Bug 507868 - SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.
Summary: SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: nfs-utils
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-24 15:24 UTC by Jerry Amundson
Modified: 2009-07-02 14:41 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-02 14:41:34 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Jerry Amundson 2009-06-24 15:24:40 UTC 
Description of problem:
SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.


Version-Release number of selected component (if applicable):
Source RPM Packages           nfs-utils-1.2.0-4.fc12
Policy RPM                    selinux-policy-3.6.15-1.fc12

How reproducible:
once

Steps to Reproduce:
1.observe acl
2.
3.
  
Actual results:
acl 

Expected results:
no acl

Additional info:

Summary:

SELinux is preventing rpc.statd (rpcd_t) "listen" rpcd_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by rpc.statd. It is not expected that this
access is required by rpc.statd and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:system_r:rpcd_t:s0
Target Objects                None [ udp_socket ]
Source                        rpc.statd
Source Path                   /sbin/rpc.statd
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           nfs-utils-1.2.0-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu
                              Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 24 Jun 2009 09:26:48 AM CDT
Last Seen                     Wed 24 Jun 2009 09:26:48 AM CDT
Local ID                      db6b62c6-9644-4d6b-829a-29201f1ce580
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1245853608.230:41793): avc:  denied  { listen } for  pid=29164 comm="rpc.statd" lport=51263 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=udp_socket

node=jerry-opti755 type=SYSCALL msg=audit(1245853608.230:41793): arch=c000003e syscall=50 success=yes exit=0 a0=7 a1=80 a2=0 a3=7fff90f1cda0 items=0 ppid=29163 pid=29164 auid=2355 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-06-24 21:45:26 UTC 
rpc.statd should not be listening on udp sockets.

I think this is a case of SELinux blocking before the DAC call does.
Comment 2 Jerry Amundson 2009-07-02 14:41:34 UTC 
I'm no longer seeing rpc.statd denials.
Note You need to log in before you can comment on or make changes to this bug.