Bug 2246914 - avc: denied { search } for comm="rpcbind" name="net" dev="proc"
Summary: avc: denied { search } for comm="rpcbind" name="net" dev="proc"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL: https://cockpit-logs.us-east-1.linode...
Whiteboard: CockpitTest
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-10-30 05:18 UTC by Martin Pitt
Modified: 2023-11-07 01:39 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-39.1-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 01:39:37 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Martin Pitt 2023-10-30 05:18:08 UTC
Cockpit's tests recently started to run nightly checks on Fedora 39 updates-testing (until Friday it was still F38). This found a SELinux regression in the NFS tests. They did succeed, but they cause this violation:

audit: type=1400 audit(1698474882.843:12922): avc:  denied  { search } for  pid=47538 comm="rpcbind" name="net" dev="proc" ino=15820 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

We don't see this with selinux-policy-38.28.1.fc39 (i.e. without updates-testing).

rpcbind-1.2.6-4.rc2.fc39.1.x86_64
selinux-policy-38.29-1.fc39.noarch

Reproducible: Always

Steps to Reproduce:
systemctl start rpcbind

Actual Results:  
service starts, but with two errors:

rpcbind[1131]: Unable to open open /proc/sys/net/ipv4/ip_local_reserved_ports.
rpcbind[1131]: rpcbind: svc_tli_create: could not bind to anonymous port
rpcbind[1131]: Unable to open open /proc/sys/net/ipv4/ip_local_reserved_ports.
rpcbind[1131]: rpcbind: svc_tli_create: could not bind to anonymous port

and the corresponding violations in the journal:

AVC avc:  denied  { search } for  pid=1131 comm="rpcbind" name="net" dev="proc" ino=15820 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Comment 1 Milos Malik 2023-10-30 14:29:34 UTC
Visible in the systemd journal:
Oct 30 10:14:10 machine-name-removed systemd[1]: Starting rpcbind.service - RPC Bind...
Oct 30 10:14:10 machine-name-removed rpcbind[1485]: rpcbind: svc_tli_create: could not bind to anonymous port
Oct 30 10:14:10 machine-name-removed systemd[1]: Started rpcbind.service - RPC Bind.

The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(10/30/2023 10:14:10.248:475) : proctitle=/usr/bin/rpcbind -w -f 
type=SOCKADDR msg=audit(10/30/2023 10:14:10.248:475) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=63179 } 
type=SYSCALL msg=audit(10/30/2023 10:14:10.248:475) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffefff9cc00 a2=0x10 a3=0x55def188e8c0 items=0 ppid=1 pid=1485 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcbind exe=/usr/bin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null) 
type=AVC msg=audit(10/30/2023 10:14:10.248:475) : avc:  denied  { name_bind } for  pid=1485 comm=rpcbind src=63179 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 
----

Comment 2 Milos Malik 2023-10-30 14:39:36 UTC
Unfortunately, I'm not able to reproduce the same SELinux denial that is recorded in comment#0.

Comment 3 Martin Pitt 2023-10-30 15:55:22 UTC
That is bug #1758147 , and it's many years old already. This only happens with the updates-testing version. It's a standard F39 cloud image after `dnf -y update --enablerepo=updates-testing` and a reboot.

Comment 4 Zdenek Pytela 2023-10-31 16:12:14 UTC
This is not a regression in selinux-policy, but rather a result of rpcbind has been fixed to use ip_local_reserved_ports.
The policy commit already is in rawhide.

Comment 5 Fedora Update System 2023-11-02 20:05:43 UTC
FEDORA-2023-24872e50a0 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0

Comment 6 Fedora Update System 2023-11-03 02:08:56 UTC
FEDORA-2023-24872e50a0 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-24872e50a0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-24872e50a0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-11-07 01:39:37 UTC
FEDORA-2023-24872e50a0 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.