Bug 867415 - SELinux is not letting rpcbind access /etc/passwd
Summary: SELinux is not letting rpcbind access /etc/passwd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-17 13:19 UTC by Steve Dickson
Modified: 2012-12-20 15:56 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 15:56:19 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
audit log (2.69 MB, text/x-log)
2012-10-17 13:22 UTC, Steve Dickson 		no flags Details
View All

Description Steve Dickson 2012-10-17 13:19:41 UTC 
Description of problem:
SELlinux is not letting rpcbind access /etc/passwd. 

Oct 17 09:11:32 f18 rpcbind: cannot get uid of 'rpc': Permission denied
Oct 17 09:11:32 f18 systemd[1]: rpcbind.service: main process exited, code=exited, status=1
Oct 17 09:11:32 f18 systemd[1]: Unit rpcbind.service entered failed state.
Oct 17 09:11:32 f18 setroubleshoot: SELinux is preventing rpcbind from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l e6d2d369-5ac1-46e8-89f9-ab483923d21e


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-18.fc18.noarch
selinux-policy-3.11.1-18.fc18.noarch
rpcbind-0.2.0-18.fc18

How reproducible:
100%

Steps to Reproduce:
1. service rpcbind start
2.
3.
Comment 1 Steve Dickson 2012-10-17 13:20:09 UTC 
sealert -l e6d2d369-5ac1-46e8-89f9-ab483923d21e
SELinux is preventing rpcbind from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rpcbind should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rpcbind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        rpcbind
Source Path                   rpcbind
Port                          <Unknown>
Host                          f18.boston.devel.redhat.com
Source RPM Packages           rpcbind-0.2.0-18.fc18.x86_64
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-18.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f18.boston.devel.redhat.com
Platform                      Linux f18.boston.devel.redhat.com
                              3.6.0-0.rc2.git2.1.fc18.x86_64 #1 SMP Wed Aug 22
                              11:54:04 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-10-17 09:10:47 EDT
Last Seen                     2012-10-17 09:11:31 EDT
Local ID                      e6d2d369-5ac1-46e8-89f9-ab483923d21e

Raw Audit Messages
type=AVC msg=audit(1350479491.941:46): avc:  denied  { read } for  pid=878 comm="rpcbind" name="passwd" dev="dm-1" ino=133305 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1350479491.941:46): arch=x86_64 syscall=open success=no exit=EACCES a0=7effb960d6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpcbind exe=/usr/sbin/rpcbind subj=system_u:system_r:rpcbind_t:s0 key=(null)

Hash: rpcbind,rpcbind_t,passwd_file_t,file,read

audit2allow

#============= rpcbind_t ==============
allow rpcbind_t passwd_file_t:file read;

audit2allow -R

#============= rpcbind_t ==============
allow rpcbind_t passwd_file_t:file read;
Comment 2 Steve Dickson 2012-10-17 13:22:00 UTC 
Created attachment 628802 [details]
audit log
Comment 3 Steve Dickson 2012-10-17 13:39:11 UTC 
Selinux is also not allowing rpcbind access to its registration files

Oct 17 09:25:48 f18 rpcbind: cannot save any registration
Oct 17 09:33:59 f18 rpcbind: Cannot open '/var/lib/rpcbind/rpcbind.xdr' file for reading, errno 13 (Permission denied)
Oct 17 09:34:00 f18 rpcbind: Cannot open '/var/lib/rpcbind/portmap.xdr' file for reading, errno 13 (Permission denied)
Comment 4 Miroslav Grepl 2012-10-17 13:57:17 UTC 
Fixed in selinux-policy-3.11.1-40.fc18.noarch
Comment 5 Fedora Update System 2012-10-23 20:35:43 UTC 
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18
Comment 6 Fedora Update System 2012-10-26 15:38:39 UTC 
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18
Comment 7 Fedora Update System 2012-10-26 19:28:16 UTC 
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2012-12-20 15:56:22 UTC 
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.