Bug 477020 - selinux prevents the rpcbind service from starting
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
x86_64 Linux
low Severity high
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-12-18 12:55 EST by Jeroen Beerstra
Modified: 2008-12-18 14:34 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-12-18 14:34:20 EST

Description Jeroen Beerstra 2008-12-18 12:55:17 EST
Description of problem:

Selinux prevents the rpcbind service from starting and because of this nfs doesn't work.

Version-Release number of selected component (if applicable):


How reproducible:

Boot an up2date F9

Steps to Reproduce:
1. Boot
2. rpcbind causes an AVC
3. nfs doesn't start completely and because of this you are unable to mount nfs volumes

Actual results:

Nfs does not work

Expected results:

All related services should start as they did before

Additional info:

With SELinux in permissive mode, after restarting the rpcbind and nfs services, mounting nfs volumes works as expected.


SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Gedetailleerde omschrijving:

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additionele informatie:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:system_r:rpcbind_t:s0
Target Objects                None [ capability ]
Bron                          rpcbind
Source Path                   /sbin/rpcbind
Poort                         <Onbekend>
Host                          morphius.lokaal.net
Source RPM Packages           rpcbind-0.1.7-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
SELinux aangezet              True
Policy Type                   targeted
MLS aangezet                  True
Enforcing Mode                Enforcing
Pluginnaam                    catchall
Hostnaam                      morphius.lokaal.net
Platform                      Linux morphius.lokaal.net
                              #1 SMP Thu Nov 27 02:05:02 EST 2008 x86_64 x86_64
Aantal waarschuwingen         6
Eerst gezien op               za 13 dec 2008 20:50:16 CET
Laatst gezien op              do 18 dec 2008 18:42:21 CET
Local ID                      66dbb0f8-16b7-4236-9097-4773acff4d99

Raw Audit Messages            

node=morphius.lokaal.net type=AVC msg=audit(1229622141.655:68): avc:  denied  { setgid } for  pid=12192 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=morphius.lokaal.net type=SYSCALL msg=audit(1229622141.655:68): arch=c000003e syscall=106 success=no exit=-1 a0=20 a1=20 a2=1 a3=7f62d3e456f0 items=0 ppid=1 pid=12192 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
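
The two raw audit records above belong to one event (serial 68), and reading them together shows which call was refused. The following is an added example, not part of the original report or of any SELinux tool: it correlates the records by event id, decodes the numeric capability and syscall, and prints the allow rule the denial corresponds to. The lookup tables are deliberately partial, and the printed rule is for review only; the report does not say what the change in selinux-policy-3.3.1-115.fc9 contains.

```python
import re

# The two raw audit records quoted in the report (same event, serial 68).
RECORDS = [
    'node=morphius.lokaal.net type=AVC msg=audit(1229622141.655:68): avc:  denied  { setgid } for  pid=12192 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability',
    'node=morphius.lokaal.net type=SYSCALL msg=audit(1229622141.655:68): arch=c000003e syscall=106 success=no exit=-1 a0=20 a1=20 a2=1 a3=7f62d3e456f0 items=0 ppid=1 pid=12192 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)',
]
# Partial lookup tables: only the values needed to read this report.
CAPABILITIES = {6: "CAP_SETGID", 7: "CAP_SETUID"}
SYSCALLS = {"c000003e": {105: "setuid", 106: "setgid"}}  # c000003e = x86_64

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse(line):
    """Split one audit record into fields; None if it is not an audit record."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event"] = (m.group(2), m.group(3))  # (timestamp, serial) links AVC and SYSCALL
    perms = PERMS_RE.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def correlate(lines):
    """Group records by audit event id, keyed by record type."""
    events = {}
    for rec in filter(None, map(parse, lines)):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    return events

def summarize(event):
    """Describe a denial: domain, decoded capability and syscall, matching allow rule."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if avc is None:
        return None
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    out = {"domain": src, "exe": None, "syscall": None, "arg0": None,
           "capability": CAPABILITIES.get(int(avc.get("capability", -1))),
           "rule": "allow %s %s:%s %s;" % (src, "self" if tgt == src else tgt, avc["tclass"], perms)}
    if sc is not None:  # an AVC can appear without its SYSCALL record
        names = SYSCALLS.get(sc["arch"], {})
        out.update(exe=sc["exe"], syscall=names.get(int(sc["syscall"])),
                   arg0=int(sc["a0"], 16))  # syscall arguments are logged in hex
    return out

if __name__ == "__main__":
    for event in correlate(RECORDS).values():
        print(summarize(event))
```
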
Comment 1 Daniel Walsh 2008-12-18 14:34:20 EST
Fixed in selinux-policy-3.3.1-115.fc9

Yum update to this release.
