2248137 – SELinux is preventing rpcbind from 'search' accesses on the directory net.

Bug 2248137 - SELinux is preventing rpcbind from 'search' accesses on the directory net.

Summary: SELinux is preventing rpcbind from 'search' accesses on the directory net.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:487b9a8bc71b766ed47409ff999...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-11-06 11:45 UTC by strasharo2000
Modified:	2024-01-03 02:18 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-38.31-1.fc38
Clone Of:
Environment:
Last Closed:	2024-01-03 02:18:11 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: os_info (709 bytes, text/plain) 2023-11-06 11:45 UTC, strasharo2000	no flags	Details
File: description (1.85 KB, text/plain) 2023-11-06 11:45 UTC, strasharo2000	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1928	0	None	open	Allow rpcbind read network sysctls	2023-11-06 12:20:10 UTC

Description strasharo2000 2023-11-06 11:45:43 UTC

Description of problem:
mounted a NFS share
SELinux is preventing rpcbind from 'search' accesses on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpcbind should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpcbind' --raw | audit2allow -M my-rpcbind
# semodule -X 300 -i my-rpcbind.pp

Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        rpcbind
Source Path                   rpcbind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.30-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.30-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.5.8-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Oct 20 15:53:48 UTC 2023
                              x86_64
Alert Count                   2
First Seen                    2023-11-06 13:44:29 EET
Last Seen                     2023-11-06 13:44:29 EET
Local ID                      237295dc-d7a7-47d4-a0d8-a93e23246c13

Raw Audit Messages
type=AVC msg=audit(1699271069.619:3004): avc:  denied  { search } for  pid=332535 comm="rpcbind" name="net" dev="proc" ino=22724 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0


Hash: rpcbind,rpcbind_t,sysctl_net_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-38.30-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
comment:        mounted a NFS share
hashmarkername: setroubleshoot
kernel:         6.5.8-200.fc38.x86_64
component:      selinux-policy
type:           libreport
reason:         SELinux is preventing rpcbind from 'search' accesses on the directory net.
package:        selinux-policy-targeted-38.30-1.fc38.noarch
component:      selinux-policy

Comment 1 strasharo2000 2023-11-06 11:45:46 UTC

Created attachment 1997420 [details]
File: os_info

Comment 2 strasharo2000 2023-11-06 11:45:48 UTC

Created attachment 1997421 [details]
File: description

Comment 3 Fedora Update System 2023-12-18 14:01:32 UTC

FEDORA-2023-aeccf7b447 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447

Comment 4 Fedora Update System 2023-12-19 01:42:14 UTC

FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-aeccf7b447`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2024-01-03 02:18:11 UTC

FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.