Bug 451805 - RHEL5.2 |SELINUX: Restarting portmap service shows "not registered portmapper" message
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: x86_64
OS: Linux
Priority: low
Severity: urgent
Target Milestone: rc
Assignee: Steve Dickson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-17 14:22 UTC by manoj
Modified: 2014-01-24 13:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 21:32:31 UTC
Target Upstream Version:


Attachments
output of /CoreOS/selinux-policy/bugzillas/451805 test (5.56 KB, text/plain), 2008-10-03 14:19 UTC, Milos Malik


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0163 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2009-01-20 16:05:21 UTC

Description manoj 2008-06-17 14:22:40 UTC
Steps to Reproduce:
1. Install RHEL5u2 OS with SELinux in enforcing mode.
2. Boot the system.
3. Restart the portmap service: /etc/init.d/portmap restart

[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
not registered:     100000    2   tcp    111  portmapper
not registered:     100000    2   udp    111  portmapper

tail -f /var/log/messages o/p given below

Jun 17 19:28:20 lifo portmap[11495]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port
Jun 17 19:48:46 lifo portmap[11610]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port
Jun 17 19:48:46 lifo portmap[11611]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port



Additional info: When I change SELinux to permissive mode using setenforce 0
and then restart portmap, there is no issue, as shown below:
[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]

Comment 1 Steve Dickson 2008-06-24 11:13:35 UTC
Dan,

Have there been any recent fixes to the SELinux policies
that would address this problem?

Comment 2 Daniel Walsh 2008-06-24 11:20:03 UTC
What AVCs are you seeing?

grep avc /var/log/audit/audit.log or /var/log/messages

Comment 3 manoj 2008-06-24 11:29:10 UTC
I couldn't see any AVC messages or SELinux Troubleshoot alerts while testing
this scenario. I have pasted the /var/log/messages content in my previous comment.
Thanks.

Comment 4 Daniel Walsh 2008-06-25 10:58:38 UTC
Does portmapper work, even while generating these errors?

SELinux policy for portmap has

# portmap binds to arbitrary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)

This says that SELinux is allowing portmap to bind to all ports that do not have
a defined port.  SELinux maps types/labels to lots of ports.  Any with a label
portmapper will not be allowed to bind, and then will get a different one.
The attempt will be dontaudited.  If you execute 

# semanage port -l

you will see the list of defined ports.

portmap then complains about the ports it is not allowed to bind.  But it should
continue to try to find a port.


Comment 5 Sudhir Menon 2008-06-25 12:19:33 UTC
I could see the portmap service running.

rpc  13061   1   0   17:23   ?   00:00:00  portmap <--- ps -ef | grep portmap

But when I try to mount the share from the client it gives the below error:

showmount -e 10.1.4.32  (10.1.4.32 is the NFS Server)
mount clntudp_create: RPC: Program not registered.

mount 10.1.4.32:/home/share1  /test1 
mount: mount to NFS Server '10.1.4.32' failed: RPC Error: Program not registered.

Comment 6 Sudhir Menon 2008-06-25 12:50:24 UTC
# semanage port -l | grep 111 gives the below output

portmap_port_t                 tcp      111
portmap_port_t                 udp      111
ricci_port_t                   tcp      11111
ricci_port_t                   udp      11111


Comment 7 Daniel Walsh 2008-06-30 21:16:12 UTC
Try turning off dontaudit rules
# semodule -i /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages
Turn back on dontaudit rules.
# semodule -i /usr/share/selinux/targeted/base.pp

Comment 8 Sudhir Menon 2008-07-02 05:27:37 UTC
# semodule -i /usr/share/selinux/targeted/enableaudit.pp 

Even after executing the above command (with SELinux=enforcing) and restarting
the portmap service, there are no AVC messages displayed in the /var/log/messages
file or the /var/log/audit/audit.log file.

But executing the same command gives the below output on the console.

# semodule -i /usr/share/selinux/targeted/enableaudit.pp

libsemanage.parse_module_headers: Received a base module, expected a non-base
module.
semodule:  Failed on /usr/share/selinux/targeted/enableaudit.pp!

Similarly for this command also

#semodule -i /usr/share/selinux/targeted/base.pp
libsemanage.parse_module_headers: Received a base module, expected a non-base
module.
semodule:  Failed on /usr/share/selinux/targeted/base.pp!



Comment 9 Daniel Walsh 2008-07-02 13:56:34 UTC
Sorry, should have been -b

Try turning off dontaudit rules
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages
Turn back on dontaudit rules.
# semodule -b /usr/share/selinux/targeted/base.pp

Comment 10 manoj 2008-07-03 06:40:00 UTC
[root@lifo ~]# tail -f /var/log/audit/audit.log 
type=AVC msg=audit(1215066907.602:50): avc:  denied  { name_bind } for 
pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)

type=AVC msg=audit(1215066907.602:51): avc:  denied  { name_bind } for 
pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1215066907.602:51): arch=c000003e syscall=49 success=no
exit=-13 a0=4 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)

type=AVC msg=audit(1215066907.607:52): avc:  denied  { name_bind } for 
pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=486c731b items=0 ppid=11396 pid=11413
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1
comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0
key=(null)

type=AVC msg=audit(1215066907.609:53): avc:  denied  { name_bind } for 
pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.609:53): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=3 items=0 ppid=11396 pid=11413 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1
comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0
key=(null)

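A small parser, added here and not part of the bug report, that runs over AVC records shaped like the ones in Comment 10 (the sample lines below are constructed from them) and groups the name_bind denials into the (source type, target type, class, permission) tuples a policy fix has to cover; on a real box audit2allow does the same job against /var/log/audit/audit.log.

```python
import re
from collections import Counter

# Constructed sample: name_bind denials portmap and pmap_set emit once the
# dontaudit rules are disabled (fields follow the audit.log excerpt above).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215066907.602:50): avc:  denied  { name_bind } for  pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
type=AVC msg=audit(1215066907.602:51): avc:  denied  { name_bind } for  pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215066907.607:52): avc:  denied  { name_bind } for  pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1215066907.609:53): avc:  denied  { name_bind } for  pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
"""

# Matches only AVC records; SYSCALL records and other types are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values such as comm="portmap" keep spaces intact.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # Contexts are user:role:type:level; the type is what policy rules key on.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'src_port': int(fields['src']) if 'src' in fields else None,
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize_denials(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def to_allow_rules(counts):
    """Render the grouped denials as the allow rules a policy patch would need."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)
```

The output shows the two domains (portmap_t and portmap_helper_t) that need name_bind on hi_reserved_port_t, which is what the policy update referenced later in the bug addresses; whether to allow or dontaudit a denial is still a judgement call, not something the grouping decides.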

Comment 11 Daniel Walsh 2008-07-16 18:34:29 UTC
Fixed in selinux-policy-2.4.6-142.el5 

Comment 12 RHEL Program Management 2008-07-16 18:39:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Milos Malik 2008-10-03 14:19:52 UTC
Created attachment 319368 [details]
output of /CoreOS/selinux-policy/bugzillas/451805 test

Comment 16 Milos Malik 2008-10-03 14:25:11 UTC
Dan, could you please look at the attachment. The file contains some AVCs which appeared during the test. Before I ran the test I loaded the enableaudit policy package.

Comment 17 Daniel Walsh 2008-10-03 15:38:47 UTC
Looks like a bug

Fixed in selinux-policy-2.4.6-163.el5

Comment 20 errata-xmlrpc 2009-01-20 21:32:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

