mysterious bind() denial for NFS mounting


Postby law » Fri Feb 22, 2008 2:55 am

So, I've been banging my head on this all day and all night, and I just cannot figure out what I'm doing wrong. I'm trying to stop this error message from flooding my error logs:

Feb 22 01:50:42 somebox kernel: [ 1236.938364] grsec: (root:U:/bin/mount) denied bind() to 0.0.0.0 port 725 sock type stream protocol tcp by /bin/mount[mount:3259] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

For the root role, my /bin/mount subject looks like this:
subject /bin/mount {
/
/bin h
/bin/umount x
/dev h
/dev/pts
/dev/sda*
/lib rx
/etc
/etc/ld.so.cache r
/etc/hosts r
/etc/mtab rwcd
/etc/mtab.tmp rwcd
/etc/mtab* wcd
/etc/ssh h
/etc/grsec h
/etc/shadow* h
/etc/passwd h
/etc/selinux/config r

/var
/var/log h

# Most /proc stuff should be hidden, but some stuff needs to be read
/proc
/proc/kcore h
/proc/sys h
/proc/*/mounts r

-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG

# bind disabled
bind 0.0.0.0:0-65536 any_sock any_proto
connect 10.1.53.0/24:389 stream tcp
connect 10.1.1.122/32:53 dgram udp
connect 10.1.1.123/32:53 dgram udp
connect 10.1.1.253/32:111 stream dgram tcp udp
connect 10.1.1.252/32:2049 any_sock any_proto
connect 10.1.1.253/32:2049 any_sock any_proto
connect 0.0.0.0/32:0-65535 any_sock any_proto
}

No matter what mask I give 0.0.0.0 (/0, /32, whatever) it still continues to show up and flood the living bajeezus out of my logs. My NFS mounts still work, strangely enough, but I just can't shake this cursed error message. Anyone out there deal with a similar problem, or have any thoughts as to what I can do?

--Lee
law
 
Posts: 15
Joined: Wed Jun 27, 2007 2:21 pm

Re: mysterious bind() denial for NFS mounting

Postby spender » Fri Feb 22, 2008 11:13 am

What if you change the 0-65536 to 0-65535 (or remove the port range completely)? If that fixes it, I'll update gradm to give an error when you specify an invalid port number. If that doesn't fix it, let me know if removing the entire bind line solves the problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: mysterious bind() denial for NFS mounting

Postby law » Fri Feb 22, 2008 1:27 pm

Oh. My <unprintable>. word! That worked *perfectly*! I gave it a valid port range, and it complained about needing +CAP_NET_BIND_SERVICE and hardlink access to /etc/mtab, which I gave it, and now it's happy! Thank you *so* much, I had been staring at that ACL (and getting grsec rolled out on our last few database boxes) all day, all night, and into the wee hours of the next day! Ahhh the joys of the lowly sysadmin... :P Here's the "working" ACL just for reference. Maybe it'll save some other Linux ninja a late night/early morning...

subject /bin/mount {
/
/bin h
/bin/umount x
/dev h
/dev/pts
/dev/sda*
/lib rx
/etc
/etc/ld.so.cache r
/etc/fstab r
/etc/hosts r
/etc/nsswitch.conf r
/etc/resolv.conf r
/etc/host.conf r
/etc/mtab rwcdl
/etc/mtab.tmp rwcdl
/etc/mtab* rwcdl
/etc/ssh h
/etc/grsec h
/etc/shadow* h
/etc/passwd h
/etc/selinux/config r

/var
/var/log h

# Most /proc stuff should be hidden, but some stuff needs to be read
/proc
/proc/kcore h
/proc/sys h
/proc/*/mounts r

-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
+CAP_NET_BIND_SERVICE

bind disabled
bind 0.0.0.0/0:0-65535 any_sock any_proto
connect 10.1.53.0/24:389 stream tcp
connect 10.1.1.122/32:53 dgram udp
connect 10.1.1.123/32:53 dgram udp
connect 10.1.1.253/32:111 stream dgram tcp udp
connect 10.1.1.252/32:2049 any_sock any_proto
connect 10.1.1.253/32:2049 any_sock any_proto
connect 0.0.0.0/0:0-65535 any_sock any_proto
}
law
 
Posts: 15
Joined: Wed Jun 27, 2007 2:21 pm
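A small checker, added here as an example (it is not part of this thread or of gradm itself), that parses bind/connect rules in the form the posts use, rejects a port above 65535 the way spender said the next gradm would, and tests the logged denial from the first post against a rule set. It assumes a rule written without a netmask means /32 and that the socket-type keyword set in SOCK_TYPES matches gradm's.

```python
import ipaddress
import re
# Constructed from the thread: the bind line before the fix, the corrected line
# from the "working" ACL, and the kernel denial message from the first post.
BROKEN_RULE = "bind 0.0.0.0:0-65536 any_sock any_proto"
FIXED_RULE = "bind 0.0.0.0/0:0-65535 any_sock any_proto"
DENIAL = ("grsec: (root:U:/bin/mount) denied bind() to 0.0.0.0 port 725 "
          "sock type stream protocol tcp by /bin/mount[mount:3259]")

RULE_RE = re.compile(r"^(bind|connect)\s+([\d.]+)(?:/(\d+))?:(\d+)(?:-(\d+))?\s+(.*)$")
DENIAL_RE = re.compile(r"denied (bind|connect)\(\) to (\S+) port (\d+) "
                       r"sock type (\w+) protocol (\w+)")
SOCK_TYPES = {"stream", "dgram", "raw_sock", "rdm", "any_sock"}  # assumed keyword set

def parse_rule(line):
    """Parse one bind/connect rule; reject a port outside 0-65535 (the check
    spender said the next gradm would add). A missing mask is taken as /32."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    kind, ip, mask, lo, hi, rest = m.groups()
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range {lo}-{hi} is outside 0-65535 in {line!r}")
    tokens = rest.split()
    return {"kind": kind, "ports": (lo, hi),
            "net": ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False),
            "socks": {t for t in tokens if t in SOCK_TYPES},
            "protos": {t for t in tokens if t not in SOCK_TYPES}}

def rule_matches(rule, kind, ip, port, sock, proto):
    """True if the rule covers this socket operation (address, port, type, protocol)."""
    lo, hi = rule["ports"]
    return (rule["kind"] == kind and ipaddress.ip_address(ip) in rule["net"]
            and lo <= port <= hi
            and ("any_sock" in rule["socks"] or sock in rule["socks"])
            and ("any_proto" in rule["protos"] or proto in rule["protos"]))

def check_denial(rule_lines, denial):
    """Return 'allowed' or 'denied' for the attempt in a grsec log line, or the
    parser's complaint when a rule is invalid (as 0-65536 was)."""
    kind, ip, port, sock, proto = DENIAL_RE.search(denial).groups()
    try:
        rules = [parse_rule(r) for r in rule_lines]
    except ValueError as e:
        return f"invalid rule: {e}"
    hit = any(rule_matches(r, kind, ip, int(port), sock, proto) for r in rules)
    return "allowed" if hit else "denied"
```

Running check_denial([BROKEN_RULE], DENIAL) reports the out-of-range port, while the corrected line allows the bind to 0.0.0.0 port 725 that was being logged.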

Re: mysterious bind() denial for NFS mounting

Postby spender » Mon Feb 25, 2008 9:46 am

Glad to help. The next version of gradm will give an error when an invalid port number is specified.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
