I ran something similar for the upstream report.
Okay audit2allow now says:
#============= rpcd_t ==============
allow rpcd_t nfs_port_t:tcp_socket name_bind;
allow rpcd_t nfs_port_t:udp_socket name_bind;
allow rpcd_t nfsd_fs_t:dir search;
allow rpcd_t nfsd_fs_t:file { open read };
Or the raw log if that's more what you want:
type=AVC msg=audit(1692348946.100:70): avc: denied { name_bind } for
pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49
success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0
ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116
fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295
comm="rpc.statd" exe="/usr/sbin/rpc.statd"
subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind
AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd"
FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:70):
proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:71): avc: denied { name_bind } for
pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:71): arch=c000003e syscall=49
success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0
ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116
fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295
comm="rpc.statd" exe="/usr/sbin/rpc.statd"
subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind
AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd"
FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:71):
proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:72): avc: denied { name_bind } for
pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:72): arch=c000003e syscall=49
success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0
ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116
fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295
comm="rpc.statd" exe="/usr/sbin/rpc.statd"
subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind
AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd"
FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:72):
proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:73): avc: denied { name_bind } for
pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:73): arch=c000003e syscall=49
success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0
ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116
fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295
comm="rpc.statd" exe="/usr/sbin/rpc.statd"
subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind
AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd"
FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:73):
proctitle="/sbin/rpc.statd"
type=SERVICE_START msg=audit(1692348946.100:74): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=rpc-statd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1692348946.184:85): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=rpc-statd-notify comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'UID="root" AUID="unset" undefinedundefined
On Thu, 2023-08-24 at 23:47 +1000, Russell Coker wrote:
> > This all works fine in permissive mode and there is nothing
> > reported by
> > audit2allow on the log file.
>
> Please run "semodule -DB" and then reproduce the problem, the -D
> option means
> to remove dontaudit rules and the -B option means to rebuild the
> policy that
> is loaded into the kernel. After that you will get lots of messages
> you
> previously didn't get and you can grep /var/log/audit/audit.log for
> the
> relevant ones.
>
