Description of problem:
There are several problems here. On initial boot, rpcbind would not start:

type=AVC msg=audit(1220966499.004:280): avc: denied { create } for pid=1654 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220966499.014:281): avc: denied { name_bind } for pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220966499.018:282): avc: denied { name_bind } for pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1220968763.706:280): avc: denied { create } for pid=1683 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220968763.753:281): avc: denied { name_bind } for pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220968763.756:282): avc: denied { name_bind } for pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Sep 9 10:33:16 setme rpcbind: cannot bind * on udp: Permission denied
Sep 9 10:33:17 setme rpcbind: cannot bind tcp: Permission denied

Trying a mount results in:

Sep 9 10:36:56 setme kernel: RPC: failed to contact local rpcbind server (errno 5).
Sep 9 10:37:21 setme kernel: RPC: failed to contact local rpcbind server (errno 512).
Sep 9 10:37:51 setme kernel: rpcbind: server localhost not responding, timed out

Also, 'run_init service rpcbind stop' failed. Allowing ptrace fixes this.

Here is the minimal policy I came up with:

module myrpcclient 1.0.1;

require {
	type var_run_t;
	type portmap_port_t;
	type initrc_t;
	type rpcd_t;
	class process ptrace;
	class sock_file create;
	class tcp_socket name_bind;
	class udp_socket name_bind;
}

#============= initrc_t ==============
allow initrc_t portmap_port_t:tcp_socket name_bind;
allow initrc_t portmap_port_t:udp_socket name_bind;
allow initrc_t var_run_t:sock_file create;
# idmap is rpcd_t
allow initrc_t rpcd_t:process ptrace;
# rpcbind is initrc_t
allow initrc_t initrc_t:process ptrace;

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-84.fc9.noarch

How reproducible:
always

Steps to Reproduce:
1. boot mls system
2. try a nfs mount. it will fail.
3. try to stop rpcbind. it will fail
4. load above policy.
5. stop rpcbind. start rpcbind.
6. try nfs mount. should work.

Actual results:
failure/timeouts

Expected results:
nfs mount works, run_init service rpcbind stop works.

Additional info:
Two AVCs remain when restarting rpcbind, but mount seems to work ok anyway:

type=AVC msg=audit(1220971179.384:350): avc: denied { name_bind } for pid=2728 comm="rpcbind" src=784 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220971179.386:351): avc: denied { listen } for pid=2728 comm="rpcbind" lport=38725 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=udp_socket
Why is rpcbind running as initrc_t? Looks like you have it labeled incorrectly.

restorecon -R /sbin/rpcbind

You should never have any daemon processes running as initrc_t on an MLS machine. They should transition to a confined domain.
Sorry, but it is running as initrc_t, and restorecon did nothing:

[root@c51 ~]# ll -Z /sbin/rpcbind
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /sbin/rpcbind
[root@c51 ~]# restorecon -v -R /sbin/rpcbind
[root@c51 ~]# ll -Z /sbin/rpcbind
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /sbin/rpcbind
[root@c51 ~]# run_init service rpcbind status
Authenticating root.
Password:
rpcbind (pid 1635) is running...
[root@c51 ~]# ps -efZ |grep bind
system_u:system_r:initrc_t:s0-s15:c0.c1023 rpc 1635 1 0 Sep09 ? 00:00:00 rpcbind

This is a recent F9 install, which was switched to MLS immediately after install.

[root@c51 files]# pwd
/etc/selinux/mls/contexts/files
[root@c51 files]# grep rpcbind *
[root@c51 files]#
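As an added example (not the reporter's nor the selinux-policy maintainers' code), here is a small POSIX shell script that does the triage shown in the two comments above offline. It collapses repeated AVC lines into distinct (source domain, target type, class, permission) tuples so the initrc_t source domain stands out, lists processes from `ps -efZ` output whose domain is initrc_t, and flags binaries whose `ls -Z` type is the generic bin_t, which is what you get when no file-context entry exists for the daemon and restorecon therefore has nothing to apply. The sample audit, ps and ls lines are constructed from the ones quoted in this report; the function names avc_summary, initrc_daemons and generic_bin_labels are the example's own, and the ls -Z column layout assumed is the F9-era one shown above (mode, user, group, context, path).

```shell
#!/bin/sh
# Added example, not part of the bug report: offline triage helpers for the
# "daemon running as initrc_t" symptom. Function names are the example's own.

# Constructed sample input, copied from the lines quoted in this report.
SAMPLE_AVC='type=AVC msg=audit(1220966499.004:280): avc: denied { create } for pid=1654 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220966499.014:281): avc: denied { name_bind } for pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1220966499.018:282): avc: denied { name_bind } for pid=1654 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1220968763.753:281): avc: denied { name_bind } for pid=1683 comm="rpcbind" src=111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=udp_socket'

# Constructed `ps -efZ` output: one confined daemon, one stuck in initrc_t.
SAMPLE_PS='LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:init_t:s0-s15:c0.c1023 root 1 0 0 Sep09 ? 00:00:01 /sbin/init
system_u:system_r:initrc_t:s0-s15:c0.c1023 rpc 1635 1 0 Sep09 ? 00:00:00 rpcbind
system_u:system_r:rpcd_t:s0-s15:c0.c1023 root 1662 1 0 Sep09 ? 00:00:00 rpc.idmapd'

# Constructed F9-era `ls -Z` output: mode user group context path.
SAMPLE_LS='-rwxr-xr-x root root system_u:object_r:bin_t:s0 /sbin/rpcbind
-rwxr-xr-x root root system_u:object_r:rpcd_exec_t:s0 /usr/sbin/rpc.idmapd'

# avc_summary: read audit lines on stdin and print each distinct
# "<source domain> <target type> <class> <permission>" once, in order of
# first appearance. Repeated denials from restarts collapse, and the first
# column shows immediately which domain the daemon is really running in.
avc_summary() {
    awk '
    /avc: +denied/ {
        perm = ""; sdom = ""; ttype = ""; cls = ""
        if (match($0, /denied +[{][^}]*[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") { split(kv[2], c, ":"); sdom = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        key = sdom " " ttype " " cls " " perm
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# initrc_daemons: read `ps -efZ` output on stdin and print command and pid
# of every process whose domain is initrc_t. On an MLS box this should be
# empty once the init scripts have finished; anything left is a daemon
# that never transitioned to its confined domain.
initrc_daemons() {
    awk '{
        split($1, c, ":")
        if (c[3] == "initrc_t") printf "%s pid=%s\n", $9, $3
    }'
}

# generic_bin_labels: read F9-era `ls -Z` output on stdin and print paths
# whose type is the generic bin_t. A daemon binary labeled bin_t means no
# file-context entry matched it, so restorecon leaves it alone and the init
# script keeps running it in initrc_t rather than a confined domain.
generic_bin_labels() {
    awk '{
        split($4, c, ":")
        if (c[3] == "bin_t") print $5
    }'
}

# Run all three checks against the constructed samples.
echo "== distinct denials (source target class perm) =="
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "== processes still in initrc_t =="
printf '%s\n' "$SAMPLE_PS" | initrc_daemons
echo "== daemon binaries labeled bin_t =="
printf '%s\n' "$SAMPLE_LS" | generic_bin_labels
```

On a live system the same functions take real input: `ausearch -m avc -ts boot | avc_summary`, `ps -efZ | initrc_daemons`, and `ls -Z /sbin/* /usr/sbin/* | generic_bin_labels`. If a daemon shows up in the second list and its binary in the third, the fix is a file-context entry plus a domain transition for it (i.e. the missing policy module), not an allow rule for initrc_t as in the reporter's interim module.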
Oops, you are right: rpcbind policy is not included in F9 MLS Policy.

Fixed in selinux-policy-3.3.1-90.fc9.src.rpm
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.