Re: rpc.mountd failure...

From: Russell Coker
Date: 2004-08-29 7:47 UTC
To: fedora-selinux-list, SE-Linux
Cc: Tom London, James Morris, laforge

On Tue, 24 Aug 2004 01:34, Tom London <selinux@comcast.net> wrote:
> Noticed the following, running .524 kernel and latest policy from Rawhide.
>
> > Aug 23 08:20:18 fedora nfs: Starting NFS services: succeeded
> > Aug 23 08:20:18 fedora nfs: rpc.rquotad startup succeeded
> > Aug 23 08:20:18 fedora nfs: rpc.nfsd startup succeeded
> > Aug 23 08:20:18 fedora kernel: audit(1093274418.647:0): avc: denied
> > { name_bind } for pid=2564 exe=/usr/sbin/rpc.mountd
> > scontext=system_u:system_r:nfsd_t
> > tcontext=system_u:object_r:ipp_port_t tclass=udp_socket
> > Aug 23 08:20:18 fedora portmap[2565]: connect from 127.0.0.1 to
> > set(mountd): request from unprivileged port
> > Aug 23 08:20:18 fedora rpc.mountd: unable to register (mountd, 3, udp).
> > Aug 23 08:20:18 fedora nfs: rpc.mountd startup failed
> > Aug 23 08:20:18 fedora rpcidmapd: rpc.idmapd -SIGHUP succeeded

I think that this is a lack in the kernel code. We have to prevent such access because otherwise if the NFS server is started or re-started when cups is not running then cups will be prevented from working at all. Also in some situations you might have a running NFS server with no cups installed and want to install it without rebooting.

When the kernel code selects an arbitrary port to bind to it should only select from the set of ports that the application in question is permitted to bind to.
This would also permit us to restrict an application to two ports (I believe that restricting to only one port would not work well for a restart) via the SE Linux policy and then use firewall rules controlling access to those two ports (currently trying to control access to an RPC service via iptables is really difficult).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Re: rpc.mountd failure...

From: Luke Kenneth Casson Leighton
Date: 2004-08-29 9:54 UTC
To: Russell Coker
Cc: fedora-selinux-list, SE-Linux, Tom London, James Morris, laforge

On Sun, Aug 29, 2004 at 05:47:47PM +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 01:34, Tom London <selinux@comcast.net> wrote:
> When the kernel code selects an arbitrary port to bind to it should only select
> from the set of ports that the application in question is permitted to bind
> to.

Oo, that'd be _great_, because I could restrict skype to a range of ports in the firewall rules. And giftd (file sharing server).
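A constructed model of the port-selection change proposed in the two messages above (choose an automatic port only from the types the domain may name_bind to, and pin an application to a fixed pair of ports that firewall rules can then reference), added here as an illustration; it is not code from the thread or from the kernel, and the port labels, allow rules, the skype_t/skype_port_t names and the candidate port lists are all assumptions.

```python
"""Model of SELinux name_bind checks during automatic port selection.

Constructed illustration, not kernel code: a port is chosen first and
SELinux then checks name_bind against the label of whatever was chosen,
so the choice can land on a type the domain may not bind to (ipp_port_t
in the thread's log).  Labels and rules are a made-up policy subset.
"""
from typing import Dict, Iterable, List, Optional, Set

# Type label of each port object; unlabelled ports fall back to port_t.
PORT_TYPES: Dict[int, str] = {
    631: "ipp_port_t",        # cups; the type rpc.mountd hit in the log
    2049: "nfs_port_t",
    40000: "skype_port_t",    # hypothetical pair reserved for one app
    40001: "skype_port_t",
}

# Port types each domain may name_bind to (constructed subset of a policy).
ALLOW_NAME_BIND: Dict[str, Set[str]] = {
    "nfsd_t": {"port_t", "nfs_port_t"},
    "skype_t": {"skype_port_t"},   # hypothetical: pinned to its two ports
}


def port_type(port: int) -> str:
    return PORT_TYPES.get(port, "port_t")


def name_bind_allowed(domain: str, port: int) -> bool:
    return port_type(port) in ALLOW_NAME_BIND.get(domain, set())


def naive_pick(domain: str, candidates: Iterable[int]) -> Optional[int]:
    """Behaviour the thread complains about: the first candidate is taken
    and the bind simply fails (None) when the policy denies it."""
    port = next(iter(candidates), None)
    if port is None or not name_bind_allowed(domain, port):
        return None
    return port


def policy_aware_pick(domain: str, candidates: Iterable[int]) -> Optional[int]:
    """Proposed behaviour: skip candidates the domain may not bind to."""
    for port in candidates:
        if name_bind_allowed(domain, port):
            return port
    return None


def bindable_ports(domain: str, ports: Iterable[int]) -> List[int]:
    """Every port a domain could ever be given; with a dedicated port type
    this is the small fixed set that firewall rules can refer to."""
    return [p for p in ports if name_bind_allowed(domain, p)]
```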