mysterious bind() denial for NFS mounting
Posted: Fri Feb 22, 2008 2:55 am
So, I've been banging my head on this all day and all night, and I just cannot figure out what I'm doing wrong. I'm trying to stop this error message from flooding my error logs:
Feb 22 01:50:42 somebox kernel: [ 1236.938364] grsec: (root:U:/bin/mount) denied bind() to 0.0.0.0 port 725 sock type stream protocol tcp by /bin/mount[mount:3259] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
For the root role, my /bin/mount subject looks like this:
subject /bin/mount {
/
/bin h
/bin/umount x
/dev h
/dev/pts
/dev/sda*
/lib rx
/etc
/etc/ld.so.cache r
/etc/hosts r
/etc/mtab rwcd
/etc/mtab.tmp rwcd
/etc/mtab* wcd
/etc/ssh h
/etc/grsec h
/etc/shadow* h
/etc/passwd h
/etc/selinux/config r
/var
/var/log h
# Most /proc stuff should be hidden, but some stuff needs to be read
/proc
/proc/kcore h
/proc/sys h
/proc/*/mounts r
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
# bind disabled
bind 0.0.0.0:0-65536 any_sock any_proto
connect 10.1.53.0/24:389 stream tcp
connect 10.1.1.122/32:53 dgram udp
connect 10.1.1.123/32:53 dgram udp
connect 10.1.1.253/32:111 stream dgram tcp udp
connect 10.1.1.252/32:2049 any_sock any_proto
connect 10.1.1.253/32:2049 any_sock any_proto
connect 0.0.0.0/32:0-65535 any_sock any_proto
}
No matter what mask I give 0.0.0.0 (/0, /32, whatever) it still continues to show up and flood the living bajeezus out of my logs. My NFS mounts still work, strangely enough, but I just can't shake this cursed error message. Has anyone out there dealt with a similar problem, or have any thoughts as to what I can do?
--Lee
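As an added example (not from Lee's post and not grsecurity's own tooling), here is a small Python checker that parses grsec "denied bind()/connect()" log lines like the one above and tests each denial against the bind/connect rules of a subject. It reads a rule with no netmask as a single host (/32, assumed from the RBAC rule convention) and reports any rule whose port lies outside 0-65535 instead of trusting it to cover anything; the sample log line and policy fragment are constructed from the post.

```python
import ipaddress
import re

# Constructed sample input, modelled on the denial line and the /bin/mount subject in the post.
LOG_LINE = ("Feb 22 01:50:42 somebox kernel: [ 1236.938364] grsec: (root:U:/bin/mount) denied "
            "bind() to 0.0.0.0 port 725 sock type stream protocol tcp by /bin/mount[mount:3259] "
            "uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0")
POLICY_RULES = [
    "bind 0.0.0.0:0-65536 any_sock any_proto",         # as posted: 65536 is not a valid port
    "connect 10.1.1.253/32:2049 any_sock any_proto",
]

DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):[A-Z]:(?P<subject>[^)]+)\) denied (?P<call>bind|connect)\(\) "
    r"to (?P<ip>[\d.]+) port (?P<port>\d+) sock type (?P<stype>\w+) protocol (?P<proto>\w+)")
RULE_RE = re.compile(
    r"^(?P<call>bind|connect)\s+(?P<ip>[\d.]+)(?:/(?P<mask>\d+))?:(?P<lo>\d+)(?:-(?P<hi>\d+))?\s+(?P<types>.+)$")

def parse_denial(line):
    # Role, subject, syscall, address, port, socket type and protocol of one denial line (or None).
    m = DENIAL_RE.search(line)
    return dict(m.groupdict(), port=int(m["port"])) if m else None

def parse_rule(text):
    # One bind/connect rule; a missing netmask is read as a single host (/32) (assumed convention).
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a bind/connect rule: %r" % text)
    lo, hi = int(m["lo"]), int(m["hi"] or m["lo"])
    return {"call": m["call"], "lo": lo, "hi": hi, "types": set(m["types"].split()),
            "net": ipaddress.ip_network("%s/%s" % (m["ip"], m["mask"] or 32), strict=False),
            "bad_ports": [p for p in (lo, hi) if not 0 <= p <= 65535]}  # ports are 16-bit

def rule_covers(rule, denial):
    # Syscall, address, port range, socket type and protocol must all admit the denied call.
    return bool(rule["call"] == denial["call"]
                and ipaddress.ip_address(denial["ip"]) in rule["net"]
                and rule["lo"] <= denial["port"] <= rule["hi"]
                and {"any_sock", denial["stype"]} & rule["types"]
                and {"any_proto", denial["proto"]} & rule["types"])

def audit(log_lines, rule_texts):
    # Returns (denials no valid rule covers, rules with out-of-range ports); bad rules cover nothing.
    rules = [parse_rule(r) for r in rule_texts]
    valid = [r for r in rules if not r["bad_ports"]]
    denials = [d for d in map(parse_denial, log_lines) if d]
    uncovered = [d for d in denials if not any(rule_covers(r, d) for r in valid)]
    return uncovered, [r for r in rules if r["bad_ports"]]
```

Running `audit([LOG_LINE], POLICY_RULES)` reports the posted bind rule for its port range and the bind() to 0.0.0.0:725 as uncovered; the same denial is covered once the rule reads `bind 0.0.0.0/0:0-65535 any_sock any_proto`.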