Bug 477020 - selinux prevents the rpcbind service from starting
Summary: selinux prevents the rpcbind service from starting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: x86_64
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-18 17:55 UTC by Jeroen Beerstra
Modified: 2008-12-18 19:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-12-18 19:34:20 UTC
Type: ---
Embargoed:



Description Jeroen Beerstra 2008-12-18 17:55:17 UTC
Description of problem:

SELinux prevents the rpcbind service from starting, and because of this NFS doesn't work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.3.1-111.fc9.noarch
rpcbind-0.1.7-1.fc9.x86_64

How reproducible:

Boot an up-to-date F9

Steps to Reproduce:
1. Boot
2. rpcbind causes an AVC
3. NFS doesn't start completely, and because of this you are unable to mount NFS volumes

Actual results:

NFS does not work

Expected results:

All related services should start as they did before

Additional info:

With SELinux in permissive mode, after restarting the rpcbind and NFS services, mounting NFS volumes works as expected.


Samenvatting:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Gedetailleerde omschrijving:

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additionele informatie:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:system_r:rpcbind_t:s0
Target Objects                None [ capability ]
Bron                          rpcbind
Source Path                   /sbin/rpcbind
Poort                         <Onbekend>
Host                          morphius.lokaal.net
Source RPM Packages           rpcbind-0.1.7-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
SELinux aangezet              True
Policy Type                   targeted
MLS aangezet                  True
Enforcing Mode                Enforcing
Pluginnaam                    catchall
Hostnaam                      morphius.lokaal.net
Platform                      Linux morphius.lokaal.net 2.6.27.7-53.fc9.x86_64
                              #1 SMP Thu Nov 27 02:05:02 EST 2008 x86_64 x86_64
Aantal waarschuwingen         6
Eerst gezien op               za 13 dec 2008 20:50:16 CET
Laatst gezien op              do 18 dec 2008 18:42:21 CET
Local ID                      66dbb0f8-16b7-4236-9097-4773acff4d99
Regelnummers                  

Raw Audit Messages            

node=morphius.lokaal.net type=AVC msg=audit(1229622141.655:68): avc:  denied  { setgid } for  pid=12192 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=morphius.lokaal.net type=SYSCALL msg=audit(1229622141.655:68): arch=c000003e syscall=106 success=no exit=-1 a0=20 a1=20 a2=1 a3=7f62d3e456f0 items=0 ppid=1 pid=12192 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
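
Added example, not part of the original report and not code from the SELinux project: Python that parses the two raw audit records above, joins them on their shared audit event ID, and derives the type-enforcement rule the denial corresponds to. The function names and the one-entry syscall table are assumptions made for this illustration; the records are copied from the report.

```python
import re
# Audit records copied verbatim from the report (both carry event ID 1229622141.655:68).
RECORDS = [
    'node=morphius.lokaal.net type=AVC msg=audit(1229622141.655:68): avc:  denied  { setgid } for  pid=12192 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability',
    'node=morphius.lokaal.net type=SYSCALL msg=audit(1229622141.655:68): arch=c000003e syscall=106 success=no exit=-1 a0=20 a1=20 a2=1 a3=7f62d3e456f0 items=0 ppid=1 pid=12192 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)',
]
# Lookup limited to this report: on x86_64 (arch=c000003e) syscall 106 is setgid(2).
X86_64_SYSCALLS = {106: "setgid"}

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    head = HEADER.search(line)
    if not head:
        return None
    rec = {key: value.strip('"') for key, value in FIELD.findall(line)}
    rec["type"], rec["event_id"] = head.groups()
    avc = AVC.search(line)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def denials(lines):
    """Pair each denied AVC with the SYSCALL record of the same audit event."""
    events = {}
    for rec in filter(None, map(parse_record, lines)):
        events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    found = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        # The SELinux type is the third field of user:role:type:level.
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = avc["perms"]
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        nr = int(sc["syscall"]) if "syscall" in sc else None
        if sc.get("arch") == "c000003e":
            nr = X86_64_SYSCALLS.get(nr, nr)
        found.append({
            "event_id": event_id, "exe": sc.get("exe"), "syscall": nr,
            "succeeded": sc.get("success") == "yes",
            # A rule whose source and target type match uses the "self" keyword.
            "rule": f"allow {src} {'self' if src == tgt else tgt}:{avc['tclass']} {perm};",
        })
    return found
```

For the records in this report, `denials(RECORDS)` returns one entry: a failed `setgid` syscall from `/sbin/rpcbind` with the rule `allow rpcbind_t self:capability setgid;`.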

Comment 1 Daniel Walsh 2008-12-18 19:34:20 UTC
Fixed in selinux-policy-3.3.1-115.fc9

Yum update to this release.

