FC8: rpcbind and SELinux still not playing nice



spribyl
20th August 2008, 02:59 PM
I am having a problem with SELinux and NFS on FC8. I did not have this problem with FC7.

Aug 20 08:15:36 n4tkhvc1 kernel: type=1400 audit(1219238136.482:130): avc: denied { read } for pid=2221 comm="rpcbind" name="hosts.deny" dev=md2 ino=72432 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

I know that this is an SELinux policy problem but don't know how to go about fixing it correctly.

I found this thread, but turning off SELinux is not what I want to do as I am actually using it.
http://forums.fedoraforum.org/showthread.php?t=178649&highlight=selinux+rpcbind

Thanks
Steve

SlowJet
20th August 2008, 04:43 PM
The problem is most likely portmapper being replaced with rpcbind (which uses portmap and portmap is calling hosts.deny).


First check for an selinux-policy-targeted update.
Koji is down so I can't see the update logs but there could be one in updates-testing or in koji.

In the meantime, relabel your system.
In a root term:
touch /.autorelabel
reboot

After rebooting try to trigger the message again.
If it comes up (and there is no new policy update referring to it) then

grep for the avc message from /var/log/audit/audit.log into a yourallow.log file,
then use audit2allow:
# audit2allow -i /yourallow.log -M myrpcbind
# checkmodule -M -m -o myrpcbind.mod myrpcbind.te
# semodule_package -o myrpcbind.pp -m myrpcbind.mod
# semodule -i myrpcbind.pp

SJ
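
An added example, not part of the original thread: audit2allow builds one allow rule per denial from the source type, target type, class and permission, so the rule a module would contain can be read straight from the log before anything is loaded. The names avc_to_allow and sample_log are hypothetical, and every sample line except the first (taken from the post above) is constructed.

```shell
#!/bin/sh
# avc_to_allow COMM < logfile
# Print the deduplicated allow rule implied by each AVC denial logged for COMM.
avc_to_allow() {
    awk -v want="$1" '
    /avc: +denied/ {
        comm = ""; src = ""; tgt = ""; cls = ""; perms = ""
        # Permissions sit between the braces: "{ read }" or "{ read getattr }"
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # A context is user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # Skip other processes and lines missing any part of the rule
        if (comm != want || src == "" || tgt == "" || cls == "" || perms == "") next
        if (perms ~ / /) perms = "{ " perms " }"
        rule = "allow " src " " tgt ":" cls " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Line 1 is the denial from the post; lines 2 and 3 are constructed
# (a repeat of the same denial, and a denial for an unrelated process).
sample_log() {
cat <<'EOF'
Aug 20 08:15:36 n4tkhvc1 kernel: type=1400 audit(1219238136.482:130): avc: denied { read } for pid=2221 comm="rpcbind" name="hosts.deny" dev=md2 ino=72432 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Aug 20 08:20:01 n4tkhvc1 kernel: type=1400 audit(1219238401.100:131): avc: denied { read } for pid=2300 comm="rpcbind" name="hosts.deny" dev=md2 ino=72432 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Aug 20 08:21:10 n4tkhvc1 kernel: type=1400 audit(1219238470.200:132): avc: denied { read getattr } for pid=2400 comm="exampled" name="example.conf" dev=md2 ino=99999 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
EOF
}

sample_log | avc_to_allow rpcbind
```

The rule is keyed on types, so it covers every file labelled etc_runtime_t, not only hosts.deny; comparing this output with the generated myrpcbind.te shows exactly what the module grants.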

spribyl
20th August 2008, 04:50 PM
SJ,

Thanks, I will try the relabel tonight.

I hesitate to create modules as I am concerned that I will open things too much and some update will correct the problem later and cause problems.

Steve

SlowJet
20th August 2008, 05:29 PM
If and when, you can remove modules:
semodule -r myrpcbind

SJ