Bug 201671 - rpc.mountd won't start when nss_ldap configured with TLS
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i386 Linux
Priority: medium   Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-08-08 02:39 EDT by darkness
Modified: 2008-05-01 11:38 EDT (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:05:08 EDT
Attachments: None
Description darkness 2006-08-08 02:39:11 EDT
Description of problem:
When nss_ldap is configured for the services database, and nss_ldap is
instructed to use SSL/TLS, rpc.mountd fails to start because it cannot
access /dev/random and/or /dev/urandom.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-8.fc5
nfs-utils-1.0.8-2.fc5

How reproducible:
Consistently

Steps to Reproduce:
1. Configure nss_ldap to use SSL/TLS (I'm using "ssl start_tls" in
   /etc/ldap.conf).
2. Configure the services database to use LDAP: "services: files ldap"
   in /etc/nsswitch.conf.
3. Run rpc.mountd.
Actual results:
rpc.mountd hangs, messages in /var/log/messages:

Aug 8 02:30:47 foo mountd[11031]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

SELinux audit messages:

audit(1155018584.459:6336): avc: denied { read } for pid=11002
comm="rpc.mountd" name="urandom" dev=tmpfs ino=2730
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

audit(1155018584.459:6337): avc: denied { read } for pid=11002
comm="rpc.mountd" name="random" dev=tmpfs ino=2723
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

audit(1155018647.383:6340): avc: denied { getattr } for pid=11031
comm="rpc.mountd" name="urandom" dev=tmpfs ino=2730
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

audit(1155018647.383:6341): avc: denied { getattr } for pid=11031
comm="rpc.mountd" name="random" dev=tmpfs ino=2723
scontext=user_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file


Expected results:
rpc.mountd starts immediately.

Additional info:

The "denied { getattr }" messages only appear after I've made an
SELinux module to allow read on random/urandom.

Using the following policy module allowed rpc.mountd to start here:

    module mountd_fix 1.1;

    require {
            class chr_file { getattr read };
            type nfsd_t;
            type random_device_t;
            type urandom_device_t;
            role system_r;
    };

    allow nfsd_t random_device_t:chr_file { getattr read };
    allow nfsd_t urandom_device_t:chr_file { getattr read };
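As an added example (not code from the bug report or from the selinux-policy package), the script below parses AVC denial lines of the form quoted above and merges them into a policy module with the same shape as the reporter's mountd_fix; the sample input is the four denials from this report re-joined onto single lines. It reduces what audit2allow does to the fields these lines carry and does not emit the `role system_r;` require line the reporter added by hand.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in this bug, one per line.
SAMPLE_AVC = """\
audit(1155018584.459:6336): avc: denied { read } for pid=11002 comm="rpc.mountd" name="urandom" dev=tmpfs ino=2730 scontext=user_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1155018584.459:6337): avc: denied { read } for pid=11002 comm="rpc.mountd" name="random" dev=tmpfs ino=2723 scontext=user_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1155018647.383:6340): avc: denied { getattr } for pid=11031 comm="rpc.mountd" name="urandom" dev=tmpfs ino=2730 scontext=user_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1155018647.383:6341): avc: denied { getattr } for pid=11031 comm="rpc.mountd" name="random" dev=tmpfs ino=2723 scontext=user_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group('scontext').split(':')[2]   # user:role:type:level -> type
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def build_module(text, name="mountd_fix", version="1.1"):
    """Merge denials per (source, target, class) and emit a policy module source."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        rules[(stype, ttype, tclass)] |= perms
    classes, types = defaultdict(set), set()
    for (stype, ttype, tclass), perms in rules.items():
        classes[tclass] |= perms           # require block lists every class/perm used
        types.update((stype, ttype))       # and every type referenced by a rule
    lines = [f"module {name} {version};", "", "require {"]
    for tclass in sorted(classes):
        lines.append(f"        class {tclass} {{ {' '.join(sorted(classes[tclass]))} }};")
    for t in sorted(types):
        lines.append(f"        type {t};")
    lines += ["};", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_module(SAMPLE_AVC))
```

Rules produced this way grant exactly what was denied, so check them against what the daemon actually needs before loading; here the proper fix landed in selinux-policy-2.3.7-2.fc5, so a local module like this is only a stopgap for older policy.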
Comment 1 Daniel Walsh 2006-08-22 09:42:28 EDT
Fixed in selinux-policy-2.3.7-2.fc5
Comment 2 Daniel Walsh 2006-08-22 10:19:29 EDT
Change to modified
Comment 3 Daniel Walsh 2007-03-28 16:05:08 EDT
Closing bugs