Description of problem:
An AVC error has been discovered while running the rsync test on Fedora 33.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-20.fc33.noarch

How reproducible:
Always

Steps to Reproduce:
1. Schedule /CoreOS/rsync/Regression/bz1633850-rsync-is-unable-to-preserve-NFS-v4-ACLs-via on fc33 in Beaker.

Actual results:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.6-20.fc33.noarch
----
time->Tue Jul 28 07:05:12 2020
type=AVC msg=audit(1595934312.771:207): avc: denied { name_bind } for pid=12221 comm="rpcbind" src=63248 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

Expected results:
No AVC error.
Does the test case change the state of the nis_enabled boolean?

# getsebool nis_enabled

These SELinux denials should not appear if the boolean is enabled.

# setsebool nis_enabled on
The test did not change the state of the boolean. But the test case passes on RHEL 8, where the default state is nis_enabled --> off, without causing any AVC errors. Why is that? On Fedora the default state when the test is run is also nis_enabled --> off. I modified the test to turn on the boolean and the AVC disappeared on Fedora.
If the rpc.idmapd process is not running (for example, because it was killed), then the automated TC fails and triggers the following SELinux denial on Fedora Rawhide:

----
type=PROCTITLE msg=audit(07/29/2020 07:34:48.280:771) : proctitle=/usr/bin/rpcbind -w -f
type=SOCKADDR msg=audit(07/29/2020 07:34:48.280:771) : saddr={ saddr_fam=inet6 laddr=:: lport=64193 }
type=SYSCALL msg=audit(07/29/2020 07:34:48.280:771) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xb a1=0x7ffc74e1d6d0 a2=0x1c a3=0x7ffc74e1d6ec items=0 ppid=1 pid=15762 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcbind exe=/usr/bin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(07/29/2020 07:34:48.280:771) : avc: denied { name_bind } for pid=15762 comm=rpcbind src=64193 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
----

The same TC executed on RHEL-8.3 passes and does not trigger any SELinux denials.

Fedora Rawhide
==============
# sesearch -s rpcbind_t -t unreserved_port_t -c udp_socket -p name_bind -A
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True

RHEL-8.3
========
# sesearch -s rpcbind_t -t unreserved_port_t -c udp_socket -p name_bind -A
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow rpcbind_t unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True

After the TC is finished, the list of suspected processes is the same:

# ps -efZ | grep rpc
system_u:system_r:kernel_t:s0 root 623 2 0 03:46 ? 00:00:00 [rpciod]
system_u:system_r:rpcd_t:s0 rpcuser 27183 1 0 07:17 ? 00:00:00 /usr/sbin/rpc.statd
system_u:system_r:rpcbind_t:s0 rpc 36852 1 0 07:38 ? 00:00:00 /usr/bin/rpcbind -w -f
system_u:system_r:rpcd_t:s0 root 37165 1 0 07:38 ? 00:00:00 /usr/sbin/rpc.idmapd
system_u:system_r:nfsd_t:s0 root 37166 1 0 07:38 ? 00:00:00 /usr/sbin/rpc.mountd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 37279 5060 0 07:41 pts/0 00:00:00 grep --color=auto rpc

The nis_enabled boolean is off in both cases. I'm not sure why this happens.
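The sesearch comparison in the comment above is the standard triage step for a denial like this; the Python helper below, added here and not part of the bug report, automates it by parsing a raw audit AVC record, deriving the matching sesearch query, and reading sesearch's output to show which boolean gates each allow rule. The embedded AVC line and sesearch output are constructed copies of the values quoted in this report.

```python
# Added example (not from the bug report): parse a raw audit AVC record, derive
# the sesearch query that lists the allow rules covering it, and read sesearch's
# output to show which boolean gates each rule.
import re
import shlex

# Constructed copies of the AVC record and Rawhide sesearch output quoted above.
AVC_LINE = (
    'type=AVC msg=audit(1595934312.771:207): avc: denied { name_bind } for '
    'pid=12221 comm="rpcbind" src=63248 scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0'
)
SESEARCH_RAWHIDE = "allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True\n"

# allow <src> <tgt>:<class> <perms>; [ <boolean expr> ]:<state in which the rule is active>
RULE_RE = re.compile(r"^(allow\s+\S+\s+\S+:\S+\s+[^;]+;)\s*(?:\[\s*(.+?)\s*\]:(True|False))?\s*$")

def parse_avc(line):
    """Extract the denied permissions, source/target types and object class."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$", line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = dict(kv.split("=", 1) for kv in shlex.split(m.group(2)) if "=" in kv)
    # A context is user:role:type[:range]; the type is the third component.
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "permissive": fields.get("permissive") == "1",
    }

def sesearch_argv(avc):
    """Command listing the allow rules (conditional or not) that cover the denial."""
    return ["sesearch", "-s", avc["stype"], "-t", avc["ttype"], "-c", avc["tclass"],
            "-p", ",".join(avc["perms"]), "-A"]

def gating_booleans(sesearch_output):
    """Map each allow rule to (boolean expression, required state); '' means unconditional."""
    rules = {}
    for raw in sesearch_output.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            rules[m.group(1)] = (m.group(2) or "", m.group(3) or "")
    return rules

if __name__ == "__main__":
    print(" ".join(sesearch_argv(parse_avc(AVC_LINE))))
    print(gating_booleans(SESEARCH_RAWHIDE))
```

For the Rawhide output it reports a single rule that is active only while nis_enabled is True, which matches the observation that the denial disappears once the boolean is switched on.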
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.
*** This bug has been marked as a duplicate of bug 1758147 ***