Bug 1847226 - SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 65149.
Keywords:
Status: CLOSED DUPLICATE of bug 1758147
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:353bb6bd6a8e04006146647683a...
Depends On:
Blocks:
Reported: 2020-06-16 01:47 UTC by Jonathon Poppleton
Modified: 2021-01-04 14:08 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-01-04 14:08:16 UTC
Type: ---
Embargoed:



Description Jonathon Poppleton 2020-06-16 01:47:38 UTC
Description of problem:
SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 65149.

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow rpcbind to bind to network port 65149
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p udp 65149
    where PORT_TYPE is one of the following: agentx_port_t, apertus_ldp_port_t, comsat_port_t, dhcpc_port_t, dhcpd_port_t, dns_port_t, efs_port_t, flash_port_t, ftp_port_t, gdomap_port_t, hi_reserved_port_t, inetd_child_port_t, ipmi_port_t, ipp_port_t, kerberos_admin_port_t, kerberos_port_t, kprop_port_t, ktalkd_port_t, ldap_port_t, pki_ca_port_t, pop_port_t, portmap_port_t, printer_port_t, rlogin_port_t, rlogind_port_t, rndc_port_t, router_port_t, rsh_port_t, rsync_port_t, rtsp_port_t, rwho_port_t, smtp_port_t, spamd_port_t, swat_port_t, syslogd_port_t, uucpd_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that rpcbind should be allowed name_bind access on the port 65149 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpcbind' --raw | audit2allow -M my-rpcbind
# semodule -X 300 -i my-rpcbind.pp

Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 65149 [ udp_socket ]
Source                        rpcbind
Source Path                   rpcbind
Port                          65149
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.5-40.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-40.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.16-300.fc32.x86_64 #1 SMP Thu
                              Jun 4 18:08:38 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-06-07 14:46:15 AEST
Last Seen                     2020-06-16 11:45:35 AEST
Local ID                      01f1e11d-8f02-43a3-9387-1d790f488419

Raw Audit Messages
type=AVC msg=audit(1592271935.639:778): avc:  denied  { name_bind } for  pid=13770 comm="rpcbind" src=65149 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind

Version-Release number of selected component:
selinux-policy-targeted-3.14.5-40.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.13.1
hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
type:           libreport

Potential duplicate: bug 1563792
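
The raw audit message above is the authoritative record of the denial, and the "Hash" line is how setroubleshoot de-duplicates alerts. The following Python script is an added example (not part of this report, setroubleshoot, or the selinux-policy project): it parses AVC records in the format shown, rebuilds the same comma-separated denial key, and applies a simple triage rule for name_bind denials. The triage category names and the two extra sample lines are constructed for illustration; the first sample line is the one quoted in this report.

```python
import re

# Fixed prefix of an AVC record; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted (comm="rpcbind") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: line 1 is the AVC record from this bug report; lines 2 and 3
# are constructed (a hypothetical tcp bind denial and a non-AVC record).
SAMPLE_LINES = [
    'type=AVC msg=audit(1592271935.639:778): avc:  denied  { name_bind } for  '
    'pid=13770 comm="rpcbind" src=65149 scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
    'type=AVC msg=audit(1592271999.100:801): avc:  denied  { name_bind } for  '
    'pid=20001 comm="exampled" src=8443 scontext=system_u:system_r:exampled_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1592271935.639:778): arch=c000003e syscall=49 success=no',
]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def denial_key(rec):
    """Rebuild setroubleshoot's "Hash:" key: comm,source type,target type,class,perm."""
    return ",".join([
        rec.get("comm", "?"),
        rec.get("scontext_type", "?"),
        rec.get("tcontext_type", "?"),
        rec.get("tclass", "?"),
        rec["perms"][0],
    ])


def triage(rec):
    """Return (category, note) for a parsed record. Categories are this example's own."""
    if rec["result"] != "denied":
        return ("allowed", "not a denial")
    if rec.get("tclass") in ("udp_socket", "tcp_socket") and "name_bind" in rec["perms"]:
        port = rec.get("src", "?")
        ttype = rec.get("tcontext_type", "")
        who = f"{rec.get('comm', '?')} ({rec.get('scontext_type', '?')})"
        if ttype == "unreserved_port_t":
            # The port carries no specific label: find out why the daemon chose it
            # before relabeling the port or widening its domain.
            return ("unlabeled-port-bind",
                    f"{who} tried to bind port {port}, which has no specific port label; "
                    f"identify the reproducer before changing policy")
        return ("labeled-port-bind",
                f"{who} tried to bind port {port} labeled {ttype}; "
                f"check 'semanage port -l' and whether the service really owns that port")
    return ("other", f"{rec.get('tclass', '?')} {' '.join(rec['perms'])}")


def summarize(lines):
    """Count denials by key, the way setroubleshoot groups repeated alerts."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            key = denial_key(rec)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_avc(line)
        if rec is None:
            print("skipped non-AVC record")
            continue
        print(denial_key(rec), "->", *triage(rec))
    print(summarize(SAMPLE_LINES))
```

Feed it `ausearch -m AVC --raw` output (one record per line) and the summary gives the same grouping setroubleshoot shows as "Alert Count"; the triage note for the report's line flags the bind as an unlabeled high port, which is the point Comment 1 raises: rpcbind should not be reaching for arbitrary ports, so the reproducer matters more than the policy change the catchall plugin offers.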

Comment 1 Zdenek Pytela 2020-06-16 06:55:42 UTC
Jonathon,

rpcbind is not allowed to bind to random ports. Can you share the reproducing steps leading to this issue?

Has it always been in place or started at some time?

Comment 2 Jonathon Poppleton 2020-08-03 11:52:37 UTC
Hi, sorry for the delay. From memory the error may have occurred when setting up NFS sharing from the Fedora host to a Fedora client (KVM) using NAS. When using a bridge connection under NetworkManager I have not noticed any SELinux issues.

Originally when I set up the NFS share on a client using NAS, the error may have occurred because I did not open the required ports, which I was unaware of at the time. E.g.

sudo firewall-cmd --permanent --add-service=nfs --zone=libvirt
sudo firewall-cmd --permanent --add-service=mountd --zone=libvirt
sudo firewall-cmd --permanent --add-service=rpc-bind --zone=libvirt

I am not even sure if rpc-bind --zone=libvirt is required for a successful NFS share to the VM.

Anyway, I no longer use NAS with KVM clients because NFS/SMB mounts fail after connecting to a VPN on the Fedora VM. If I use a bridge connection on the host and set up a VPN on the client I can still access NFS/SMB shares.

I don't know if this helps. Thanks for letting me know that rpcbind is not meant to have access to random ports. Jonathon

Comment 3 Zdenek Pytela 2021-01-04 14:08:16 UTC

*** This bug has been marked as a duplicate of bug 1758147 ***

