Bug 997142 - SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities.
SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_s...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:044e17cfebdc673641b55a814d3...
:
: 989516 1004737 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-14 14:45 EDT by Rex Dieter
Modified: 2013-09-13 22:30 EDT (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.3.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-13 22:30:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rex Dieter 2013-08-14 14:45:01 EDT
Description of problem:
logged in to kde-4.11.0 session is all
SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that accounts-daemon should have the net_bind_service capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                 [ capability ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.5-201.fc19.x86_64 #1 SMP Wed
                              Aug 7 16:25:24 UTC 2013 x86_64 x86_64
Alert Count                   34
First Seen                    2013-08-09 08:06:11 CDT
Last Seen                     2013-08-14 13:42:00 CDT
Local ID                      548f9011-9d05-435a-bd8a-a25b46465521

Raw Audit Messages
type=AVC msg=audit(1376505720.840:1323): avc:  denied  { net_bind_service } for  pid=417 comm="accounts-daemon" capability=10  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability


type=SYSCALL msg=audit(1376505720.840:1323): arch=x86_64 syscall=bind success=yes exit=0 a0=b a1=7fff488866c0 a2=10 a3=0 items=0 ppid=1 pid=417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,net_bind_service

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport
Comment 1 Rex Dieter 2013-08-15 10:02:04 EDT
Description of problem:
Just logged in to kde session on f19 x86_64 box (with nfs $HOME, if that matters).

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport
Comment 2 Daniel Walsh 2013-08-15 14:21:46 EDT
Any idea why accountsd would be binding to a port < 1024
Comment 3 Rex Dieter 2013-08-15 14:30:14 EDT
honestly no, accountsservice is still largely a black box (with a neato dbus interface) to me.  I'll try to ask around and find out though.
Comment 4 Rex Dieter 2013-08-15 14:42:15 EDT
For what it's worth, it must be temporary (on startup?)... just checked with lsof, and it's currently not listening.
Comment 5 Marco Nolden 2013-09-05 07:44:07 EDT
Description of problem:
See bug 989516

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport
Comment 6 Daniel Walsh 2013-09-05 09:26:43 EDT
Are you running with NIS?
Comment 7 Rex Dieter 2013-09-05 10:21:31 EDT
Yes, I am running with NIS.
Comment 8 Marco Nolden 2013-09-05 11:12:21 EDT
(In reply to Daniel Walsh from comment #6)
> Are you running with NIS?

Yes, I'm also running NIS.
Comment 9 Daniel Walsh 2013-09-05 11:48:22 EDT
It looks like nis or glibc must have changed to allow priv apps to bind to ports < 1024 fairly recently.  I added a dontaudit for this in git.

a13733d1b028ec3ca4db41d3468b486113c7da5b, nis should continue to attempt to bind to random ports until it gets one > 1024.
Comment 10 Daniel Walsh 2013-09-05 11:49:46 EDT
*** Bug 1004737 has been marked as a duplicate of this bug. ***
Comment 11 Daniel Walsh 2013-09-05 11:50:25 EDT
Reassigning to ypbind package to see if they know anything.
Comment 12 Daniel Walsh 2013-09-05 11:51:22 EDT
Rex do you know about anything that might have changed to cause this?
Comment 13 Honza Horak 2013-09-09 07:34:24 EDT
(In reply to Daniel Walsh from comment #11)
> Reassigning to ypbind package to see if they know anything.

Well, we did nothing serious in NIS packages (ypserv, ypbind, yp-tools) that could influence SELinux access for couple of months. I also don't understand how did you come to ypbind to cause this problem, since I don't probably understand enough what's happening in accounts-daemon that could be related to NIS. Could anybody explain to me the connection of accounts-daemon and ypbind, please?

What I noticed only are some NIS-related changes in selinux-policy, so maybe that could help:

* Fri Sep 06 2013 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-74.2
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
* Thu Aug 08 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-70
- Make NFS home, NIS authentication and dbus-daemon working
* Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24
- Allow yppasswdd to use NIS
* Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
* Wed Jan 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-5
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
Comment 14 Daniel Walsh 2013-09-09 08:16:31 EDT
Ok I think we will just don't audit for now and see if there are other problems.

Fixed in 3.12.1-74.2
Comment 15 Honza Horak 2013-09-09 11:15:45 EDT
OK. Changing the component as well so it corresponds with the actual fix made.
Comment 16 Miroslav Grepl 2013-09-09 12:06:03 EDT
*** Bug 989516 has been marked as a duplicate of this bug. ***
Comment 17 Fedora Update System 2013-09-12 05:09:22 EDT
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19
Comment 18 Fedora Update System 2013-09-12 20:58:33 EDT
Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2013-09-13 22:30:31 EDT
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.