Bug 997142

Summary:	SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities.
Product:	[Fedora] Fedora	Reporter:	Rex Dieter <rdieter>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	19	CC:	bzf, dominick.grift, dwalsh, hhorak, lvrabec, mclasen, mgrepl
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:044e17cfebdc673641b55a814d326b76145806821b65f63da960f4def8164fd3
Fixed In Version:	selinux-policy-3.12.1-74.3.fc19	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-09-14 02:30:31 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Rex Dieter 2013-08-14 18:45:01 UTC

Description of problem:
logged in to kde-4.11.0 session is all
SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that accounts-daemon should have the net_bind_service capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                 [ capability ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.5-201.fc19.x86_64 #1 SMP Wed
                              Aug 7 16:25:24 UTC 2013 x86_64 x86_64
Alert Count                   34
First Seen                    2013-08-09 08:06:11 CDT
Last Seen                     2013-08-14 13:42:00 CDT
Local ID                      548f9011-9d05-435a-bd8a-a25b46465521

Raw Audit Messages
type=AVC msg=audit(1376505720.840:1323): avc:  denied  { net_bind_service } for  pid=417 comm="accounts-daemon" capability=10  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability


type=SYSCALL msg=audit(1376505720.840:1323): arch=x86_64 syscall=bind success=yes exit=0 a0=b a1=7fff488866c0 a2=10 a3=0 items=0 ppid=1 pid=417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,net_bind_service

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport

Comment 1 Rex Dieter 2013-08-15 14:02:04 UTC

Description of problem:
Just logged in to kde session on f19 x86_64 box (with nfs $HOME, if that matters).

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport

Comment 2 Daniel Walsh 2013-08-15 18:21:46 UTC

Any idea why accountsd would be binding to a port < 1024

Comment 3 Rex Dieter 2013-08-15 18:30:14 UTC

honestly no, accountsservice is still largely a black box (with a neato dbus interface) to me.  I'll try to ask around and find out though.

Comment 4 Rex Dieter 2013-08-15 18:42:15 UTC

For what it's worth, it must be temporary (on startup?)... just checked with lsof, and it's currently not listening.

Comment 5 Marco Nolden 2013-09-05 11:44:07 UTC

Description of problem:
See bug 989516

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport

Comment 6 Daniel Walsh 2013-09-05 13:26:43 UTC

Are you running with NIS?

Comment 7 Rex Dieter 2013-09-05 14:21:31 UTC

Yes, I am running with NIS.

Comment 8 Marco Nolden 2013-09-05 15:12:21 UTC

(In reply to Daniel Walsh from comment #6)
> Are you running with NIS?

Yes, I'm also running NIS.

Comment 9 Daniel Walsh 2013-09-05 15:48:22 UTC

It looks like nis or glibc must have changed to allow priv apps to bind to ports < 1024 fairly recently.  I added a dontaudit for this in git.

a13733d1b028ec3ca4db41d3468b486113c7da5b, nis should continue to attempt to bind to random ports until it gets one > 1024.

Comment 10 Daniel Walsh 2013-09-05 15:49:46 UTC

*** Bug 1004737 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2013-09-05 15:50:25 UTC

Reassigning to ypbind package to see if they know anything.

Comment 12 Daniel Walsh 2013-09-05 15:51:22 UTC

Rex do you know about anything that might have changed to cause this?

Comment 13 Honza Horak 2013-09-09 11:34:24 UTC

(In reply to Daniel Walsh from comment #11)
> Reassigning to ypbind package to see if they know anything.

Well, we did nothing serious in NIS packages (ypserv, ypbind, yp-tools) that could influence SELinux access for couple of months. I also don't understand how did you come to ypbind to cause this problem, since I don't probably understand enough what's happening in accounts-daemon that could be related to NIS. Could anybody explain to me the connection of accounts-daemon and ypbind, please?

What I noticed only are some NIS-related changes in selinux-policy, so maybe that could help:

* Fri Sep 06 2013 Lukas Vrabec <lvrabec> 3.12.1-74.2
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
* Thu Aug 08 2013 Miroslav Grepl <mgrepl> 3.12.1-70
- Make NFS home, NIS authentication and dbus-daemon working
* Tue Mar 26 2013 Miroslav Grepl <mgrepl> 3.12.1-24
- Allow yppasswdd to use NIS
* Wed Jan 23 2013 Miroslav Grepl <mgrepl> 3.12.1-6
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
* Wed Jan 16 2013 Miroslav Grepl <mgrepl> 3.12.1-5
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on

Comment 14 Daniel Walsh 2013-09-09 12:16:31 UTC

Ok I think we will just don't audit for now and see if there are other problems.

Fixed in 3.12.1-74.2

Comment 15 Honza Horak 2013-09-09 15:15:45 UTC

OK. Changing the component as well so it corresponds with the actual fix made.

Comment 16 Miroslav Grepl 2013-09-09 16:06:03 UTC

*** Bug 989516 has been marked as a duplicate of this bug. ***

Comment 17 Fedora Update System 2013-09-12 09:09:22 UTC

selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19

Comment 18 Fedora Update System 2013-09-13 00:58:33 UTC

Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2013-09-14 02:30:31 UTC

selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.