-14 12:57:27 UTC 
(In reply to comment #4)
> Steve are you saying that nfsd needs sys_rawio?
> 
> /* Allow ioperm/iopl access */
> /* Allow sending USB messages to any device via /proc/bus/usb */
> 
> #define CAP_SYS_RAWIO        17
Its not clear what is going going... 

mountd does access things under /proc/net/rpc and /proc/fs/ and /var/lib/nfs/
for upcalls from the kernel, but other than that I can not see why
sys_rawio would be needed...
Comment 9 Daniel Walsh 2011-12-14 15:13:24 UTC 
I guess we can add a dontaudit rule.
Comment 14 Miroslav Grepl 2012-02-28 15:57:33 UTC 
fs_getattr_all_fs(rpcd_t) is needed.

Milos,
were you testing it with disabled unconfined module?
Comment 15 Milos Malik 2012-02-28 16:06:29 UTC 
No, unconfined module was enabled at that time.
Comment 16 Scott Poore 2012-02-29 16:39:44 UTC 
I am seeing similar getattr and read AVCs for rpc.mountd.   I also see a mountd one with tclass=dir.
Comment 17 Daniel Walsh 2012-02-29 19:01:39 UTC 
Scott attach your AVC's so we can make sure you are seeing the same problem.
Comment 18 Scott Poore 2012-02-29 19:21:27 UTC 
Here you go:

----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.811:216018): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4243 a2=7fffd750ba50 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.811:216018): avc:  denied  { getattr } for  pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.812:216019): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8ac000 a1=90800 a2=7fffd750bb30 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.812:216019): avc:  denied  { read } for  pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.874:216020): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4ae3 a2=7fffd750a380 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216020): avc:  denied  { getattr } for  pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.874:216021): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8a4030 a1=90800 a2=7fffd750a460 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216021): avc:  denied  { read } for  pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Let me know if you need anything else.
Comment 19 Daniel Walsh 2012-02-29 19:50:53 UTC 
Well those are allowed in Fedora.
Comment 20 Scott Poore 2012-03-01 01:10:18 UTC 
This was from a 6.3 test build.  Should they be allowed there or is there some other configuration I could use to avoid this?  Or is there a fix already that should make it into the 6.3 release?

Thanks
Comment 21 Miroslav Grepl 2012-03-01 07:22:31 UTC 
*** Bug 798764 has been marked as a duplicate of this bug. ***
Comment 22 Miroslav Grepl 2012-03-01 07:54:09 UTC 
This relates with removing 

nfs_exports_all_*

booleans. These booleans have been removed because of #760405 bug.



nfs_export_all_ro 

...
...

auth_read_all_dirs_except_shadow(nfsd_t)
auth_read_all_files_except_shadow(nfsd_t)

Looks like we will need to add


files_list_all_mountpoints(nfsd_t)
Comment 27 errata-xmlrpc 2012-06-20 12:24:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html