Bug 507868 - SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.
SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.
Product: Fedora
Classification: Fedora
Component: nfs-utils (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Steve Dickson
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-06-24 11:24 EDT by Jerry Amundson
Modified: 2009-07-02 10:41 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-02 10:41:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jerry Amundson 2009-06-24 11:24:40 EDT
Description of problem:
SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.

Version-Release number of selected component (if applicable):
Source RPM Packages           nfs-utils-1.2.0-4.fc12
Policy RPM                    selinux-policy-3.6.15-1.fc12

How reproducible:

Steps to Reproduce:
1.observe acl
Actual results:

Expected results:
no acl

Additional info:


SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by rpc.statd. It is not expected that this
access is required by rpc.statd and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:system_r:rpcd_t:s0
Target Objects                None [ udp_socket ]
Source                        rpc.statd
Source Path                   /sbin/rpc.statd
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           nfs-utils-1.2.0-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30- #1 SMP Thu
                              Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 24 Jun 2009 09:26:48 AM CDT
Last Seen                     Wed 24 Jun 2009 09:26:48 AM CDT
Local ID                      db6b62c6-9644-4d6b-829a-29201f1ce580
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1245853608.230:41793): avc:  denied  { listen } for  pid=29164 comm="rpc.statd" lport=51263 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=udp_socket

node=jerry-opti755 type=SYSCALL msg=audit(1245853608.230:41793): arch=c000003e syscall=50 success=yes exit=0 a0=7 a1=80 a2=0 a3=7fff90f1cda0 items=0 ppid=29163 pid=29164 auid=2355 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-06-24 17:45:26 EDT
rpc.statd should not be listening on udp sockets.

I think this is a case of SELinux blocking before the DAC call does.
Comment 2 Jerry Amundson 2009-07-02 10:41:34 EDT
I'm no longer seeing rpc.statd denials.

Note You need to log in before you can comment on or make changes to this bug.