Bug 738628 - avc denial 'sys_rawio' for rpc.mountd
Summary: avc denial 'sys_rawio' for rpc.mountd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 798764 (view as bug list)
Depends On:
Blocks:
Reported: 2011-09-15 12:22 UTC by Karel Volný
Modified: 2012-06-20 12:24 UTC
CC List: 7 users

Fixed In Version: selinux-policy-3.7.19-139.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:24:44 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description Karel Volný 2011-09-15 12:22:28 UTC
Description of problem:
Running the test /CoreOS/quota/Regression/bz515697-too-many-mountpoints we are sometimes getting avc denials for rpc.mountd - not sure if this is a problem of the selinux policy or of nfs-utils itself.

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-8.el6.i686
selinux-policy-3.7.19-110.el6.noarch

How reproducible:
sometimes

Steps to Reproduce:
1. schedule the test /CoreOS/quota/Regression/bz515697-too-many-mountpoints in Beaker
Actual results:
time->Tue Sep 13 08:37:47 2011
type=SYSCALL msg=audit(1315917467.083:297024): arch=c000003e syscall=16 success=no exit=-25 a0=16 a1=5331 a2=0 a3=7fff1000ce40 items=0 ppid=1 pid=5517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1315917467.083:297024): avc:  denied  { sys_rawio } for  pid=5517 comm="rpc.mountd" capability=17  scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:system_r:nfsd_t:s0 tclass=capability
Fail: AVC messages found.


Expected results:
no denials

Additional info:
see
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1310/131079/271491/2972907/15668739//test_log-Setup-avc.log

Comment 3 Steve Dickson 2011-09-27 17:54:53 UTC
This appears to be an selinux policy problem... Reassigning

Comment 4 Daniel Walsh 2011-09-27 18:39:10 UTC
Steve are you saying that nfsd needs sys_rawio?

/* Allow ioperm/iopl access */
/* Allow sending USB messages to any device via /proc/bus/usb */

#define CAP_SYS_RAWIO        17

Comment 5 Eric Paris 2011-09-28 14:32:50 UTC
I'm having a hard time tracking down what ioctl 0x5331 is, which apparently the rpc code called to trigger this.

Comment 6 RHEL Product and Program Management 2011-10-07 16:05:39 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 8 Steve Dickson 2011-12-14 12:57:27 UTC
(In reply to comment #4)
> Steve are you saying that nfsd needs sys_rawio?
> 
> /* Allow ioperm/iopl access */
> /* Allow sending USB messages to any device via /proc/bus/usb */
> 
> #define CAP_SYS_RAWIO        17
It's not clear what is going on...

mountd does access things under /proc/net/rpc and /proc/fs/ and /var/lib/nfs/
for upcalls from the kernel, but other than that I cannot see why
sys_rawio would be needed...

Comment 9 Daniel Walsh 2011-12-14 15:13:24 UTC
I guess we can add a dontaudit rule.

Comment 14 Miroslav Grepl 2012-02-28 15:57:33 UTC
fs_getattr_all_fs(rpcd_t) is needed.

Milos,
were you testing it with disabled unconfined module?

Comment 15 Milos Malik 2012-02-28 16:06:29 UTC
No, unconfined module was enabled at that time.

Comment 16 Scott Poore 2012-02-29 16:39:44 UTC
I am seeing similar getattr and read AVCs for rpc.mountd.   I also see a mountd one with tclass=dir.

Comment 17 Daniel Walsh 2012-02-29 19:01:39 UTC
Scott, attach your AVCs so we can make sure you are seeing the same problem.

Comment 18 Scott Poore 2012-02-29 19:21:27 UTC
Here you go:

----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.811:216018): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4243 a2=7fffd750ba50 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.811:216018): avc:  denied  { getattr } for  pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.812:216019): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8ac000 a1=90800 a2=7fffd750bb30 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.812:216019): avc:  denied  { read } for  pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.874:216020): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4ae3 a2=7fffd750a380 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216020): avc:  denied  { getattr } for  pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.874:216021): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8a4030 a1=90800 a2=7fffd750a460 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216021): avc:  denied  { read } for  pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Let me know if you need anything else.

Comment 19 Daniel Walsh 2012-02-29 19:50:53 UTC
Well those are allowed in Fedora.

Comment 20 Scott Poore 2012-03-01 01:10:18 UTC
This was from a 6.3 test build.  Should they be allowed there or is there some other configuration I could use to avoid this?  Or is there a fix already that should make it into the 6.3 release?

Thanks

Comment 21 Miroslav Grepl 2012-03-01 07:22:31 UTC
*** Bug 798764 has been marked as a duplicate of this bug. ***

Comment 22 Miroslav Grepl 2012-03-01 07:54:09 UTC
This relates to removing the

nfs_exports_all_*

booleans. These booleans have been removed because of bug #760405.

nfs_export_all_ro

...
...

auth_read_all_dirs_except_shadow(nfsd_t)
auth_read_all_files_except_shadow(nfsd_t)

Looks like we will need to add

files_list_all_mountpoints(nfsd_t)
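An added triage example for the AVC records in the description and comment 18 and for the policy discussion in comments 9 and 22 (this is not code from the bug, from nfs-utils or from selinux-policy): it pairs each AVC record with its SYSCALL record by audit serial, decodes the x86_64 syscall number and errno, names the denied capability, and renders the raw TE rule that audit2allow would emit for the denial. The syscall and capability tables are small subsets I supply for the numbers seen here; the "dontaudit candidate" classification is a triage heuristic (a denial whose SYSCALL record ends in something other than EACCES/EPERM did not itself fail the call), not a fact stated in the thread. The raw allow rules it prints are what audit2allow produces; the maintainer's actual fix in comment 22 uses the files_list_all_mountpoints(nfsd_t) interface instead of such raw rules. The ioctl request number is kept only so it can be looked up in the kernel headers; the script does not claim what 0x5331 is.

```python
"""Triage SELinux AVC denials from raw audit records.

Pairs each AVC record with its SYSCALL record by audit serial number,
decodes the syscall and errno, names the denied capability, and renders
the raw TE rule audit2allow would produce for comparison with the policy
interface the maintainer chose.
"""
import errno
import re
from collections import defaultdict

# Audit records copied verbatim from this bug's description and comment 18.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1315917467.083:297024): arch=c000003e syscall=16 success=no exit=-25 a0=16 a1=5331 a2=0 a3=7fff1000ce40 items=0 ppid=1 pid=5517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1315917467.083:297024): avc:  denied  { sys_rawio } for  pid=5517 comm="rpc.mountd" capability=17  scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:system_r:nfsd_t:s0 tclass=capability
type=SYSCALL msg=audit(1330490154.811:216018): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4243 a2=7fffd750ba50 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.811:216018): avc:  denied  { getattr } for  pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1330490154.812:216019): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8ac000 a1=90800 a2=7fffd750bb30 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.812:216019): avc:  denied  { read } for  pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

# Subset of the x86_64 syscall table (arch=c000003e): only the numbers seen above.
X86_64_SYSCALLS = {2: "open", 16: "ioctl", 262: "newfstatat"}
# Subset of linux/capability.h; CAP_SYS_RAWIO = 17 is the value quoted in comment 4.
CAPABILITIES = {17: "CAP_SYS_RAWIO", 21: "CAP_SYS_ADMIN"}

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")


def parse_records(text):
    """Group records by audit serial: {serial: {"SYSCALL": {...}, "AVC": {...}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            perms = PERMS.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
        events[int(serial)][rtype] = fields
    return events


def se_type(context):
    """Type field of a user:role:type:level security context."""
    return context.split(":")[2]


def triage(events):
    """One summary per AVC record, joined with its SYSCALL record when present."""
    rows = []
    for serial, recs in events.items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        ret = int(sc["exit"]) if "exit" in sc else None
        row = {
            "serial": serial,
            "comm": avc.get("comm"),
            "perms": avc["perms"],
            "tclass": avc.get("tclass"),
            "stype": se_type(avc["scontext"]),
            "ttype": se_type(avc["tcontext"]),
            # Decode only for x86_64; other arches need their own table.
            "syscall": X86_64_SYSCALLS.get(nr, f"#{nr}") if sc.get("arch") == "c000003e" else None,
            # Negative exit value is -errno; errno.errorcode gives its symbolic name.
            "errno": errno.errorcode.get(-ret) if ret is not None and ret < 0 else None,
            "target": avc.get("path") or avc.get("name"),
        }
        if row["tclass"] == "capability":
            cap = int(avc["capability"])
            row["target"] = CAPABILITIES.get(cap, f"capability {cap}")
            if row["syscall"] == "ioctl":
                # a1 holds the ioctl request number; kept for lookup in kernel headers.
                row["ioctl_request"] = "0x" + sc["a1"]
        rows.append(row)
    return rows


def suggest(row):
    """Heuristic: did this denial actually fail the syscall?

    EACCES/EPERM in the SYSCALL record means the access was blocked, so an
    allow rule (ideally via a policy interface) is needed.  Any other errno
    means the kernel only probed the permission and the call failed for an
    unrelated reason, so the AVC is noise and a dontaudit candidate.
    """
    if row["errno"] in ("EACCES", "EPERM"):
        return "allow needed"
    if row["tclass"] == "capability":
        return "dontaudit candidate"
    return "inspect"


def policy_rule(row):
    """Raw TE rule for the denial, in the form audit2allow would emit."""
    verb = "dontaudit" if suggest(row) == "dontaudit candidate" else "allow"
    target = "self" if row["ttype"] == row["stype"] else row["ttype"]
    perms = row["perms"][0] if len(row["perms"]) == 1 else "{ " + " ".join(row["perms"]) + " }"
    return f"{verb} {row['stype']} {target}:{row['tclass']} {perms};"


if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE_AUDIT)):
        print(f"{row['serial']} {row['comm']} {row['syscall']} -> {row['errno']}: "
              f"{row['tclass']} {row['perms']} on {row['target']} [{suggest(row)}]")
        print("   ", policy_rule(row))
```

Run against the records above, the sys_rawio denial comes out as an ioctl that failed with ENOTTY, so the capability check was not what broke the call and a dontaudit rule (Daniel Walsh's suggestion in comment 9) is the proportionate response; the getattr and read denials failed with EACCES and are real access failures that need policy, which is why the maintainer reached for a files interface rather than per-type allow rules.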

Comment 27 errata-xmlrpc 2012-06-20 12:24:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

