Steps to Reproduce:
1. Install RHEL5u2 OS with SELinux enforced in enforcing mode.
2. Boot the system.
3. Restart the portmap service: /etc/init.d/portmap restart

[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap: [ OK ]
Starting portmap: [ OK ]
not registered: 100000 2 tcp 111 portmapper
not registered: 100000 2 udp 111 portmapper

tail -f /var/log/messages output given below:
Jun 17 19:28:20 lifo portmap[11495]: connect from 127.0.0.1 to set(portmapper): request from unprivileged port
Jun 17 19:48:46 lifo portmap[11610]: connect from 127.0.0.1 to set(portmapper): request from unprivileged port
Jun 17 19:48:46 lifo portmap[11611]: connect from 127.0.0.1 to set(portmapper): request from unprivileged port

Additional info: When I change SELinux to permissive mode using setenforce 0 and then restart portmap there is no issue, as given below:
[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap: [ OK ]
Starting portmap: [ OK ]
Dan, has there been any recent fixes to the SELinux policies that would address this problem?
What AVCs are you seeing?
grep avc /var/log/audit/audit.log or /var/log/messages
I couldn't see any AVC messages or SELinux Troubleshoot Alerts while testing this scenario. I have pasted the /var/log/messages content in my previous comment. Thanks.
Does portmapper work? Even with generating these errors?

SELinux policy for portmap has

# portmap binds to arbitrary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)

This says that SELinux is allowing portmap to bind to all ports that do not have a defined port. SELinux maps types/labels to lots of ports. Any with a label portmapper will not be allowed to bind, and then will get a different one. The attempt will be dontaudited. If you execute

# semanage port -l

you will see the list of defined ports. portmap then complains about the ports it is not allowed to bind. But it should continue to try to find a port.
I could see the portmap service running.
rpc 13061 1 0 17:23 ? 00:00:00 portmap <--- ps -ef | grep portmap

But when I try to mount the share from the client it gives the below error:
showmount -e 10.1.4.32 (10.1.4.32 is the NFS Server)
mount clntudp_create: RPC: Program not registered.
mount 10.1.4.32:/home/share1 /test1
mount: mount to NFS Server '10.1.4.32' failed: RPC Error: Program not registered.
# semanage port -l | grep 111
gives the below output:
portmap_port_t tcp 111
portmap_port_t udp 111
ricci_port_t tcp 11111
ricci_port_t udp 11111
Try turning off dontaudit rules:
# semodule -i /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages.
Turn back on dontaudit rules:
# semodule -i /usr/share/selinux/targeted/base.pp
# semodule -i /usr/share/selinux/targeted/enableaudit.pp
Even after executing the above command (with SELinux=enforcing) and restarting the portmap service there are no avc messages displayed in the /var/log/messages file or the /var/log/audit/audit.log file. But executing the same command gives the below output on the console.
# semodule -i /usr/share/selinux/targeted/enableaudit.pp
libsemanage.parse_module_headers: Received a base module, expected a non-base module.
semodule: Failed on /usr/share/selinux/targeted/enableaudit.pp!
Similarly for this command also:
# semodule -i /usr/share/selinux/targeted/base.pp
libsemanage.parse_module_headers: Received a base module, expected a non-base module.
semodule: Failed on /usr/share/selinux/targeted/base.pp!
Sorry, should have been -b.
Try turning off dontaudit rules:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages.
Turn back on dontaudit rules:
# semodule -b /usr/share/selinux/targeted/base.pp
[root@lifo ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1215066907.602:50): avc: denied { name_bind } for pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
type=AVC msg=audit(1215066907.602:51): avc: denied { name_bind } for pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1215066907.602:51): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
type=AVC msg=audit(1215066907.607:52): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=486c731b items=0 ppid=11396 pid=11413 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1 comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0 key=(null)
type=AVC msg=audit(1215066907.609:53): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.609:53): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=3 items=0 ppid=11396 pid=11413 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1 comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0 key=(null)
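As an added example (not part of this bug report or of the selinux-policy package), a small Python parser that turns AVC records like the ones above into a per-domain summary of which source ports were denied name_bind, and renders the allow rules that audit2allow would propose for comparison. The sample input is constructed from the records quoted in this comment, with the SYSCALL record abbreviated.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from this bug report plus one
# abbreviated SYSCALL record, to show non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1215066907.602:50): avc: denied { name_bind } for pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 comm="portmap" exe="/sbin/portmap"
type=AVC msg=audit(1215066907.602:51): avc: denied { name_bind } for pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215066907.607:52): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1215066907.609:53): avc: denied { name_bind } for pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for a denied AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # Contexts are user:role:type:level; only the type matters for the rule.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize_bind_denials(text):
    """Group name_bind denials as {(source type, port type, tclass): sorted src ports}."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and 'name_bind' in rec['perms'] and 'src' in rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].add(int(rec['src']))
    return {k: sorted(v) for k, v in groups.items()}

def allow_rules(summary):
    """TE allow rules audit2allow would propose for the summary (for comparison only;
    the fix in this bug was the updated selinux-policy package, not a local module)."""
    return sorted('allow %s %s:%s name_bind;' % k for k in summary)

if __name__ == '__main__':
    for key, ports in sorted(summarize_bind_denials(SAMPLE_AUDIT).items()):
        print('%s denied name_bind on %s (%s), src ports %s' % (key[0], key[1], key[2], ports))
```

Run against a real /var/log/audit/audit.log only after loading enableaudit.pp as described earlier in this thread, since the dontaudit rules in base.pp hide exactly these records.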
Fixed in selinux-policy-2.4.6-142.el5
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Created attachment 319368: output of /CoreOS/selinux-policy/bugzillas/451805 test
Dan, could you please look at the attachment. The file contains some AVCs which appeared during the test. Before I ran the test I loaded the enableaudit policy package.
Looks like a bug. Fixed in selinux-policy-2.4.6-163.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html