Bug 451805 - RHEL5.2 |SELINUX: Restarting portmap service shows "not registered portmapper" message
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 5.2
Hardware: x86_64 Linux
Priority: low
Severity: urgent
Target Milestone: rc
Assigned To: Steve Dickson
Reported: 2008-06-17 10:22 EDT by manoj
Modified: 2014-01-24 08:23 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:32:31 EST
Attachments
output of /CoreOS/selinux-policy/bugzillas/451805 test (5.56 KB, text/plain)
2008-10-03 10:19 EDT, Milos Malik
Description manoj 2008-06-17 10:22:40 EDT
Steps to Reproduce:
1. Install RHEL5u2 OS with SELinux enforced in enforcing mode.
2. Boot the system.
3. Restart portmap service: /etc/init.d/portmap restart

[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
not registered:     100000    2   tcp    111  portmapper
not registered:     100000    2   udp    111  portmapper

tail -f /var/log/messages output given below

Jun 17 19:28:20 lifo portmap[11495]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port
Jun 17 19:48:46 lifo portmap[11610]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port
Jun 17 19:48:46 lifo portmap[11611]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port

Additional info: When I change SELinux to permissive mode using setenforce 0
and then restart portmap there is no issue, as given below
[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
Comment 1 Steve Dickson 2008-06-24 07:13:35 EDT
Dan,

Has there been any recent fixes to the SELinux policies 
that would address this problem?
Comment 2 Daniel Walsh 2008-06-24 07:20:03 EDT
What AVC's are you seeing?

grep avc /var/log/audit/audit.log or /var/log/messages
Comment 3 manoj 2008-06-24 07:29:10 EDT
I couldn't see any AVC messages and SELinux Troubleshoot Alerts while testing
this scenario. I have pasted /var/log/messages content in my previous comment.
Thanks.
Comment 4 Daniel Walsh 2008-06-25 06:58:38 EDT
Does portmapper work?  Even with generating these errors?

SELinux policy for portmap has

# portmap binds to arbitrary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)

This says that SELinux is allowing portmap to bind to all ports that do not have
a defined port.  SELinux maps types/labels to lots of ports.  Any with a label
portmapper will not be allowed to bind, and then will get a different one.
The attempt will be dontaudited.  If you execute 

# semanage port -l

you will see the list of defined ports.

portmap then complains about the ports it is not allowed to bind.  But it should
continue to try to find a port.
Comment 5 Sudhir Menon 2008-06-25 08:19:33 EDT
I could see the portmap service running.

rpc  13061   1   0   17:23   ?   00:00:00  portmap <--- ps -ef | grep portmap

But when I try to mount the share from the client it gives the below error

showmount -e 10.1.4.32  (10.1.4.32 is the NFS Server)
mount clntudp_create: RPC: Program not registered.

mount 10.1.4.32:/home/share1  /test1 
mount: mount to NFS Server '10.1.4.32' failed: RPC Error: Program not registered.
Comment 6 Sudhir Menon 2008-06-25 08:50:24 EDT
# semanage port -l | grep 111 gives the below output

portmap_port_t                 tcp      111
portmap_port_t                 udp      111
ricci_port_t                   tcp      11111
ricci_port_t                   udp      11111
Comment 7 Daniel Walsh 2008-06-30 17:16:12 EDT
Try turning off dontaudit rules
# semodule -i /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages
Turn back on dontaudit rules.
# semodule -i /usr/share/selinux/targeted/base.pp
Comment 8 Sudhir Menon 2008-07-02 01:27:37 EDT
# semodule -i /usr/share/selinux/targeted/enableaudit.pp 

Even after executing the above command with (SELinux=enforcing) and restarting
the portmap service there are no avc messages displayed in the /var/log/messages
file or /var/log/audit/audit.log file.

But executing the same command gives the below output on the console.

# semodule -i /usr/share/selinux/targeted/enableaudit.pp

libsemanage.parse_module_headers: Received a base module, expected a non-base
module.
semodule:  Failed on /usr/share/selinux/targeted/enableaudit.pp!

Similarly for this command also

#semodule -i /usr/share/selinux/targeted/base.pp
libsemanage.parse_module_headers: Received a base module, expected a non-base
module.
semodule:  Failed on /usr/share/selinux/targeted/base.pp!

Comment 9 Daniel Walsh 2008-07-02 09:56:34 EDT
Sorry, should have been -b

Try turning off dontaudit rules
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages
Turn back on dontaudit rules.
# semodule -b /usr/share/selinux/targeted/base.pp
Comment 10 manoj 2008-07-03 02:40:00 EDT
[root@lifo ~]# tail -f /var/log/audit/audit.log 
type=AVC msg=audit(1215066907.602:50): avc:  denied  { name_bind } for 
pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)

type=AVC msg=audit(1215066907.602:51): avc:  denied  { name_bind } for 
pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1215066907.602:51): arch=c000003e syscall=49 success=no
exit=-13 a0=4 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)

type=AVC msg=audit(1215066907.607:52): avc:  denied  { name_bind } for 
pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=486c731b items=0 ppid=11396 pid=11413
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1
comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0
key=(null)

type=AVC msg=audit(1215066907.609:53): avc:  denied  { name_bind } for 
pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.609:53): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=3 items=0 ppid=11396 pid=11413 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1
comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0
key=(null)
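As an added example (not part of this bug report), detection logic that pulls these dontaudited name_bind denials out of audit.log once enableaudit.pp is loaded, pairing each AVC record with its SYSCALL record by audit event id and reporting the source type, the reserved-port label it was denied on, and whether bind() failed with EACCES. The sample records are constructed from the lines in this comment, trimmed to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the Comment 10 records: one AVC/SYSCALL pair
# for portmap (event 50) and one for pmap_set (event 52).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215066907.602:50): avc:  denied  { name_bind } for  pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 pid=11411 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
type=AVC msg=audit(1215066907.607:52): avc:  denied  { name_bind } for  pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no exit=-13 pid=11413 comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event id
PERM_RE = re.compile(r'\{ ([^}]*) \}')                 # "{ name_bind }"


def parse_events(text):
    """Group AVC and SYSCALL lines that share an audit event id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields["type"] == "AVC":
            fields["perms"] = PERM_RE.search(line).group(1).split()
        events[int(m.group(2))][fields["type"]] = fields
    return dict(events)


def context_type(ctx):
    """user:role:type:level -> the type component."""
    return ctx.split(":")[2]


def reserved_port_denials(events):
    """name_bind denials against a *reserved_port_t label, i.e. exactly the
    attempts the policy's dontaudit rules hide until enableaudit.pp is loaded."""
    hits = []
    for eid in sorted(events):
        avc = events[eid].get("AVC")
        if not avc or "name_bind" not in avc["perms"]:
            continue
        ttype = context_type(avc["tcontext"])
        if not ttype.endswith("reserved_port_t"):
            continue
        sc = events[eid].get("SYSCALL", {})
        hits.append({"comm": avc["comm"], "stype": context_type(avc["scontext"]),
                     "ttype": ttype, "port": int(avc["src"]), "tclass": avc["tclass"],
                     "eacces": sc.get("exit") == "-13"})  # bind() returned EACCES
    return hits
```

Running it over a real audit.log shows which domain (portmap_t or portmap_helper_t) was refused which reserved port, which is the information the syslog "not registered" lines do not carry.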
Comment 11 Daniel Walsh 2008-07-16 14:34:29 EDT
Fixed in selinux-policy-2.4.6-142.el5 
Comment 12 RHEL Product and Program Management 2008-07-16 14:39:57 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 15 Milos Malik 2008-10-03 10:19:52 EDT
Created attachment 319368 [details]
output of /CoreOS/selinux-policy/bugzillas/451805 test
Comment 16 Milos Malik 2008-10-03 10:25:11 EDT
Dan, could you please look at the attachment. The file contains some AVCs which appeared during the test. Before I ran the test I loaded the enableaudit policy package.
Comment 17 Daniel Walsh 2008-10-03 11:38:47 EDT
Looks like a bug

Fixed in selinux-policy-2.4.6-163.el5
Comment 20 errata-xmlrpc 2009-01-20 16:32:31 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
