
Comments (13)

simpz commented on June 9, 2024

Actually, a bit more on this: this works fine if you let the NFS daemons choose their ports, but if you try to fix them, this breaks.

[lockd]
port=4002
[exportd]
[mountd]
manage-gids=y
port=4003
[nfsdcld]
[nfsdcltrack]
[nfsd]
rdma=n

[statd]
port=4001
[sm-notify]
[svcgssd]

This breaks.
If I add these ports to:

semanage  port -l | grep nfs
nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049

I now get mountd to start, but statd is still failing.

Aug 15 16:29:33 debtest rpc.statd[695]: Could not bind socket: (13) Permission denied

 program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4003  mountd
    100005    1   tcp   4003  mountd
    100005    2   udp   4003  mountd
    100005    2   tcp   4003  mountd
    100005    3   udp   4003  mountd
    100005    3   tcp   4003  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp   4002  nlockmgr
    100021    3   udp   4002  nlockmgr
    100021    4   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100021    3   tcp   4002  nlockmgr
    100021    4   tcp   4002  nlockmgr

from refpolicy.

freedom1b2830 commented on June 9, 2024

Disable dontaudit rules and restart the service:

semanage dontaudit off


simpz commented on June 9, 2024

Okay, audit2allow now says:

#============= rpcd_t ==============
allow rpcd_t nfs_port_t:tcp_socket name_bind;
allow rpcd_t nfs_port_t:udp_socket name_bind;
allow rpcd_t nfsd_fs_t:dir search;
allow rpcd_t nfsd_fs_t:file { open read };

Or the raw log if that's more what you want:

type=AVC msg=audit(1692348946.100:70): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:70): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:71): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:71): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:71): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:72): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:72): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:72): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:73): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:73): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:73): proctitle="/sbin/rpc.statd"
type=SERVICE_START msg=audit(1692348946.100:74): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1692348946.184:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"


github-actions commented on June 9, 2024

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.


simpz commented on June 9, 2024

I guess it's still not fixed, so it should stay open?


pebenito commented on June 9, 2024

You would need to add the rules to your policy to allow the access, as suggested by your audit2allow output.

allow rpcd_t nfs_port_t:tcp_socket name_bind;
allow rpcd_t nfs_port_t:udp_socket name_bind;

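To show where the two allow rules above come from, here is an added example (not from the thread, audit2allow or refpolicy) that parses the AVC records simpz posted and renders them both as audit2allow-style rules and as a refpolicy-style local module; the module name local_statd and the sample input are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records as quoted in the thread, plus a SYSCALL and a
# SERVICE_START record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1692348946.100:70): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49 success=no exit=-13 comm="rpc.statd"
type=AVC msg=audit(1692348946.100:71): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1692348946.100:72): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SERVICE_START msg=audit(1692348946.100:74): pid=1 uid=0 msg='unit=rpc-statd comm="systemd" res=failed'
"""

# Fields of an AVC denial: the permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<sctx>\S+)"
    r".*?\btcontext=(?P<tctx>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

def parse_avc_denials(audit_text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC records."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def allow_rules(rules):
    """Render the denials in audit2allow's 'allow src tgt:class perms;' form."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return out

def policy_module(name, rules):
    """Wrap the rules in a refpolicy-style local module (.te) with a gen_require block."""
    types = sorted({t for key in rules for t in key[:2]})
    req = "\n".join(f"\ttype {t};" for t in types)
    return (f"policy_module({name}, 1.0.0)\n\ngen_require(`\n{req}\n')\n\n"
            + "\n".join(allow_rules(rules)) + "\n")
```

Raw allow rules on core types are what audit2allow emits; inside refpolicy itself the same access is normally granted through the corenetwork interfaces for the nfs port, so treat the generated module as a local workaround rather than the upstream fix.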

simpz commented on June 9, 2024

I can make it work with various rules applied via audit2allow, sure.

But shouldn't statd SELinux policies respect these,

semanage  port -l | grep nfs
nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049

, as mountd and lockd already do?

This is true on RHEL based SELinux implementations.


pebenito commented on June 9, 2024

I can't speak to the RHEL policy, but I don't see this access in the Fedora policy.


simpz commented on June 9, 2024

On a Fedora 39, I can just set the ports for statd, lockd and mountd in:
/etc/nfs.conf and /etc/modprobe.d/lockd.conf

And this just works with SELinux, with no setting of nfs_port_t or anything.
Not sure why this is so different on the Fedora targeted policy, i.e. nothing to set.


github-actions commented on June 9, 2024

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.


simpz commented on June 9, 2024

This is still an issue; it seems strange to auto-close bugs with no fix.
