Cockpit's tests recently started to run nightly checks on Fedora 39 updates-testing (until Friday it was still F38). This found a SELinux regression in the NFS tests. They did succeed, but they cause this violation:

audit: type=1400 audit(1698474882.843:12922): avc: denied { search } for pid=47538 comm="rpcbind" name="net" dev="proc" ino=15820 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

We don't see this with selinux-policy-38.28.1.fc39 (i.e. without updates-testing).

rpcbind-1.2.6-4.rc2.fc39.1.x86_64
selinux-policy-38.29-1.fc39.noarch

Reproducible: Always

Steps to Reproduce:
systemctl start rpcbind

Actual Results:
service starts, but with two errors:

rpcbind[1131]: Unable to open open /proc/sys/net/ipv4/ip_local_reserved_ports.
rpcbind[1131]: rpcbind: svc_tli_create: could not bind to anonymous port
rpcbind[1131]: Unable to open open /proc/sys/net/ipv4/ip_local_reserved_ports.
rpcbind[1131]: rpcbind: svc_tli_create: could not bind to anonymous port

and the corresponding violations in the journal:

AVC avc: denied { search } for pid=1131 comm="rpcbind" name="net" dev="proc" ino=15820 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
Visible in the systemd journal:

Oct 30 10:14:10 machine-name-removed systemd[1]: Starting rpcbind.service - RPC Bind...
Oct 30 10:14:10 machine-name-removed rpcbind[1485]: rpcbind: svc_tli_create: could not bind to anonymous port
Oct 30 10:14:10 machine-name-removed systemd[1]: Started rpcbind.service - RPC Bind.

The following SELinux denial appears in enforcing mode:

----
type=PROCTITLE msg=audit(10/30/2023 10:14:10.248:475) : proctitle=/usr/bin/rpcbind -w -f
type=SOCKADDR msg=audit(10/30/2023 10:14:10.248:475) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=63179 }
type=SYSCALL msg=audit(10/30/2023 10:14:10.248:475) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffefff9cc00 a2=0x10 a3=0x55def188e8c0 items=0 ppid=1 pid=1485 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcbind exe=/usr/bin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(10/30/2023 10:14:10.248:475) : avc: denied { name_bind } for pid=1485 comm=rpcbind src=63179 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
----
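The two AVC records quoted above (the `search` denial on the `net` directory under /proc/sys from comment #0, and the `name_bind` denial on `unreserved_port_t` from the ausearch output) carry the same fields that decide whether an access actually failed and what rule would have allowed it. The following is an added example, not code from this bug or from the rpcbind or selinux-policy projects: it parses such `avc:` lines with a regex, extracts source type, target type, object class and permission set, flags whether the denial was enforced (`permissive=0`), and prints the equivalent `allow` rule in the same shape that `audit2allow` prints. The sample lines are the ones quoted in this report, embedded as input; the `enforced` flag and the `target` field naming are this example's own.

```python
import re

# Sample input: the AVC lines quoted in this bug report (comment #0 and the
# ausearch output), copied here so the script runs offline.
SAMPLE_AVC_LINES = [
    'audit: type=1400 audit(1698474882.843:12922): avc: denied { search } '
    'for pid=47538 comm="rpcbind" name="net" dev="proc" ino=15820 '
    'scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(10/30/2023 10:14:10.248:475) : avc: denied { name_bind } '
    'for pid=1485 comm=rpcbind src=63179 '
    'scontext=system_u:system_r:rpcbind_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
]

# "avc: denied { perm [perm ...] } for key=value ..." (also matches "granted")
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be bare tokens or double-quoted strings
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # The object being accessed is reported under different keys per class:
    # name= for directory entries, path= for files, src= for port numbers.
    target = fields.get('name') or fields.get('path') or fields.get('src')
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'target': target,
        # permissive=0 means the kernel really refused the access, which is
        # why rpcbind's bind() returned EACCES rather than just logging.
        'enforced': fields.get('permissive') == '0',
    }


def allow_rule(rec):
    """Render the allow rule that would cover this denial (audit2allow shape)."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        context_type(rec['scontext']),
        context_type(rec['tcontext']),
        rec['tclass'],
        perm_str,
    )


def summarize(lines):
    """Map each enforced denial to its covering rule, de-duplicated, in order."""
    rules = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied' or not rec['enforced']:
            continue
        rule = allow_rule(rec)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == '__main__':
    for line in SAMPLE_AVC_LINES:
        rec = parse_avc(line)
        print('%s: %s -> %s (%s) target=%s enforced=%s' % (
            rec['comm'], context_type(rec['scontext']),
            context_type(rec['tcontext']), rec['tclass'],
            rec['target'], rec['enforced']))
    for rule in summarize(SAMPLE_AVC_LINES):
        print(rule)
```

Feeding the output of `ausearch -m AVC -ts recent` through `summarize` gives the same rule list a local `audit2allow -M` module would contain; for this bug the rules are `allow rpcbind_t sysctl_net_t:dir search;` and `allow rpcbind_t unreserved_port_t:udp_socket name_bind;`, which is what the updated selinux-policy package supplies, so a local module is only a stopgap until that update is installed.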
Unfortunately, I'm not able to reproduce the same SELinux denial that is recorded in comment #0.
That is bug #1758147, and it's many years old already. This only happens with the updates-testing version. It's a standard F39 cloud image after `dnf -y update --enablerepo=updates-testing` and a reboot.
This is not a regression in selinux-policy, but rather a result of rpcbind having been fixed to use ip_local_reserved_ports. The policy commit is already in rawhide.
FEDORA-2023-24872e50a0 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0
FEDORA-2023-24872e50a0 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-24872e50a0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-24872e50a0 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.