[DSE-Dev] Bug#1049428: selinux-policy-default: statd and mountd fail to start with fixed ports
Colin Simpson
Colin.Simpson at shyster.org.uk
Tue Aug 15 17:52:12 BST 2023
Package: selinux-policy-default
Version: 2:2.20221101-10
Severity: important
Dear Maintainer,
When I fix the NFS ports to allow firewalling of NFS services,
SELinux prevents rpc.statd or rpc.mountd from starting.
Aug 15 12:31:34 deb12 rpc.statd[811]: Version 2.6.2 starting
Aug 15 12:31:34 deb12 rpc.statd[811]: Flags: TI-RPC
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: failed to create RPC listeners, exiting
.
.
Aug 15 12:31:34 deb12 systemd[1]: rpc-statd.service: Control process exited, code=exited, status=1/FAILURE
Aug 15 12:31:23 deb12 systemd[1]: Mounted run-rpc_pipefs.mount - RPC Pipe File System.
Aug 15 12:31:24 deb12 systemd[1]: Starting nfs-mountd.service - NFS Mount Daemon...
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
.
Aug 15 12:31:24 deb12 rpc.mountd[758]: mountd: No V2 or V3 listeners created!
Aug 15 12:31:24 deb12 rpc.mountd[760]: Version 2.6.2 starting
Aug 15 12:31:24 deb12 systemd[1]: Started nfs-mountd.service - NFS Mount Daemon.
I get a bit further if I set these ports in nfs_port_t:
semanage port -l | grep nfs
nfs_port_t tcp 4003, 4002, 4001, 2049
nfs_port_t udp 4003, 4002, 4001, 2049
And I have applied:
setsebool -P nfs_export_all_rw 1
I now get mountd to start, but statd is still failing.
Aug 15 16:29:33 deb12 rpc.statd[695]: Could not bind socket: (13) Permission denied
I also opened this upstream, but I am not sure if it is an upstream issue; that
was probably the wrong thing to do:
https://github.com/SELinuxProject/refpolicy/issues/629
This all works fine in permissive mode and there is nothing reported by audit2allow on the
log file.
Thanks
Colin Simpson
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default
Versions of packages selinux-policy-default depends on:
ii libselinux1 3.4-1+b6
ii libsemanage2 3.4-1+b5
ii libsepol2 3.4-2.1
ii policycoreutils 3.4-1
ii selinux-utils 3.4-1+b6
Versions of packages selinux-policy-default recommends:
ii checkpolicy 3.4-1+b2
ii setools 4.4.1-2
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
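
Added example (not part of the original report): the report says the binds work in permissive mode while audit2allow shows nothing, a situation in which denials may be suppressed by dontaudit rules. This sketch summarises name_bind denials from audit records once they are visible. The sample records, port 32765 and the type names example_daemon_t and example_port_t are constructed, not taken from the reporter's system.

```shell
#!/bin/sh
# On a live system the input records could be gathered like this:
#   semodule -DB                  # rebuild policy with dontaudit rules disabled
#   systemctl restart rpc-statd   # reproduce the bind failure
#   ausearch -m AVC -ts recent    # raw AVC records to pipe into the function
#   semodule -B                   # rebuild policy with dontaudit rules restored

# Reads audit records on stdin and prints one de-duplicated line per denied
# name_bind: "comm socket_class port source_type target_type".
name_bind_denials() {
    awk '
    /avc:/ && /denied/ && /name_bind/ {
        comm = port = st = tt = cls = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "src")      port = kv[2]
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
        }
        line = comm " " cls " " port " " st " " tt
        if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# Constructed sample: two identical UDP denials, one TCP denial, and one
# unrelated file denial that must be ignored.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1692099094.101:201): avc:  denied  { name_bind } for  pid=811 comm="rpc.statd" src=32765 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1692099094.102:202): avc:  denied  { name_bind } for  pid=811 comm="rpc.statd" src=32765 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1692099094.103:203): avc:  denied  { name_bind } for  pid=811 comm="rpc.statd" src=32765 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1692099094.104:204): avc:  denied  { read } for  pid=811 comm="rpc.statd" name="state" dev="sda1" ino=1234 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
EOF
}

sample_records | name_bind_denials
```

The source type and target type in each output line are the pair to compare against the labels listed by semanage port -l for that port and protocol.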