Debian 12.1 statd and mountd fail to start with fixed ports #629

Closed
simpz opened this issue Aug 15, 2023 · 13 comments

Comments

@simpz

simpz commented Aug 15, 2023

When I have SELinux enforcing on:
Aug 15 12:31:34 deb12 rpc.statd[811]: Version 2.6.2 starting
Aug 15 12:31:34 deb12 rpc.statd[811]: Flags: TI-RPC
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: failed to create RPC listeners, exiting
.
.
Aug 15 12:31:34 deb12 systemd[1]: rpc-statd.service: Control process exited, code=exited, status=1/FAILURE
Aug 15 12:31:23 deb12 systemd[1]: Mounted run-rpc_pipefs.mount - RPC Pipe File System.
Aug 15 12:31:24 deb12 systemd[1]: Starting nfs-mountd.service - NFS Mount Daemon...
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
.
Aug 15 12:31:24 deb12 rpc.mountd[758]: mountd: No V2 or V3 listeners created!
Aug 15 12:31:24 deb12 rpc.mountd[760]: Version 2.6.2 starting
Aug 15 12:31:24 deb12 systemd[1]: Started nfs-mountd.service - NFS Mount Daemon.

audit2allow reports nothing.

I may be missing something; I have only ever used RHEL-like systems and not tried Debian SELinux before (or Debian for years, TBH).

I seem to have:
selinux-policy-default/stable,now 2:2.20221101-9 all [installed]

But I did see it saying that it was updating the policy when I installed SELinux; not sure if that is outwith the package manager?

And have applied:
setsebool -P nfs_export_all_rw 1

@simpz (Author)

simpz commented Aug 15, 2023

Actually, a bit more on this: this works fine if you let the NFS daemons choose their ports, but if you try to fix them, this breaks.

[lockd]
port=4002
[exportd]
[mountd]
manage-gids=y
port=4003
[nfsdcld]
[nfsdcltrack]
[nfsd]
rdma=n

[statd]
port=4001
[sm-notify]
[svcgssd]

This breaks.
If I add these ports to nfs_port_t:

semanage port -l | grep nfs
nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049

I now get mountd to start, but statd is still failing.

Aug 15 16:29:33 debtest rpc.statd[695]: Could not bind socket: (13) Permission denied

 program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4003  mountd
    100005    1   tcp   4003  mountd
    100005    2   udp   4003  mountd
    100005    2   tcp   4003  mountd
    100005    3   udp   4003  mountd
    100005    3   tcp   4003  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp   4002  nlockmgr
    100021    3   udp   4002  nlockmgr
    100021    4   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100021    3   tcp   4002  nlockmgr
    100021    4   tcp   4002  nlockmgr

@simpz simpz changed the title Debian 12.1 statd and mountd fail to start Debian 12.1 statd and mountd fail to start with fixed ports Aug 15, 2023
@freedom1b2830 (Contributor)

Disable dontaudit rules and restart the service:

semanage dontaudit off

@simpz (Author)

simpz commented Aug 18, 2023

Okay, audit2allow now says:

#============= rpcd_t ==============
allow rpcd_t nfs_port_t:tcp_socket name_bind;
allow rpcd_t nfs_port_t:udp_socket name_bind;
allow rpcd_t nfsd_fs_t:dir search;
allow rpcd_t nfsd_fs_t:file { open read };

Or the raw log if that's more what you want:

type=AVC msg=audit(1692348946.100:70): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:70): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:71): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:71): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:71): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:72): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:72): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:72): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:73): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:73): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:73): proctitle="/sbin/rpc.statd"
type=SERVICE_START msg=audit(1692348946.100:74): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1692348946.184:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

@github-actions

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.

@github-actions github-actions bot added the stale Issue/PR has not had any recent activity. label Oct 18, 2023
@simpz (Author)

simpz commented Oct 18, 2023

I guess it's still not fixed, so it should stay open?

@github-actions github-actions bot removed the stale Issue/PR has not had any recent activity. label Oct 19, 2023
@pebenito (Member)

You would need to add the rules to your policy to allow the access, as suggested by your audit2allow output:

allow rpcd_t nfs_port_t:tcp_socket name_bind;
allow rpcd_t nfs_port_t:udp_socket name_bind;
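
To make the step from the raw AVC records quoted above to those two allow rules explicit, here is an added example (my own code, not from the issue, the refpolicy project or audit2allow itself). It re-implements the small part of audit2allow this thread relies on: parse the `avc: denied` lines, group the denied permissions by source type, target type and object class, and wrap the resulting rules in a Type Enforcement module with its require block. The sample log is constructed for the example (it copies the four AVC lines from the issue, with the SYSCALL records shortened), and the module name `statd_fixed_ports` is an assumption; nothing here talks to the kernel or to semodule.

```python
"""Turn SELinux AVC denials into allow rules and a local TE policy module.

Added example, not code from the issue or the refpolicy project. It mirrors what
audit2allow does for the denials in this thread so the mapping from
'avc: denied { name_bind } ... scontext=...rpcd_t... tcontext=...nfs_port_t...'
to 'allow rpcd_t nfs_port_t:tcp_socket name_bind;' is visible.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC records from the issue (two of them are repeats
# of the same denial) plus a SYSCALL line that the parser must ignore. These
# lines only reach the audit log after `semanage dontaudit off`, which is why
# audit2allow reported nothing at first.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1692348946.100:70): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49 success=no exit=-13 ...
type=AVC msg=audit(1692348946.100:71): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1692348946.100:72): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1692348946.100:73): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
"""

# One AVC record: the braces hold one or more permissions, then the two
# security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:level] -> type (the part an allow rule names)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Repeated denials collapse into one key, so the four records above yield
    two entries: one for udp_socket and one for tcp_socket.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE, SERVICE_START ... are not denials
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(denials):
    """Render audit2allow-style allow rules, sorted for stable output."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


def policy_module(name, version, denials):
    """Wrap the rules in a loadable TE module: header, require block, rules."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, tclass), perms in denials.items():
        types.update((src, tgt))
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Module name is an assumption for the example.
    print(policy_module("statd_fixed_ports", "1.0", parse_denials(SAMPLE_AUDIT_LOG)))
```

The printed module can be built and loaded the standard way (`checkmodule -M -m -o statd_fixed_ports.mod statd_fixed_ports.te`, `semodule_package -o statd_fixed_ports.pp -m statd_fixed_ports.mod`, `semodule -i statd_fixed_ports.pp`). Note that the module only grants what the denials asked for: rpcd_t may bind ports labelled nfs_port_t, which is exactly the widening pebenito describes as easier to add than to take away, and it does not cover the two nfsd_fs_t lines that audit2allow also reported.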

@simpz (Author)

simpz commented Nov 29, 2023

I can make it work with various rules applied via audit2allow, sure.

But shouldn't the statd SELinux policy respect these, as mountd and lockd already do?

semanage port -l | grep nfs
nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049

This is true on RHEL based SELinux implementations.

@pebenito (Member)

pebenito commented Dec 4, 2023

I can't speak to the RHEL policy, but I don't see this access in the Fedora policy.

@simpz (Author)

simpz commented Dec 4, 2023

On Fedora 39, I can just set the ports for statd, lockd and mountd in:
/etc/nfs.conf and /etc/modprobe.d/lockd.conf

And this just works with SELinux, no setting of nfs_port_t or anything.
Not sure why this is so different from the Fedora targeted policy, i.e. nothing to set.

@github-actions

github-actions bot commented Feb 3, 2024

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.

@github-actions github-actions bot added the stale Issue/PR has not had any recent activity. label Feb 3, 2024
@simpz (Author)

simpz commented Feb 4, 2024

This is still an issue; it seems strange to auto-close bugs with no fix.

@github-actions github-actions bot removed the stale Issue/PR has not had any recent activity. label Feb 5, 2024
@pebenito (Member)

"Not sure why this is so different from the Fedora targeted policy, i.e. nothing to set."

refpolicy starts from a more secure state. Adding rules is much easier than removing rules.

@simpz (Author)

simpz commented Feb 22, 2024

As I previously said, even if the refpolicy is more secure, shouldn't the statd SELinux policy respect these, as mountd and lockd already do?

semanage port -l | grep nfs
nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049
