
Bug 980712

Summary: SELinux prevents NFS (rpcbind) from working properly (rpc.mountd[822]: Could not bind socket: (13) Permission denied)
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 19
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Julian Sikorski <belegdol>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: belegdol, dwalsh
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-07-11 20:35:09 UTC
Attachments: ausearch -m avc (flags: none)

Description Julian Sikorski 2013-07-03 05:53:00 UTC
Description of problem:
Since upgrading to F-19, NFS is not working for me unless I set SELinux to permissive. The following is in /var/log/messages:

Jul  3 07:33:45 snowball2 exportfs[762]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
Jul  3 07:33:45 snowball2 exportfs[762]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
Jul  3 07:33:45 snowball2 exportfs[762]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
Jul  3 07:33:45 snowball2 kernel: [   25.985633] NFSD: starting 90-second grace period (net ffffffff81cba800)
Jul  3 07:33:45 snowball2 systemd[1]: Started NFS Server.
Jul  3 07:33:46 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul  3 07:33:46 snowball2 systemd[1]: Starting NFS Remote Quota Server...
Jul  3 07:33:46 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
Jul  3 07:33:46 snowball2 systemd[1]: Started NFS Remote Quota Server.
Jul  3 07:33:46 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
Jul  3 07:33:46 snowball2 systemd[1]: Started NFS Mount Daemon.
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[895]: Version 1.2.7 starting


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-54.fc19.noarch

How reproducible:
always

Steps to Reproduce:
1. systemctl restart rpcbind.service

Actual results:
could not bind socket

Expected results:
nfs works

Additional info:
I have already tried full re-labeling, but it did not help.

Comment 1 Miroslav Grepl 2013-07-03 08:02:37 UTC
Julian,
what does

# ausearch -m avc

Comment 2 Julian Sikorski 2013-07-03 15:47:49 UTC
Created attachment 768309
ausearch -m avc

It does return a lot.

Comment 3 Julian Sikorski 2013-07-03 15:50:39 UTC
Output from /var/log/messages when restarting nfs.service in enforcing and permissive mode.

Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFS Remote Quota Server...
Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFS Mount Daemon...
Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFSv4 ID-name mapping daemon...
Jul  3 17:49:01 snowball2 rpc.mountd[895]: Caught signal 15, un-registering and exiting.
Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFS Server...
Jul  3 17:49:01 snowball2 kernel: [ 2151.481108] nfsd: last server has exited, flushing export cache
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFS Server...
Jul  3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
Jul  3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
Jul  3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
Jul  3 17:49:01 snowball2 kernel: [ 2151.506195] NFSD: starting 90-second grace period (net ffffffff81cba800)
Jul  3 17:49:01 snowball2 systemd[1]: Started NFS Server.
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFS Remote Quota Server...
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
Jul  3 17:49:01 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
Jul  3 17:49:01 snowball2 systemd[1]: Started NFS Remote Quota Server.
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4090]: Version 1.2.7 starting
Jul  3 17:49:01 snowball2 systemd[1]: Started NFS Mount Daemon.
Jul  3 17:49:13 snowball2 dbus-daemon[619]: dbus[619]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[619]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[1756]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[2366]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[1645]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFS Remote Quota Server...
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFS Mount Daemon...
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFSv4 ID-name mapping daemon...
Jul  3 17:49:15 snowball2 rpc.mountd[4090]: Caught signal 15, un-registering and exiting.
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFS Server...
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFS Server...
Jul  3 17:49:15 snowball2 kernel: [ 2165.498373] nfsd: last server has exited, flushing export cache
Jul  3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
Jul  3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
Jul  3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
Jul  3 17:49:15 snowball2 kernel: [ 2165.517265] NFSD: starting 90-second grace period (net ffffffff81cba800)
Jul  3 17:49:15 snowball2 systemd[1]: Started NFS Server.
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFS Remote Quota Server...
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
Jul  3 17:49:15 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
Jul  3 17:49:15 snowball2 systemd[1]: Started NFS Remote Quota Server.
Jul  3 17:49:15 snowball2 rpc.mountd[4143]: Version 1.2.7 starting
Jul  3 17:49:15 snowball2 systemd[1]: Started NFS Mount Daemon.
Jul  3 17:49:19 snowball2 fprintd[3994]: ** Message: No devices in use, exit

Comment 4 Daniel Walsh 2013-07-10 22:35:14 UTC
Nothing in those logs about rpcbind or nfs, all about running wine on your machine.

Seems you also have hundreds of wine_t processes running, which is strange since 

unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023  is not even a valid label anymore?

Comment 5 Julian Sikorski 2013-07-11 05:36:20 UTC
Keep in mind that audit.log might be years old (Fedora was first installed on this machine in May 2011), which probably explains the obsolete labels.
I was suspecting there is nothing rpcbind-related in the logs. Having said that, please have a look at comment 2: rpc.mountd fails initially, but after setting SELinux in permissive mode, the "could not bind socket" error is gone.

Comment 6 Miroslav Grepl 2013-07-11 15:08:14 UTC
Ok, could you re-test it in permissive and run

# ausearch -m avc -ts recent

Thank you.

Comment 7 Julian Sikorski 2013-07-11 20:35:09 UTC
Hmm, colour me confused. Turns out that the problem has fixed itself sometime between 3 July and today. ausearch -m avc -ts recent returns nothing.
The last "Could not bind socket: (13) Permission denied" was recorded in the logs on 7 July, 09:14. The first yum update after that included the following packages which could be of interest:
kernel-3.9.9-301.fc19.x86_64
selinux-policy-targeted-3.12.1-59.fc19.noarch
In any case, it works now.
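
The triage from comments 4 to 6, as an added example that is not part of the original bug thread: an unfiltered AVC dump from a years-old audit.log is dominated by unrelated denials, so the records are narrowed by time and by command name, which is what `ausearch -m avc -ts recent` (optionally with `-c rpc.mountd`) does on a live system. The audit lines below are constructed, and the rpc.mountd denial in them is hypothetical, since the thread never identified the real one.

```python
import re
from collections import Counter

# Constructed audit.log lines (not from the bug's attachment). The rpc.mountd
# denial is hypothetical; the wine_t line stands in for the old, unrelated noise.
SAMPLE = """\
type=AVC msg=audit(1306918800.101:77): avc:  denied  { read } for  pid=2101 comm="wine-preloader" name="x" dev="sda1" ino=11 scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1372829626.412:310): avc:  denied  { name_bind } for  pid=822 comm="rpc.mountd" src=20048 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1372829626.412:310): arch=c000003e syscall=49 success=no exit=-13 comm="rpc.mountd"
type=AVC msg=audit(1372829626.413:311): avc:  denied  { name_bind } for  pid=822 comm="rpc.mountd" src=20048 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])                    # epoch seconds of the event
    rec["perms"] = rec["perms"].split()           # e.g. ["name_bind"]
    rec["stype"] = rec["scontext"].split(":")[2]  # source domain, e.g. nfsd_t
    return rec

def denials(text, since=0, comms=None):
    """AVC denials at or after `since` (epoch), optionally limited to some comm names."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ts"] >= since and (comms is None or rec["comm"] in comms):
            out.append(rec)
    return out

def summarize(records):
    """Count denials per (comm, source domain, target class, permissions)."""
    return Counter((r["comm"], r["stype"], r["tclass"], " ".join(r["perms"]))
                   for r in records)

if __name__ == "__main__":
    for key, n in summarize(denials(SAMPLE, since=1372829000, comms={"rpc.mountd"})).items():
        print(n, *key)
```

If the filtered set is empty while the service still fails only in enforcing mode, the denial is not being recorded in the window searched, which is why comment 6 asks for a re-test in permissive mode immediately before the search.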