Bug 358171 - New nfs-utils update is broken under selinux
New nfs-utils update is broken under selinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: nfs-utils (Show other bugs)
7
All Linux
low Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 358511 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-30 09:35 EDT by Orion Poplawski
Modified: 2008-02-26 19:26 EST (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-2.6.4-51.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-26 19:26:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2007-10-30 09:35:15 EDT
Description of problem:

With today's nfs-utils  1:1.1.0-4.fc7 update, nfs is broken under selinux. 
During upgrade I saw the following:

Oct 30 05:21:00 iago kernel: audit(1193743260.159:17): avc:  denied  { write }
for  pid=28714 comm="nscd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_
r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.164:18): avc:  denied  { write }
for  pid=28715 comm="nscd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_
r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.190:19): avc:  denied  { write }
for  pid=28716 comm="semanage" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:semanage_t:s0 tcontext=user_u
:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.977:20): avc:  denied  { write }
for  pid=28717 comm="nscd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_
r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.980:21): avc:  denied  { write }
for  pid=28718 comm="nscd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_
r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:07 iago kernel: audit(1193743267.392:22): avc:  denied  { write }
for  pid=28788 comm="rpc.statd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:sy
stem_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:22:06 iago kernel: audit(1193743326.166:23): avc:  denied  { write }
for  pid=28874 comm="rpc.idmapd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:s
ystem_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:22:06 iago rpc.statd[28789]: Caught signal 15, un-registering and exiting.
Oct 30 05:22:06 iago kernel: audit(1193743326.650:24): avc:  denied  { write }
for  pid=28923 comm="rpc.statd" name="" dev=pipefs ino=10164880
scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:sy
stem_r:rpm_t:s0 tclass=fifo_file


These are probably just output going to the yum-cron output.

This is the kicker:

Oct 30 05:22:47 iago kernel: audit(1193743367.282:25): avc:  denied  { getattr }
for  pid=29019 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0
tclass=file

Got that every mount attempt.  Changed to permissive mode and then got:

Oct 30 07:18:42 iago kernel: audit(1193750322.551:257): enforcing=0
old_enforcing=1 auid=4294967295
Oct 30 07:18:42 iago dbus: Can't send to audit system: USER_AVC avc:  received
setenforce notice (enforcing=0) : exe="/bin/dbus-daemon" (sauid=577, hostname=?,
addr=?, terminal=?)
Oct 30 07:18:42 iago kernel: audit(1193750322.555:258): user pid=1787 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received
setenforce notice (enforcing=0)
Oct 30 07:18:42 iago kernel: : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
Oct 30 07:18:47 iago kernel: audit(1193750327.410:259): avc:  denied  { getattr
} for  pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.410:260): avc:  denied  { execute
} for  pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.410:261): avc:  denied  { read }
for  pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.411:262): avc:  denied  {
execute_no_trans } for  pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0
ino=12451 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
Oct 30 07:18:47 iago rpc.statd[2882]: Version 1.1.0 Starting
Oct 30 07:18:47 iago rpc.statd[2882]: Flags:
Oct 30 07:18:47 iago kernel: audit(1193750327.415:263): avc:  denied  { write }
for  pid=2882 comm="rpc.statd" name="run" dev=dm-1 ino=20481
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=dir
Oct 30 07:18:47 iago kernel: audit(1193750327.415:264): avc:  denied  {
remove_name } for  pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1
ino=20507 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Oct 30 07:18:47 iago kernel: audit(1193750327.415:265): avc:  denied  { unlink }
for  pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20507
scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:rpcd_var_run_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.416:266): avc:  denied  { add_name
} for  pid=2882 comm="rpc.statd" name="rpc.statd.pid"
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=dir
Oct 30 07:18:47 iago kernel: audit(1193750327.416:267): avc:  denied  { create }
for  pid=2882 comm="rpc.statd" name="rpc.statd.pid"
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.416:268): avc:  denied  { getattr
} for  pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20539
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.416:269): avc:  denied  { write }
for  pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20539
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.517:270): avc:  denied  { read }
for  pid=2882 comm="rpc.statd" name="earth.cora.nwra.com" dev=dm-1 ino=16523
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.709:271): avc:  denied  { setattr
} for  pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20539
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7

How reproducible:
All of my F7 machines.
Comment 1 Orion Poplawski 2007-10-30 09:49:57 EDT
There's also a rpcbind update in the mix too.
Comment 4 Steve Dickson 2007-11-01 07:27:59 EDT
There were no changes to rpc.statd in that last update. It seems
all the daemon is trying to do is create its pid file, something
it has done for a very long time. 

What changed in the policy that no longer allows rpc.statd to
create a file where its always created it? 
Comment 5 Steve Dickson 2007-11-01 07:29:12 EDT
*** Bug 358511 has been marked as a duplicate of this bug. ***
Comment 7 Daniel Walsh 2007-11-01 11:44:11 EDT
THe change that is broken in this release is that mount command is now execing
rpc.mountd which was not happening before.  SELinux policy has to be updated to
allow mount_t to execute rpc.mountd and transition that process to the rpcd_t
which would then be allowed to write the pid file.

selinux-policy-2.6.4-51.fc7

Has this transition and should fix this problem.

Note You need to log in before you can comment on or make changes to this bug.