461659 – MLS prevents nfs mounts on clients

Bug 461659 - MLS prevents nfs mounts on clients

Summary: MLS prevents nfs mounts on clients

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-mls
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-09-09 19:03 UTC by Robert Story
Modified:	2008-11-17 22:05 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-17 22:05:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Robert Story 2008-09-09 19:03:39 UTC

Description of problem:
There are several problems here. On inital boot, rpbcind would not start:

type=AVC msg=audit(1220966499.004:280): avc:  denied  { create } for  pid=1654 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220966499.014:281): avc:  denied  { name_bind } for  pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220966499.018:282): avc:  denied  { name_bind } for  pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1220968763.706:280): avc:  denied  { create } for  pid=1683 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220968763.753:281): avc:  denied  { name_bind } for  pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket                                                                              type=AVC msg=audit(1220968763.756:282): avc:  denied  { name_bind } for  pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t
:s0 tclass=tcp_socket                                                     
                                                                                                                            Sep  9 10:33:16 setme rpcbind: cannot bind * on udp: Permission denied
Sep  9 10:33:17 setme rpcbind: cannot bind tcp: Permission denied                                                                                                                                     

trying a mount results in:

Sep  9 10:36:56 setme kernel: RPC: failed to contact local rpcbind server (errno 5).
Sep  9 10:37:21 setme kernel: RPC: failed to contact local rpcbind server (errno 512).
Sep  9 10:37:51 setme kernel: rpcbind: server localhost not responding, timed out


also, 'run_init service rpcbind stop' failed. Allowing ptrace fixes this. Here is the minimal policy I came up with:

module myrpcclient 1.0.1;
                                                                                                   require {
        type var_run_t;
        type portmap_port_t;                                                                                       
        type initrc_t;       
        type rpcd_t;                    
        class process ptrace;                             
        class sock_file create;
        class tcp_socket name_bind;                                   
        class udp_socket name_bind;                                                                }
                                                                                                   #============= initrc_t ==============                                                             allow initrc_t portmap_port_t:tcp_socket name_bind;                                                allow initrc_t portmap_port_t:udp_socket name_bind;                                                allow initrc_t var_run_t:sock_file create;
# idmap is rpcd_t                                                                                  allow initrc_t rpcd_t:process ptrace;                                                              # rpcbind it initrc_t
allow initrc_t initrc_t:process ptrace; 

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-84.fc9.noarch

How reproducible:
always

Steps to Reproduce:
1. boot mls system
2. try a nfs mount. it will fail.
3. try to stop rpcbind. it will fail
4. load above policy.
5. stop rpcbind. start rpcbind.
6. try nfs mount. should work.
  
Actual results:
failure/timeouts

Expected results:
nfs mount works, run_init service rpcbind stop works.

Additional info:
two avcs remain when restarting rpcbind, but mount seems to work ok anyways:

type=AVC msg=audit(1220971179.384:350): avc:  denied  { name_bind } for  pid=2728 comm="rpcbind" src=784 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220971179.386:351): avc:  denied  { listen } for  pid=2728 comm="rpcbind" lport=38725 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=udp_socket

Comment 1 Daniel Walsh 2008-09-11 13:22:43 UTC

Why is rpcbind running as initrc_t?  Looks like you have it labeled incorrectly.

restorecon -R /sbin/rpcbind

You should never have any daemon processes running as initrc_t on an MLS machine.   They should transition to a confined domain.

Comment 2 Robert Story 2008-09-11 15:46:44 UTC

Sorry, but it is running as initrc_t, and restorecon did nothing:

[root@c51 ~]# ll -Z /sbin/rpcbind
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /sbin/rpcbind
[root@c51 ~]# restorecon -v -R /sbin/rpcbind
[root@c51 ~]# ll -Z /sbin/rpcbind
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /sbin/rpcbind
[root@c51 ~]# run_init service rpcbind status
Authenticating root.
Password:
rpcbind (pid 1635) is running...
[root@c51 ~]# ps -efZ |grep bind
system_u:system_r:initrc_t:s0-s15:c0.c1023 rpc 1635 1  0 Sep09 ?       00:00:00 rpcbind

This is a recent F9 install, which was switched to MLS immediately after install. 

[root@c51 files]# pwd
/etc/selinux/mls/contexts/files
[root@c51 files]# grep rpcbind *
[root@c51 files]#

Comment 3 Daniel Walsh 2008-09-11 17:09:30 UTC

Oops you are right rpcbind policy is not included in F9 MLS Policy

Fixed in selinux-policy-3.3.1-90.fc9.src.rpm

Comment 4 Daniel Walsh 2008-11-17 22:05:41 UTC

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.