Bug 461659 - MLS prevents nfs mounts on clients
MLS prevents nfs mounts on clients
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-09 15:03 EDT by Robert Story
Modified: 2008-11-17 17:05 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:05:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Story 2008-09-09 15:03:39 EDT
Description of problem:
There are several problems here. On inital boot, rpbcind would not start:

type=AVC msg=audit(1220966499.004:280): avc:  denied  { create } for  pid=1654 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220966499.014:281): avc:  denied  { name_bind } for  pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220966499.018:282): avc:  denied  { name_bind } for  pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1220968763.706:280): avc:  denied  { create } for  pid=1683 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220968763.753:281): avc:  denied  { name_bind } for  pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket                                                                              type=AVC msg=audit(1220968763.756:282): avc:  denied  { name_bind } for  pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t
:s0 tclass=tcp_socket                                                     
                                                                                                                            Sep  9 10:33:16 setme rpcbind: cannot bind * on udp: Permission denied
Sep  9 10:33:17 setme rpcbind: cannot bind tcp: Permission denied                                                                                                                                     

trying a mount results in:

Sep  9 10:36:56 setme kernel: RPC: failed to contact local rpcbind server (errno 5).
Sep  9 10:37:21 setme kernel: RPC: failed to contact local rpcbind server (errno 512).
Sep  9 10:37:51 setme kernel: rpcbind: server localhost not responding, timed out


also, 'run_init service rpcbind stop' failed. Allowing ptrace fixes this. Here is the minimal policy I came up with:

module myrpcclient 1.0.1;
                                                                                                   require {
        type var_run_t;
        type portmap_port_t;                                                                                       
        type initrc_t;       
        type rpcd_t;                    
        class process ptrace;                             
        class sock_file create;
        class tcp_socket name_bind;                                   
        class udp_socket name_bind;                                                                }
                                                                                                   #============= initrc_t ==============                                                             allow initrc_t portmap_port_t:tcp_socket name_bind;                                                allow initrc_t portmap_port_t:udp_socket name_bind;                                                allow initrc_t var_run_t:sock_file create;
# idmap is rpcd_t                                                                                  allow initrc_t rpcd_t:process ptrace;                                                              # rpcbind it initrc_t
allow initrc_t initrc_t:process ptrace; 

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-84.fc9.noarch

How reproducible:
always

Steps to Reproduce:
1. boot mls system
2. try a nfs mount. it will fail.
3. try to stop rpcbind. it will fail
4. load above policy.
5. stop rpcbind. start rpcbind.
6. try nfs mount. should work.
  
Actual results:
failure/timeouts

Expected results:
nfs mount works, run_init service rpcbind stop works.

Additional info:
two avcs remain when restarting rpcbind, but mount seems to work ok anyways:

type=AVC msg=audit(1220971179.384:350): avc:  denied  { name_bind } for  pid=2728 comm="rpcbind" src=784 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220971179.386:351): avc:  denied  { listen } for  pid=2728 comm="rpcbind" lport=38725 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=udp_socket
Comment 1 Daniel Walsh 2008-09-11 09:22:43 EDT
Why is rpcbind running as initrc_t?  Looks like you have it labeled incorrectly.

restorecon -R /sbin/rpcbind

You should never have any daemon processes running as initrc_t on an MLS machine.   They should transition to a confined domain.
Comment 2 Robert Story 2008-09-11 11:46:44 EDT
Sorry, but it is running as initrc_t, and restorecon did nothing:

[root@c51 ~]# ll -Z /sbin/rpcbind
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /sbin/rpcbind
[root@c51 ~]# restorecon -v -R /sbin/rpcbind
[root@c51 ~]# ll -Z /sbin/rpcbind
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /sbin/rpcbind
[root@c51 ~]# run_init service rpcbind status
Authenticating root.
Password:
rpcbind (pid 1635) is running...
[root@c51 ~]# ps -efZ |grep bind
system_u:system_r:initrc_t:s0-s15:c0.c1023 rpc 1635 1  0 Sep09 ?       00:00:00 rpcbind

This is a recent F9 install, which was switched to MLS immediately after install. 

[root@c51 files]# pwd
/etc/selinux/mls/contexts/files
[root@c51 files]# grep rpcbind *
[root@c51 files]#
Comment 3 Daniel Walsh 2008-09-11 13:09:30 EDT
Oops you are right rpcbind policy is not included in F9 MLS Policy

Fixed in selinux-policy-3.3.1-90.fc9.src.rpm
Comment 4 Daniel Walsh 2008-11-17 17:05:41 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.