Bug 867415

Summary: SELinux is not letting rpcbind access /etc/passwd
Product: [Fedora] Fedora Reporter: Steve Dickson <steved>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, lemenkov, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 15:56:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit log none

Description Steve Dickson 2012-10-17 13:19:41 UTC
Description of problem:
SELlinux is not letting rpcbind access /etc/passwd. 

Oct 17 09:11:32 f18 rpcbind: cannot get uid of 'rpc': Permission denied
Oct 17 09:11:32 f18 systemd[1]: rpcbind.service: main process exited, code=exited, status=1
Oct 17 09:11:32 f18 systemd[1]: Unit rpcbind.service entered failed state.
Oct 17 09:11:32 f18 setroubleshoot: SELinux is preventing rpcbind from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l e6d2d369-5ac1-46e8-89f9-ab483923d21e


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-18.fc18.noarch
selinux-policy-3.11.1-18.fc18.noarch
rpcbind-0.2.0-18.fc18

How reproducible:
100%

Steps to Reproduce:
1. service rpcbind start
2.
3.

Comment 1 Steve Dickson 2012-10-17 13:20:09 UTC
sealert -l e6d2d369-5ac1-46e8-89f9-ab483923d21e
SELinux is preventing rpcbind from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rpcbind should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rpcbind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        rpcbind
Source Path                   rpcbind
Port                          <Unknown>
Host                          f18.boston.devel.redhat.com
Source RPM Packages           rpcbind-0.2.0-18.fc18.x86_64
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-18.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f18.boston.devel.redhat.com
Platform                      Linux f18.boston.devel.redhat.com
                              3.6.0-0.rc2.git2.1.fc18.x86_64 #1 SMP Wed Aug 22
                              11:54:04 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-10-17 09:10:47 EDT
Last Seen                     2012-10-17 09:11:31 EDT
Local ID                      e6d2d369-5ac1-46e8-89f9-ab483923d21e

Raw Audit Messages
type=AVC msg=audit(1350479491.941:46): avc:  denied  { read } for  pid=878 comm="rpcbind" name="passwd" dev="dm-1" ino=133305 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1350479491.941:46): arch=x86_64 syscall=open success=no exit=EACCES a0=7effb960d6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpcbind exe=/usr/sbin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null)

Hash: rpcbind,rpcbind_t,passwd_file_t,file,read

audit2allow

#============= rpcbind_t ==============
allow rpcbind_t passwd_file_t:file read;

audit2allow -R

#============= rpcbind_t ==============
allow rpcbind_t passwd_file_t:file read;

Comment 2 Steve Dickson 2012-10-17 13:22:00 UTC
Created attachment 628802 [details]
audit log

Comment 3 Steve Dickson 2012-10-17 13:39:11 UTC
Selinux is also not allowing rpcbind access to its registration files

Oct 17 09:25:48 f18 rpcbind: cannot save any registration
Oct 17 09:33:59 f18 rpcbind: Cannot open '/var/lib/rpcbind/rpcbind.xdr' file for reading, errno 13 (Permission denied)
Oct 17 09:34:00 f18 rpcbind: Cannot open '/var/lib/rpcbind/portmap.xdr' file for reading, errno 13 (Permission denied)

Comment 4 Miroslav Grepl 2012-10-17 13:57:17 UTC
Fixed in selinux-policy-3.11.1-40.fc18.noarch

Comment 5 Fedora Update System 2012-10-23 20:35:43 UTC
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 6 Fedora Update System 2012-10-26 15:38:39 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 7 Fedora Update System 2012-10-26 19:28:16 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-12-20 15:56:22 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.