Bug 1002150 - SELinux is preventing /usr/sbin/rpcbind from 'search' accesses on the directory /var/lib/sss.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1cc5fd43b741a64f086556b6e1c...
Depends On:
Blocks:
Reported: 2013-08-28 14:12 UTC by Yann Droneaud
Modified: 2013-09-08 00:36 UTC (History)

Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-08 00:36:24 UTC
Type: ---
Embargoed:



Description Yann Droneaud 2013-08-28 14:12:18 UTC
Description of problem:
SELinux is preventing /usr/sbin/rpcbind from 'search' accesses on the directory /var/lib/sss.

*****  Plugin catchall (100. confidence) suggests  ***************************

If vous pensez que rpcbind devrait être autorisé à accéder search sur sss directory par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep rpcbind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss [ dir ]
Source                        rpcbind
Source Path                   /usr/sbin/rpcbind
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           rpcbind-0.2.1-0.fc19.x86_64
Target RPM Packages           sssd-common-1.11.0-0.1.beta2.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-71.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   16
First Seen                    2013-08-23 11:11:57 CEST
Last Seen                     2013-08-28 16:05:36 CEST
Local ID                      7516b866-270b-4407-ba3a-0f1a0638d0e5

Raw Audit Messages
type=AVC msg=audit(1377698736.770:99): avc:  denied  { search } for  pid=767 comm="rpcbind" name="sss" dev="dm-2" ino=23782 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1377698736.770:99): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7fff93d55fb0 a2=6e a3=ffff8000 items=0 ppid=1 pid=767 auid=4294967295 uid=32 gid=32 euid=32 suid=32 fsuid=32 egid=32 sgid=32 fsgid=32 ses=4294967295 tty=(none) comm=rpcbind exe=/usr/sbin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null)

Hash: rpcbind,rpcbind_t,sssd_var_lib_t,dir,search

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Potential duplicate: bug 1000710
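
The raw audit messages in the description above can be triaged by joining the AVC and SYSCALL records on their shared event ID. The following is an added example, not part of the original report or of setroubleshoot/audit2allow; the function names are hypothetical and the SYSCALL record is shortened to the fields used. It derives the type-enforcement rule the denial corresponds to and shows which syscall hit it.

```python
import re

# Records quoted in the bug description (SYSCALL shortened for the example).
RECORDS = [
    'type=AVC msg=audit(1377698736.770:99): avc:  denied  { search } for  pid=767 '
    'comm="rpcbind" name="sss" dev="dm-2" ino=23782 '
    'scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1377698736.770:99): arch=x86_64 syscall=connect '
    'success=no exit=EACCES pid=767 uid=32 comm=rpcbind exe=/usr/sbin/rpcbind',
]

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return (event_id, record_type, fields) for one audit record."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an audit record: %r' % line[:40])
    rtype, stamp, serial = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    p = PERMS.search(line)
    if p:
        fields['perms'] = p.group(1).split()
    return (stamp, serial), rtype, fields


def triage(lines):
    """Join records of the same event; the SELinux type is field 3 of a context."""
    events = {}
    for line in lines:
        eid, rtype, fields = parse(line)
        events.setdefault(eid, {})[rtype] = fields
    out = []
    for eid, recs in sorted(events.items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc:
            continue  # event without a denial, nothing to report
        src = avc['scontext'].split(':')[2]
        tgt = avc['tcontext'].split(':')[2]
        rule = 'allow %s %s:%s { %s };' % (src, tgt, avc['tclass'], ' '.join(avc['perms']))
        out.append({'event': eid, 'rule': rule, 'syscall': sc.get('syscall'),
                    'exe': sc.get('exe'), 'exit': sc.get('exit')})
    return out
```

Reviewing the derived rule and the triggering syscall before loading a local module helps decide whether the access belongs in policy at all or should be reported, as was done here.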

Comment 1 Daniel Walsh 2013-08-28 19:51:48 UTC
3c041704b745db9a195fa07fa5a2a558f33492c1 fixes this in git.

Comment 2 Heiko Adams 2013-08-29 06:58:28 UTC
Description of problem:
Just applied the latest update of rpcbind

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Comment 3 Michal Nowak 2013-08-29 07:32:07 UTC
Description of problem:
Updated rpcbind package:

  Updating   : rpcbind-0.2.1-0.fc19.x86_64
  Cleanup    : rpcbind-0.2.0-21.fc19.x86_64
  Verifying  : rpcbind-0.2.1-0.fc19.x86_64
  Verifying  : rpcbind-0.2.0-21.fc19.x86_64

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Comment 4 Eric Blake 2013-08-29 22:12:36 UTC
Description of problem:
Happened while doing a 'yum update' of the following packages (probably the rpcbind package is the culprit):
Updated:
  fedpkg.noarch 0:1.14-1.fc19                                                   
  libcacard.x86_64 2:1.6.0-5.fc19                                               
  libvirt.x86_64 0:1.1.1-3.fc19                                                 
  libvirt-client.x86_64 0:1.1.1-3.fc19                                          
  libvirt-daemon.x86_64 0:1.1.1-3.fc19                                          
  libvirt-daemon-config-network.x86_64 0:1.1.1-3.fc19                           
  libvirt-daemon-config-nwfilter.x86_64 0:1.1.1-3.fc19                          
  libvirt-daemon-driver-interface.x86_64 0:1.1.1-3.fc19                         
  libvirt-daemon-driver-libxl.x86_64 0:1.1.1-3.fc19                             
  libvirt-daemon-driver-lxc.x86_64 0:1.1.1-3.fc19                               
  libvirt-daemon-driver-network.x86_64 0:1.1.1-3.fc19                           
  libvirt-daemon-driver-nodedev.x86_64 0:1.1.1-3.fc19                           
  libvirt-daemon-driver-nwfilter.x86_64 0:1.1.1-3.fc19                          
  libvirt-daemon-driver-qemu.x86_64 0:1.1.1-3.fc19                              
  libvirt-daemon-driver-secret.x86_64 0:1.1.1-3.fc19                            
  libvirt-daemon-driver-storage.x86_64 0:1.1.1-3.fc19                           
  libvirt-daemon-driver-uml.x86_64 0:1.1.1-3.fc19                               
  libvirt-daemon-driver-vbox.x86_64 0:1.1.1-3.fc19                              
  libvirt-daemon-driver-xen.x86_64 0:1.1.1-3.fc19                               
  libvirt-daemon-kvm.x86_64 0:1.1.1-3.fc19                                      
  libvirt-daemon-qemu.x86_64 0:1.1.1-3.fc19                                     
  libvirt-debuginfo.x86_64 0:1.1.1-3.fc19                                       
  libvirt-devel.x86_64 0:1.1.1-3.fc19                                           
  libvirt-docs.x86_64 0:1.1.1-3.fc19                                            
  libvirt-lock-sanlock.x86_64 0:1.1.1-3.fc19                                    
  libvirt-python.x86_64 0:1.1.1-3.fc19                                          
  qemu-common.x86_64 2:1.6.0-5.fc19                                             
  qemu-img.x86_64 2:1.6.0-5.fc19                                                
  qemu-kvm.x86_64 2:1.6.0-5.fc19                                                
  qemu-system-x86.x86_64 2:1.6.0-5.fc19                                         
  rpcbind.x86_64 0:0.2.1-0.fc19                                                 
  virt-install.noarch 0:0.10.0-2.git948b5359.fc19                               
  virt-manager.noarch 0:0.10.0-2.git948b5359.fc19                               
  virt-manager-common.noarch 0:0.10.0-2.git948b5359.fc19                        

Dependency Updated:
  openbios.noarch 0:1.1.svn1198-2.fc19                                          
  qemu.x86_64 2:1.6.0-5.fc19                                                    
  qemu-system-alpha.x86_64 2:1.6.0-5.fc19                                       
  qemu-system-arm.x86_64 2:1.6.0-5.fc19                                         
  qemu-system-cris.x86_64 2:1.6.0-5.fc19                                        
  qemu-system-lm32.x86_64 2:1.6.0-5.fc19                                        
  qemu-system-m68k.x86_64 2:1.6.0-5.fc19                                        
  qemu-system-microblaze.x86_64 2:1.6.0-5.fc19                                  
  qemu-system-mips.x86_64 2:1.6.0-5.fc19                                        
  qemu-system-moxie.x86_64 2:1.6.0-5.fc19                                       
  qemu-system-or32.x86_64 2:1.6.0-5.fc19                                        
  qemu-system-ppc.x86_64 2:1.6.0-5.fc19                                         
  qemu-system-s390x.x86_64 2:1.6.0-5.fc19                                       
  qemu-system-sh4.x86_64 2:1.6.0-5.fc19                                         
  qemu-system-sparc.x86_64 2:1.6.0-5.fc19                                       
  qemu-system-unicore32.x86_64 2:1.6.0-5.fc19                                   
  qemu-system-xtensa.x86_64 2:1.6.0-5.fc19                                      
  qemu-user.x86_64 2:1.6.0-5.fc19                                               


Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.7-200.fc19.x86_64
type:           libreport

Comment 5 Luya Tshimbalanga 2013-08-30 05:59:12 UTC
Description of problem:
Updated to rpcbind-0.2.0-21

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Comment 6 Mark C. Edwards 2013-09-01 07:58:58 UTC
Description of problem:
yum update. SELinux appeared during update.

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Comment 7 Miroslav Grepl 2013-09-03 10:27:55 UTC
commit 5c27ee04a9f648e67231a624aa66b99972e21abe
Author: Dan Walsh <dwalsh>
Date:   Mon Aug 26 15:56:12 2013 -0400

    Allow rpcbind to use nsswitch

Has been added.

Lukas, 
we need to do a new F19 update today.

Comment 8 Fedora Update System 2013-09-03 19:57:01 UTC
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19

Comment 9 Fedora Update System 2013-09-05 01:38:28 UTC
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).

Comment 10 Mark C. Edwards 2013-09-05 09:07:14 UTC
(In reply to Fedora Update System from comment #9)
> Package selinux-policy-3.12.1-74.1.fc19:
> * should fix your issue,
> * was pushed to the Fedora 19 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
> then log in and leave karma (feedback).

Enabled the repo and applied the update. No problems indicated. No warnings
in the logs. I don't have a good password for the admin link.

Comment 11 Fedora Update System 2013-09-08 00:36:24 UTC
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

