Bug ID | 1193984 |
---|---|
Summary | SELinux: targeted: rpcinfo violation |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 15.3 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Other |
Assignee | screening-team-bugs@suse.de |
Reporter | okir@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
This is with Leap 15.3 and the targeted SELinux policy from MicroOS 5.1.

This is a two-node configuration. Running rpcinfo on the client, trying to perform a NULL call to the server's rpcbind:

```
/sbin/rpcinfo -T udp $server_ip portmapper
```

The test user is tied to SELinux user staff_u.

This results in the following audit message:

```
audit: type=1400 audit(1640160326.582:12): avc: denied { name_bind } for pid=4754 comm="rpcinfo" src=690 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=1
```

It's possible that this is harmless (rpcinfo may just try to do a bindresvport() call in case it's running with privileges). However, in order to avoid noise, we may want to patch this out for euid != 0.
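For triaging records like the one in the report above, the following added example (not part of the original report and not code from rpcinfo or the SELinux tooling) parses an AVC line and flags `name_bind` denials on ports below 1024. The function names and the second, unrelated record are constructed for illustration.

```python
import re

# AVC record copied from the report above.
REPORTED = (
    'audit: type=1400 audit(1640160326.582:12): avc: denied { name_bind } for '
    'pid=4754 comm="rpcinfo" src=690 '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 '
    'tclass=udp_socket permissive=1'
)
# Constructed record of an unrelated denial, to show what the filter skips.
UNRELATED = (
    'audit: type=1400 audit(1640160400.100:13): avc:  denied  { read } for '
    'pid=4800 comm="cat" name="example.conf" '
    'scontext=staff_u:staff_r:staff_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
    rec.update(result=m['result'], perms=m['perms'].split(), serial=int(m['serial']))
    for key in ('scontext', 'tcontext'):
        # user:role:type[:mls-range]; the MLS range may itself contain ':'
        parts = rec.get(key, '').split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec

def reserved_bind_attempt(rec):
    """Summarise a name_bind denial on a port below 1024, else return None."""
    if rec is None or 'name_bind' not in rec['perms'] or not rec.get('src', '').isdigit():
        return None
    if rec.get('tclass') not in ('udp_socket', 'tcp_socket') or int(rec['src']) >= 1024:
        return None
    return {'comm': rec.get('comm'), 'port': int(rec['src']),
            'source_type': rec['scontext_type'], 'port_type': rec['tcontext_type'],
            # permissive=1: the denial was logged but the bind was not blocked by SELinux
            'blocked': rec['result'] == 'denied' and rec.get('permissive') == '0'}

if __name__ == '__main__':
    for line in (REPORTED, UNRELATED):
        print(reserved_bind_attempt(parse_avc(line)))
```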