Bug 167235 - rpc.mountd failed to start after upgrade
Summary: rpc.mountd failed to start after upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-08-31 19:45 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.4.5-4.fc5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-12-14 22:07:43 UTC


Attachments:
I want you to try to load this policy module (deleted), 2006-10-24 12:49 UTC, Daniel Walsh
Can you try this one? (deleted), 2006-10-24 15:28 UTC, Daniel Walsh
Can you try this one? (deleted), 2006-10-24 15:56 UTC, Daniel Walsh

Description Orion Poplawski 2005-08-31 19:45:39 UTC
Description of problem:
During the recent update to nfs-utils-1.0.7-11 rpc.mountd failed to start on a
number of machines with the following errors:

Aug 31 04:44:22 aspen rpc.mountd: Caught signal 15, un-registering and exiting.
Aug 31 04:44:26 aspen kernel: nfsd: last server has exited
Aug 31 04:44:26 aspen kernel: nfsd: unexporting all filesystems
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:334): avc:  denied  { read } for  pid=28215 comm="rpc.rquotad" name="[3719671]" dev=pipefs ino=3719671 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:335): avc:  denied  { write } for  pid=28215 comm="rpc.rquotad" name="[3717144]" dev=pipefs ino=3717144 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:27 aspen portmap[28228]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Aug 31 04:44:27 aspen rpc.mountd: unable to register (mountd, 3, tcp).

I suspect the rpc.rquotad issues are separate.


How reproducible:
maybe 25%-50% of machines.


Perhaps related to bug #155940.

Comment 1 Steve Dickson 2005-09-01 11:02:19 UTC
Are you doing a lot of NFS mounts at one time (via autofs)?

Comment 2 Orion Poplawski 2005-09-20 22:04:29 UTC
I guess I don't really understand why this would affect rpc.mountd startup. 
I've also seen it fail to start at boot.

Anyways, we have 4 different autofs NIS maps (/opt, /home, /data, /data4).  But
it's generally just mounting one dir at a time.


Comment 3 Orion Poplawski 2006-01-11 17:35:05 UTC
Okay, this is getting unbearable.  I would say that rpc.mountd fails to start at
boot maybe 90% of the time.  Please get a handle on this and fix it!  This might
be a duplicate of bug 166918.

Comment 4 Orion Poplawski 2006-10-13 19:16:26 UTC
Dan - 

 I think this is the same issue as with ypbind in bug #155940 and I'm still
seeing it with selinux-policy-targeted-2.3.7-2.fc5.  Does that seem correct?

Comment 5 Orion Poplawski 2006-10-23 21:25:16 UTC
With enable audit turned on, here's what I turned up:

Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc:  denied  { name_bind } for  pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.396:896): avc:  denied  { name_bind } for  pid=7653 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.416:897): avc:  denied  { name_bind } for  pid=7653 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc:  denied  { name_bind } for  pid=8278 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:08 antero kernel: audit(1161638168.010:1214): avc:  denied  { name_bind } for  pid=9127 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:29 antero kernel: audit(1161638189.276:1280): avc:  denied  { name_bind } for  pid=9447 comm="rpc.mountd" src=750 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.440:1397): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.604:1398): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=873 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=udp_socket

These all resulted in errors like:

Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Oct 23 15:17:06 antero mountd[9994]: unable to register (mountd, 3, udp).

and mountd not coming up.


Comment 6 Daniel Walsh 2006-10-24 12:49:10 UTC
Created attachment 139223 [details]
I want you to try to load this policy module

semodule -i rpcmountd.pp

Now try rpc.mountd

Comment 7 Orion Poplawski 2006-10-24 14:56:02 UTC
Version mismatch?

# semodule -i rpcmountd.pp
libsepol.permission_copy_callback: Module rpcmountd depends on permission flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!


I built my own from the above avc's and audit2allow and that worked.
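
Added example, not part of the bug thread and not audit2allow's own code: a small Python parser that rejoins hard-wrapped AVC records like those in comment 5 and groups them into the candidate allow rules the denials imply, keeping the ports that triggered each rule. The function names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Sample: three denials copied from comment 5, hard-wrapped as pasted logs often are.
SAMPLE = """\
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc:  denied  {
name_bind } for  pid=6787 comm="rpc.mountd" src=631
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  {
name_bind } for  pid=6787 comm="rpc.mountd" src=636
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.396:896): avc:  denied  {
name_bind } for  pid=7653 comm="rpc.mountd" src=631
scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_denials(text):
    """Yield (permissions, source type, target type, class, port) per denial."""
    for rec in unwrap(text):
        m = AVC.search(rec)
        if m:
            f = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
            # SELinux contexts are user:role:type[:level]; the type is field 3.
            yield (m.group(1).split(), f["scontext"].split(":")[2],
                   f["tcontext"].split(":")[2], f["tclass"], f.get("src"))

def candidate_rules(text):
    """Map each candidate allow rule to the ports whose denials produced it."""
    rules = defaultdict(set)
    for perms, source, target, tclass, port in parse_denials(text):
        for perm in perms:
            rules[f"allow {source} {target}:{tclass} {perm};"].add(port)
    return dict(rules)
```

Listing the ports beside each rule makes it visible that one daemon was denied on several differently labelled port types, which is what a reviewer needs to see before loading a generated module.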



Comment 8 Daniel Walsh 2006-10-24 15:28:11 UTC
Created attachment 139234 [details]
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile

Comment 9 Daniel Walsh 2006-10-24 15:56:01 UTC
Created attachment 139236 [details]
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile

Comment 10 Orion Poplawski 2006-10-24 18:11:42 UTC
That works for me, and looks just like what fixed ypbind.

Comment 11 Daniel Walsh 2006-10-24 19:51:01 UTC
Fixed in selinux-policy-2.4.1-3

Comment 12 Orion Poplawski 2006-12-14 22:07:43 UTC
Appears fixed in 2.4.5-4.fc5

