* Re: rpc.mountd failure...
       [not found] <412A0E73.5020001@comcast.net>
@ 2004-08-29  7:47 ` Russell Coker
  2004-08-29  9:54   ` Luke Kenneth Casson Leighton
From: Russell Coker @ 2004-08-29  7:47 UTC (permalink / raw)
  To: fedora-selinux-list, SE-Linux; +Cc: Tom London, James Morris, laforge

On Tue, 24 Aug 2004 01:34, Tom London <selinux@comcast.net> wrote:
> Noticed the following, running .524 kernel and latest policy from Rawhide.
>
> > Aug 23 08:20:18 fedora nfs: Starting NFS services:  succeeded
> > Aug 23 08:20:18 fedora nfs: rpc.rquotad startup succeeded
> > Aug 23 08:20:18 fedora nfs: rpc.nfsd startup succeeded
> > Aug 23 08:20:18 fedora kernel: audit(1093274418.647:0): avc:  denied
> > { name_bind } for  pid=2564 exe=/usr/sbin/rpc.mountd
> > scontext=system_u:system_r:nfsd_t
> > tcontext=system_u:object_r:ipp_port_t tclass=udp_socket
> > Aug 23 08:20:18 fedora portmap[2565]: connect from 127.0.0.1 to
> > set(mountd): request from unprivileged port
> > Aug 23 08:20:18 fedora rpc.mountd: unable to register (mountd, 3, udp).
> > Aug 23 08:20:18 fedora nfs: rpc.mountd startup failed
> > Aug 23 08:20:18 fedora rpcidmapd: rpc.idmapd -SIGHUP succeeded

I think that this is a lack in the kernel code.

We have to prevent such access because otherwise if the NFS server is started 
or re-started when cups is not running then cups will be prevented from 
working at all.  Also in some situations you might have a running NFS server 
with no cups installed and want to install it without rebooting.

When the kernel code selects an arbitrary port to bind to it should only select 
from the set of ports that the application in question is permitted to bind 
to.  This would also permit us to restrict an application to two ports (I 
believe that restricting to only one port would not work well for a restart) 
via the SE Linux policy and then use firewall rules controlling access to 
those two ports (currently trying to control access to an RPC service via 
iptables is really difficult).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
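The denial quoted above is the pattern Russell describes: a daemon asks the kernel for an arbitrary port, gets one that policy has labelled for another service (ipp_port_t), and fails with a name_bind denial. As an added example, not code from the thread or from any SELinux tool, here is a small parser that picks such "port collision" denials out of syslog-style AVC lines. The sample log is constructed, with the wrapped avc line from the thread reassembled onto one line and one unrelated denial added for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input (not real logs): the thread's avc line joined onto one
# line, plus a file-read denial and a non-AVC line that must be ignored.
SAMPLE_LOG = """\
Aug 23 08:20:18 fedora kernel: audit(1093274418.647:0): avc:  denied  { name_bind } for  pid=2564 exe=/usr/sbin/rpc.mountd scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:ipp_port_t tclass=udp_socket
Aug 23 08:20:19 fedora kernel: audit(1093274419.101:0): avc:  denied  { read } for  pid=2570 exe=/usr/sbin/rpc.mountd name=exports dev=hda2 ino=12345 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:etc_t tclass=file
Aug 23 08:20:20 fedora nfs: rpc.mountd startup failed
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    verdict: str
    perms: tuple
    fields: dict

    @property
    def source_type(self) -> str:
        return self.fields.get("scontext", "").split(":")[-1]

    @property
    def target_type(self) -> str:
        return self.fields.get("tcontext", "").split(":")[-1]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return the AVC record in a syslog line, or None if the line has none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcRecord(m.group("verdict"), tuple(m.group("perms").split()),
                     dict(KV_RE.findall(m.group("rest"))))


def is_port_collision(rec: AvcRecord) -> bool:
    """name_bind denied on a *_port_t type for a socket: the kernel handed the
    daemon a port that policy reserves for a different service."""
    return (rec.verdict == "denied" and "name_bind" in rec.perms
            and rec.fields.get("tclass") in {"udp_socket", "tcp_socket"}
            and rec.target_type.endswith("_port_t"))


def find_port_collisions(log_text: str) -> list:
    """(exe, source domain, port type) for every collision-style denial in the log."""
    return [(r.fields.get("exe", "?"), r.source_type, r.target_type)
            for r in map(parse_avc, log_text.splitlines())
            if r is not None and is_port_collision(r)]
```

Run over SAMPLE_LOG this reports only the rpc.mountd/ipp_port_t line; the file-read denial is a genuine policy problem rather than a port collision and is left for separate handling.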


* Re: rpc.mountd failure...
  2004-08-29  7:47 ` rpc.mountd failure Russell Coker
@ 2004-08-29  9:54   ` Luke Kenneth Casson Leighton
From: Luke Kenneth Casson Leighton @ 2004-08-29  9:54 UTC (permalink / raw)
  To: Russell Coker
  Cc: fedora-selinux-list, SE-Linux, Tom London, James Morris, laforge

On Sun, Aug 29, 2004 at 05:47:47PM +1000, Russell Coker wrote:

> On Tue, 24 Aug 2004 01:34, Tom London <selinux@comcast.net> wrote:

> When the kernel code selects an arbitrary port to bind to it should only select 
> from the set of ports that the application in question is permitted to bind 
> to.  

 oo. 

 that'd be _great_ because i could restrict skype to a range of ports
 in the firewall rules.

 and giftd (file sharing server).




