Bug 1228494 - SELinux is preventing /usr/sbin/rpcbind from 'write' accesses on the directory /tmp.
Summary: SELinux is preventing /usr/sbin/rpcbind from 'write' accesses on the director...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2baf5a49d4c4c6dec08aba5a958...
: 1228637 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-05 05:07 UTC by vikram goyal
Modified: 2016-10-23 13:28 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-128.2.fc22
Clone Of:
Environment:
Last Closed: 2015-06-27 22:33:53 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description vikram goyal 2015-06-05 05:07:55 UTC 
Description of problem:

The system is an upgrade from FC21 to FC22.

drwxrwxrwt.  17 root root system_u:object_r:tmp_t:s0               540 Jun  5 10:34 tmp

[vikram@ganak ~]$ ls -lZ /tmp/
total 0
-rw-r--r--. 1 root   root   system_u:object_r:tmp_t:s0           0 Jun  5 10:24 anaconda.log
-rw-r--r--. 1 root   root   system_u:object_r:tmp_t:s0           0 Jun  5 10:24 ifcfg.log
drwx------. 2 vikram vikram unconfined_u:object_r:user_tmp_t:s0 40 Jan  1  1970 orbit-vikram
-rw-r--r--. 1 root   root   system_u:object_r:tmp_t:s0           0 Jun  5 10:24 packaging.log
-rw-r--r--. 1 root   root   system_u:object_r:tmp_t:s0           0 Jun  5 10:24 program.log
-rw-r--r--. 1 root   root   system_u:object_r:tmp_t:s0           0 Jun  5 10:24 sensitive-info.log
drwx------. 2 vikram vikram unconfined_u:object_r:user_tmp_t:s0 60 Jun  5 10:26 ssh-WZFGZgycjTDH
-rw-r--r--. 1 root   root   system_u:object_r:tmp_t:s0           0 Jun  5 10:24 storage.log
drwx------. 3 root   root   system_u:object_r:tmp_t:s0          60 Jun  5 10:26 systemd-private-b1795ba642c941cebb10f94adf3e991d-colord.service-Hw3yiV
drwx------. 3 root   root   system_u:object_r:tmp_t:s0          60 Jun  5 10:24 systemd-private-b1795ba642c941cebb10f94adf3e991d-dovecot.service-hDwDkP
drwx------. 3 root   root   system_u:object_r:tmp_t:s0          60 Jun  5 10:24 systemd-private-b1795ba642c941cebb10f94adf3e991d-httpd.service-4XLGqy
drwx------. 3 root   root   system_u:object_r:tmp_t:s0          60 Jun  5 10:27 systemd-private-b1795ba642c941cebb10f94adf3e991d-named.service-nQfgV9
drwx------. 3 root   root   system_u:object_r:tmp_t:s0          60 Jun  5 10:23 systemd-private-b1795ba642c941cebb10f94adf3e991d-rtkit-daemon.service-0xaX0P
drwx------. 2 vikram vikram unconfined_u:object_r:user_tmp_t:s0 40 Jun  5 10:34 tracker-extract-files.1000
srwxr-xr-x. 1 vikram vikram system_u:object_r:user_tmp_t:s0      0 Jun  5 10:26 vikram.socket


devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=3795364k,nr_inodes=948841,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
tmpfs on /tmp type tmpfs (rw,seclabel)

[root@ganak ~]# getenforce 
Permissive
SELinux is preventing /usr/sbin/rpcbind from 'write' accesses on the directory /tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpcbind should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rpcbind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        rpcbind
Source Path                   /usr/sbin/rpcbind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           rpcbind-0.2.3-0.0.fc22.x86_64
Target RPM Packages           filesystem-3.2-32.fc22.x86_64
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-303.fc22.x86_64 #1 SMP Thu
                              May 28 12:37:06 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-06-03 10:04:01 IST
Last Seen                     2015-06-05 09:58:59 IST
Local ID                      9927e94b-216e-4fa3-9bf5-74f8d40b1ff8

Raw Audit Messages
type=AVC msg=audit(1433478539.375:2866): avc:  denied  { write } for  pid=640 comm="rpcbind" name="/" dev="tmpfs" ino=12474 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1433478539.375:2866): avc:  denied  { add_name } for  pid=640 comm="rpcbind" name="rpcbind.xdr" scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1433478539.375:2866): avc:  denied  { create } for  pid=640 comm="rpcbind" name="rpcbind.xdr" scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1


type=AVC msg=audit(1433478539.375:2866): avc:  denied  { write open } for  pid=640 comm="rpcbind" path="/tmp/rpcbind.xdr" dev="tmpfs" ino=1172555 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1433478539.375:2866): arch=x86_64 syscall=open success=yes exit=EINTR a0=7fad9ebf2740 a1=241 a2=1b6 a3=1d1 items=0 ppid=1 pid=640 auid=4294967295 uid=32 gid=32 euid=32 suid=32 fsuid=32 egid=32 sgid=32 fsgid=32 tty=(none) ses=4294967295 comm=rpcbind exe=/usr/sbin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null)

Hash: rpcbind,rpcbind_t,tmp_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport

Potential duplicate: bug 1227026
Comment 1 Richard J. Turner 2015-06-05 11:28:06 UTC 
Description of problem:
Tried to mount an NFS share served by this machine.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport
Comment 2 Miroslav Grepl 2015-06-17 10:36:10 UTC 

commit afd5d7a49e9983254087e32f9ac97f5decb478f8
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jun 2 17:26:52 2015 +0200

    Allow rpcbind to create rpcbind.xdr as a temporary file. BZ(1227025)
Comment 3 Miroslav Grepl 2015-06-17 10:36:31 UTC 
*** Bug 1228637 has been marked as a duplicate of this bug. ***
Comment 4 Fedora Update System 2015-06-19 07:51:27 UTC 
selinux-policy-3.13.1-128.2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.2.fc22
Comment 5 Fedora Update System 2015-06-21 00:34:13 UTC 
Package selinux-policy-3.13.1-128.2.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.2.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10299/selinux-policy-3.13.1-128.2.fc22
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2015-06-27 22:33:53 UTC 
selinux-policy-3.13.1-128.2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.