| Summary: | NFS mounts fail due to SELinux denial for rpcbind.socket on /run/rpc.statd.lock | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paul Stauffer <paulds> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | awilliam, dominick.grift, dwalsh, lvrabec, mgrepl, ngel, orion, plautrba, pmoore, rhzilla, ssekidde |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-225.3.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-12-12 23:59:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I see this as well. rpcbind moved from /usr/sbin to /usr/bin to fix: semanage fcontext -a -t rpcbind_exec_t /usr/bin/rpcbind && restorecon -v /usr/bin/rpcbind Confirmed that updating the context of the binary resolves the problem. selinux-policy-3.13.1-225.3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f24b3ddc6a selinux-policy-3.13.1-225.3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f24b3ddc6a selinux-policy-3.13.1-225.3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. As a note, it seems that after a fresh install - even with selinux-policy-3.13.1-225.3.fc25 provided from the updates repository - the file is incorrectly labelled. You have to trigger a relabel (or run 'restorecon -v /usr/bin/rpcbind') to get it labelled correctly. |
Fedora 25 system recently updated from F24. SELinux enforcing. NFS mounts fail with the following two AVCs: SELinux is preventing systemd from create access on the unix_stream_socket Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects Unknown [ unix_stream_socket ] Source systemd Source Path systemd Port <Unknown> Host wildwest.bu.edu Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-224.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name wildwest.bu.edu Platform Linux wildwest.bu.edu 4.8.11-300.fc25.x86_64 #1 SMP Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64 Alert Count 11 First Seen 2016-12-06 00:07:11 EST Last Seen 2016-12-07 09:04:40 EST Local ID e73c3724-9341-474c-b546-078fc7abd27e Raw Audit Messages type=AVC msg=audit(1481119480.654:4702): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0 Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create SELinux is preventing rpc.statd from write access on the file /run/rpc.statd.lock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that rpc.statd should be allowed write access on the rpc.statd.lock file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'rpc.statd' --raw | audit2allow -M my-rpcstatd # semodule -X 300 -i my-rpcstatd.pp Additional Information: Source Context system_u:system_r:rpcd_t:s0 Target Context system_u:object_r:var_run_t:s0 Target Objects /run/rpc.statd.lock [ file ] Source rpc.statd Source Path rpc.statd Port <Unknown> Host wildwest.bu.edu Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-224.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name wildwest.bu.edu Platform Linux wildwest.bu.edu 4.8.11-300.fc25.x86_64 #1 SMP Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64 Alert Count 7 First Seen 2016-12-06 00:10:01 EST Last Seen 2016-12-07 08:52:16 EST Local ID c2663192-4228-41cf-a09f-264a6add57b1 Raw Audit Messages type=AVC msg=audit(1481118736.578:4662): avc: denied { write } for pid=29132 comm="rpc.statd" path="/run/rpc.statd.lock" dev="tmpfs" ino=84159 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 Hash: rpc.statd,rpcd_t,var_run_t,file,write File indicated is var_run_t: # ls -lZ /run/rpc.statd.lock -rw-r--r--. 1 root root system_u:object_r:var_run_t:s0 0 Dec 7 08:52 /run/rpc.statd.lock # rpm -q selinux-policy systemd nfs-utils rpcbind selinux-policy-3.13.1-224.fc25.noarch systemd-231-10.fc25.x86_64 nfs-utils-1.3.4-1.rc3.fc25.x86_64 rpcbind-0.2.4-0.fc25.x86_64