Bug 451805 - RHEL5.2 |SELINUX: Restarting portmap service shows "not registered portmapper" message
Summary: RHEL5.2 |SELINUX: Restarting portmap service shows "not registered portmapper...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: x86_64
OS: Linux
Priority: low
Severity: urgent
Target Milestone: rc
Assignee: Steve Dickson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-17 14:22 UTC by manoj
Modified: 2014-01-24 13:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 21:32:31 UTC
Target Upstream Version:


Attachments
output of /CoreOS/selinux-policy/bugzillas/451805 test (deleted), 2008-10-03 14:19 UTC, Milos Malik


Links
Red Hat Product Errata RHBA-2009:0163 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2009-01-20 16:05:21 UTC

Description manoj 2008-06-17 14:22:40 UTC
Steps to Reproduce:
1. Install RHEL5u2 OS with SELinux in enforcing mode.
2. Boot the system.
3. Restart the portmap service: /etc/init.d/portmap restart

[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
not registered:     100000    2   tcp    111  portmapper
not registered:     100000    2   udp    111  portmapper

Output of tail -f /var/log/messages is given below:

Jun 17 19:28:20 lifo portmap[11495]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port
Jun 17 19:48:46 lifo portmap[11610]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port
Jun 17 19:48:46 lifo portmap[11611]: connect from 127.0.0.1 to set(portmapper):
request from unprivileged port



Additional info: When I change SELinux to permissive mode using setenforce 0
and then restart portmap, there is no issue, as shown below:
[root@lifo ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]

Comment 1 Steve Dickson 2008-06-24 11:13:35 UTC
Dan,

Has there been any recent fixes to the SELinux policies 
that would address this problem?

Comment 2 Daniel Walsh 2008-06-24 11:20:03 UTC
What AVC's are you seeing?

grep avc /var/log/audit/audit.log or /var/log/messages

Comment 3 manoj 2008-06-24 11:29:10 UTC
I couldn't see any AVC messages or SELinux Troubleshoot alerts while testing
this scenario. I have pasted the /var/log/messages content in my previous comment.
Thanks.

Comment 4 Daniel Walsh 2008-06-25 10:58:38 UTC
Does portmapper work?  Even with generating these errors?

SELinux policy for portmap has

# portmap binds to arbitrary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)

This says that SELinux is allowing portmap to bind to all ports that do not have
a defined port.  SELinux maps types/labels to lots of ports.  Any with a label
portmapper will not be allowed to bind, and then will get a different one.
The attempt will be dontaudited.  If you execute 

# semanage port -l

you will see the list of defined ports.

portmap then complains about the ports it is not allowed to bind.  But it should
continue to try to find a port.


Comment 5 Sudhir Menon 2008-06-25 12:19:33 UTC
I could see the portmap service running.

rpc  13061   1   0   17:23   ?   00:00:00  portmap <--- ps -ef | grep portmap

But when I try to mount the share from the client it gives the below error:

showmount -e 10.1.4.32  (10.1.4.32 is the NFS Server)
mount clntudp_create: RPC: Program not registered.

mount 10.1.4.32:/home/share1  /test1 
mount: mount to NFS Server '10.1.4.32' failed: RPC Error: Program not registered.

Comment 6 Sudhir Menon 2008-06-25 12:50:24 UTC
# semanage port -l | grep 111 gives the below output

portmap_port_t                 tcp      111
portmap_port_t                 udp      111
ricci_port_t                   tcp      11111
ricci_port_t                   udp      11111


Comment 7 Daniel Walsh 2008-06-30 21:16:12 UTC
Try turning off dontaudit rules
# semodule -i /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages
Turn back on dontaudit rules.
# semodule -i /usr/share/selinux/targeted/base.pp

Comment 8 Sudhir Menon 2008-07-02 05:27:37 UTC
# semodule -i /usr/share/selinux/targeted/enableaudit.pp 

Even after executing the above command (with SELinux=enforcing) and restarting
the portmap service, there are no avc messages displayed in the /var/log/messages
file or the /var/log/audit/audit.log file.

But executing the same command gives the below output on the console.

# semodule -i /usr/share/selinux/targeted/enableaudit.pp

libsemanage.parse_module_headers: Received a base module, expected a non-base
module.
semodule:  Failed on /usr/share/selinux/targeted/enableaudit.pp!

Similarly for this command also

#semodule -i /usr/share/selinux/targeted/base.pp
libsemanage.parse_module_headers: Received a base module, expected a non-base
module.
semodule:  Failed on /usr/share/selinux/targeted/base.pp!



Comment 9 Daniel Walsh 2008-07-02 13:56:34 UTC
Sorry should have been -b

Try turning off dontaudit rules
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
# service portmap restart
Look for avc messages
Turn back on dontaudit rules.
# semodule -b /usr/share/selinux/targeted/base.pp

Comment 10 manoj 2008-07-03 06:40:00 UTC
[root@lifo ~]# tail -f /var/log/audit/audit.log 
type=AVC msg=audit(1215066907.602:50): avc:  denied  { name_bind } for 
pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)

type=AVC msg=audit(1215066907.602:51): avc:  denied  { name_bind } for 
pid=11411 comm="portmap" src=988 scontext=root:system_r:portmap_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1215066907.602:51): arch=c000003e syscall=49 success=no
exit=-13 a0=4 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)

type=AVC msg=audit(1215066907.607:52): avc:  denied  { name_bind } for 
pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=486c731b items=0 ppid=11396 pid=11413
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1
comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0
key=(null)

type=AVC msg=audit(1215066907.609:53): avc:  denied  { name_bind } for 
pid=11413 comm="pmap_set" src=990 scontext=root:system_r:portmap_helper_t:s0
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1215066907.609:53): arch=c000003e syscall=49 success=no
exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=3 items=0 ppid=11396 pid=11413 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1
comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0
key=(null)

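A small parser for the audit records shown in Comment 10, added here as an example (it is not part of the bug report): it joins each AVC denial with its SYSCALL record by audit serial number and reports the port, socket class, source and target SELinux types, the executable and the errno, which is how a defender would confirm that portmap_t is being refused hi_reserved_port_t ports rather than failing for some other reason. The sample lines are the comment's own records rejoined onto one line each.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: records copied from Comment 10, one audit record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215066907.602:50): avc:  denied  { name_bind } for pid=11411 comm="portmap" src=987 scontext=root:system_r:portmap_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.602:50): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffa0990fc0 a2=10 a3=0 items=0 ppid=11410 pid=11411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="portmap" exe="/sbin/portmap" subj=root:system_r:portmap_t:s0 key=(null)
type=AVC msg=audit(1215066907.607:52): avc:  denied  { name_bind } for pid=11413 comm="pmap_set" src=989 scontext=root:system_r:portmap_helper_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215066907.607:52): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff959c2e50 a2=10 a3=486c731b items=0 ppid=11396 pid=11413 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts33 ses=1 comm="pmap_set" exe="/usr/sbin/pmap_set" subj=root:system_r:portmap_helper_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_audit(text):
    """Group the key=value fields of AVC and SYSCALL records by audit serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            fields["perms"] = PERMS_RE.search(body).group(1).split()
        events[serial][rtype] = fields
    return events


def name_bind_denials(text):
    """Return one summary dict per denied name_bind, joined with its SYSCALL."""
    out = []
    for serial, ev in sorted(parse_audit(text).items()):
        avc, sc = ev.get("AVC"), ev.get("SYSCALL", {})
        if not avc or "name_bind" not in avc.get("perms", []):
            continue
        # contexts are user:role:type:level; the type is what the policy keys on
        out.append({
            "serial": serial,
            "comm": avc["comm"],
            "port": int(avc["src"]),
            "proto": avc["tclass"].replace("_socket", ""),
            "source_type": avc["scontext"].split(":")[2],
            "port_type": avc["tcontext"].split(":")[2],
            "exe": sc.get("exe"),
            "errno": errno.errorcode.get(-int(sc["exit"])) if "exit" in sc else None,
        })
    return out
```

Run against a real /var/log/audit/audit.log only after loading the enableaudit package as Comment 9 describes, since the dontaudit rules otherwise hide exactly these records.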

Comment 11 Daniel Walsh 2008-07-16 18:34:29 UTC
Fixed in selinux-policy-2.4.6-142.el5 

Comment 12 RHEL Product and Program Management 2008-07-16 18:39:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Milos Malik 2008-10-03 14:19:52 UTC
Created attachment 319368 [details]
output of /CoreOS/selinux-policy/bugzillas/451805 test

Comment 16 Milos Malik 2008-10-03 14:25:11 UTC
Dan, could you please look at the attachment. The file contains some AVCs which appeared during the test. Before I ran the test I loaded the enableaudit policy package.

Comment 17 Daniel Walsh 2008-10-03 15:38:47 UTC
Looks like a bug

Fixed in selinux-policy-2.4.6-163.el5

Comment 20 errata-xmlrpc 2009-01-20 21:32:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

