Bug 461371 - Selinux prevents NFS statd from starting
Selinux prevents NFS statd from starting
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-06 18:22 EDT by Paul Smith
Modified: 2008-12-16 10:07 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-09-07 10:22:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Smith 2008-09-06 18:22:38 EDT
With Selinux runing on enforcing mode, NFS statd cannot start. However, if I turn Selinux to permissive mode, there is no problem.

Paul
Comment 1 Paul Smith 2008-09-07 05:57:40 EDT
The messages that I get are:

----------------

Summary:

SELinux is preventing the rpcbind from using potentially mislabeled files
(./services).

Detailed Description:

SELinux has denied rpcbind access to potentially mislabeled file(s)
(./services). This means that SELinux will not allow rpcbind to use these files.
It is common for users to edit files in their home directory or tmp directories
and then move (mv) them to system directories. The problem is that the files end
up with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want rpcbind to access this files, you need to relabel them using
restorecon -v './services'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:object_r:rpm_script_tmp_t:s0
Target Objects                ./services [ file ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          mypc
Source RPM Packages           rpcbind-0.1.4-16.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     mypc
Platform                      Linux mypc 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4
                              14:08:11 EDT 2008 i686 i686
Alert Count                   73
First Seen                    Sat 06 Sep 2008 10:36:32 PM WEST
Last Seen                     Sun 07 Sep 2008 10:42:52 AM WEST
Local ID                      1107afa5-a33e-457b-b65c-e7fec26fb64d
Line Numbers                  

Raw Audit Messages            

host=mypc type=AVC msg=audit(1220780572.503:49): avc:  denied  { read } for  pid=4150 comm="rpcbind" name="services" dev=dm-0 ino=11649032 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file

host=mypc type=SYSCALL msg=audit(1220780572.503:49): arch=40000003 syscall=5 success=no exit=-13 a0=30ef06 a1=80000 a2=1b6 a3=80000 items=0 ppid=4149 pid=4150 auid=500 uid=32 gid=0 euid=32 suid=32 fsuid=32 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)

----------------

Paul
Comment 2 Paul Smith 2008-09-07 10:22:21 EDT
The problem was solved with a relabeling. So, it is not a bug, and I am going to close it.

Paul
Comment 3 Daniel Walsh 2008-09-08 09:18:05 EDT
This is caused by a bug in the post install of the vmware package.  vmware edits the /etc/services file in /tmp in the post install of rpm and then mv's it to /etc.  This ends up labeling the file rpm_script_tmp_t.  restorecon /etc/services would fix the problem.
Comment 4 Gerard Fernandes 2008-12-16 02:38:51 EST
I get this error as well and I have no VM-Ware installed on my system (except for this package which seems to get pulled in somehow: xorg-x11-drv-vmware-10.16.0-1.fc9.i386).
The end result is the same: ntp statd fails to start.

Here is the SE Linux alert detail:

Summary:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Detailed Description:

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:system_r:rpcbind_t:s0
Target Objects                None [ capability ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          achiles.fernandes.net
Source RPM Packages           rpcbind-0.1.7-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     achiles.fernandes.net
Platform                      Linux achiles.fernandes.net 2.6.27.5-41.fc9.i686
                              #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sun 14 Dec 2008 11:49:59 AM GMT
Last Seen                     Sun 14 Dec 2008 11:49:59 AM GMT
Local ID                      14d460c6-e46a-4766-af5c-d34997e8a0ea
Line Numbers                  

Raw Audit Messages            

node=achiles.fernandes.net type=AVC msg=audit(1229255399.217:38): avc:  denied  { setgid } for  pid=7637 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=achiles.fernandes.net type=SYSCALL msg=audit(1229255399.217:38): arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bfe32b50 items=0 ppid=7636 pid=7637 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
Comment 5 Daniel Walsh 2008-12-16 10:07:13 EST
Latest selinux policy should fix this.

Note You need to log in before you can comment on or make changes to this bug.