
Bug 167235

Summary: rpc.mountd failed to start after upgrade
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: selinux-policy Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: medium    
Version: 5   
Hardware: All   
OS: Linux   
Fixed In Version: 2.4.5-4.fc5 Doc Type: Bug Fix
Last Closed: 2006-12-14 22:07:43 UTC Type: ---
Attachments (Description / Flags):
  I want you to try to load this policy module / none
  Can you try this one? / none
  Can you try this one? / none

Description Orion Poplawski 2005-08-31 19:45:39 UTC
Description of problem:
During the recent update to nfs-utils-1.0.7-11 rpc.mountd failed to start on a
number of machines with the following errors:

Aug 31 04:44:22 aspen rpc.mountd: Caught signal 15, un-registering and exiting.
Aug 31 04:44:26 aspen kernel: nfsd: last server has exited
Aug 31 04:44:26 aspen kernel: nfsd: unexporting all filesystems
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:334): avc:  denied  { read } for  pid=28215 comm="rpc.rquotad" name="[3719671]" dev=pipefs ino=3719671 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:335): avc:  denied  { write } for  pid=28215 comm="rpc.rquotad" name="[3717144]" dev=pipefs ino=3717144 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:27 aspen portmap[28228]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Aug 31 04:44:27 aspen rpc.mountd: unable to register (mountd, 3, tcp).

I suspect the rpc.rquotad issues are separate.


How reproducible:
maybe 25%-50% of machines.


Perhaps related to bug #155940.

Comment 1 Steve Dickson 2005-09-01 11:02:19 UTC
Are you doing a lot of NFS mounts at one time (via autofs)?

Comment 2 Orion Poplawski 2005-09-20 22:04:29 UTC
I guess I don't really understand why this would affect rpc.mountd startup. 
I've also seen it fail to start at boot.

Anyways, we have 4 different autofs NIS maps (/opt, /home, /data, /data4).  But
it's generally just mounting one dir at a time.


Comment 3 Orion Poplawski 2006-01-11 17:35:05 UTC
Okay, this is getting unbearable.  I would say that rpc.mountd fails to start at
boot maybe 90% of the time.  Please get a handle on this and fix it!  This might
be a duplicate of bug 166918.

Comment 4 Orion Poplawski 2006-10-13 19:16:26 UTC
Dan - 

 I think this is the same issue as with ypbind in bug #155940 and I'm still
seeing it with selinux-policy-targeted-2.3.7-2.fc5.  Does that seem correct?

Comment 5 Orion Poplawski 2006-10-23 21:25:16 UTC
With enable audit turned on, here's what I turned up:

Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc:  denied  {
name_bind } for  pid=5514 comm="rpc.mountd" src=631
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc:  denied  {
name_bind } for  pid=6787 comm="rpc.mountd" src=631
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  {
name_bind } for  pid=6787 comm="rpc.mountd" src=636
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.396:896): avc:  denied  {
name_bind } for  pid=7653 comm="rpc.mountd" src=631
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.416:897): avc:  denied  {
name_bind } for  pid=7653 comm="rpc.mountd" src=636
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc:  denied  {
name_bind } for  pid=8278 comm="rpc.mountd" src=847
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0
tclass=udp_socket
Oct 23 15:16:08 antero kernel: audit(1161638168.010:1214): avc:  denied  {
name_bind } for  pid=9127 comm="rpc.mountd" src=847
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0
tclass=udp_socket
Oct 23 15:16:29 antero kernel: audit(1161638189.276:1280): avc:  denied  {
name_bind } for  pid=9447 comm="rpc.mountd" src=750
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0
tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.440:1397): avc:  denied  {
name_bind } for  pid=9994 comm="rpc.mountd" src=847
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0
tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.604:1398): avc:  denied  {
name_bind } for  pid=9994 comm="rpc.mountd" src=873
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0
tclass=udp_socket

these all resulted in errors like:

Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd):
request from unprivileged port
Oct 23 15:17:06 antero mountd[9994]: unable to register (mountd, 3, udp).

and mountd not coming up.
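
Added example (not part of the original bug report or of the selinux-policy project): a Python parser that rejoins the wrapped AVC records shown in comment 5 and groups the name_bind denials by process and domain, so that one daemon being denied on several ports, each labeled for a different service, stands out. The sample input is built from records in comment 5; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: records taken from comment 5, kept wrapped as posted.
SAMPLE = """\
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc:  denied  {
name_bind } for  pid=6787 comm="rpc.mountd" src=631
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  {
name_bind } for  pid=6787 comm="rpc.mountd" src=636
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=udp_socket
Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd):
request from unprivileged port
Oct 23 15:17:06 antero kernel: audit(1161638226.604:1398): avc:  denied  {
name_bind } for  pid=9994 comm="rpc.mountd" src=873
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0
tclass=udp_socket
"""

# A record starts at a syslog timestamp; any other line is a wrapped continuation.
WRAP = re.compile(r'\n(?![A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )')
AVC = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per AVC denial, rejoining records wrapped across lines."""
    lines = WRAP.sub(' ', text.strip()).split('\n')
    for m in filter(None, map(AVC.search, lines)):  # non-AVC lines are skipped
        rec = {k: v.strip('"') for k, v in FIELD.findall(m.group('rest'))}
        rec['perms'] = m.group('perms').split()
        # SELinux contexts are user:role:type[:level]; the type is field 3.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        yield rec

def bind_denials(text):
    """Map (comm, source type, class) -> {port: port type} for name_bind denials."""
    out = defaultdict(dict)
    for r in parse_avc(text):
        if 'name_bind' in r['perms'] and 'src' in r:
            out[(r['comm'], r['stype'], r['tclass'])][int(r['src'])] = r['ttype']
    return dict(out)

def scattered(text, min_types=2):
    """Keys whose denied binds span at least min_types distinct port types."""
    return [k for k, ports in bind_denials(text).items()
            if len(set(ports.values())) >= min_types]
```

A key returned by `scattered` marks a domain whose denied binds are spread over ports labeled for unrelated services, which is the shape of the denials posted in comment 5.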


Comment 6 Daniel Walsh 2006-10-24 12:49:10 UTC
Created attachment 139223 [details]
I want you to try to load this policy module

semodule -i rpcmountd.pp

Now try rpc.mountd

Comment 7 Orion Poplawski 2006-10-24 14:56:02 UTC
Version mismatch?

# semodule -i rpcmountd.pp
libsepol.permission_copy_callback: Module rpcmountd depends on permission
flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!


I built my own from the above avc's and audit2allow and that worked.



Comment 8 Daniel Walsh 2006-10-24 15:28:11 UTC
Created attachment 139234 [details]
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile

Comment 9 Daniel Walsh 2006-10-24 15:56:01 UTC
Created attachment 139236 [details]
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile

Comment 10 Orion Poplawski 2006-10-24 18:11:42 UTC
That works for me, and looks just like what fixed ypbind.

Comment 11 Daniel Walsh 2006-10-24 19:51:01 UTC
Fixed in selinux-policy-2.4.1-3

Comment 12 Orion Poplawski 2006-12-14 22:07:43 UTC
Appears fixed in 2.4.5-4.fc5