Bug 1410236

Summary: A dependency job for rpc-statd.service failed.
Product: [Fedora] Fedora Reporter: Bernie Hoefer <bhoefer>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 25CC: dominick.grift, dsmith, dwalsh, johannbg, lnykryn, lupinix.fedora, lvrabec, mgrepl, msekleta, muadda, pikachu.2014, plautrba, pmoore, ssahani, ssekidde, s, systemd-maint, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-12 10:15:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bernie Hoefer 2017-01-04 21:05:50 UTC 
Description of problem:

On a fresh install of Fedora 25, attempting to mount a NFS share results in this error:

  A dependency job for rpc-statd.service failed. See 'journalctl -xe'
  for details.
  mount.nfs: rpc.statd is not running but is required for remote locking.
  mount.nfs: Either use '-o nolock' to keep locks local, or start statd.

Using journalctl, we see these entries:

Jan 04 15:12:32 hostname kernel: FS-Cache: Loaded
Jan 04 15:12:32 hostname kernel: FS-Cache: Netfs 'nfs' registered for caching
Jan 04 15:12:32 hostname kernel: Key type dns_resolver registered
Jan 04 15:12:32 hostname kernel: NFS: Registering the id_resolver key type
Jan 04 15:12:32 hostname kernel: Key type id_resolver registered
Jan 04 15:12:32 hostname kernel: Key type id_legacy registered
Jan 04 15:12:32 hostname audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Jan 04 15:12:32 hostname systemd[1]: rpcbind.socket: Failed to listen on sockets: Permission denied
Jan 04 15:12:32 hostname systemd[1]: Failed to listen on RPCbind Server Activation Socket.
Jan 04 15:12:32 hostname systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking..
Jan 04 15:12:32 hostname systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'.
Jan 04 15:12:32 hostname systemd[1]: rpcbind.socket: Unit entered failed state.
Jan 04 15:12:32 hostname systemd[1]: Reached target RPC Port Mapper.
Jan 04 15:12:32 hostname systemd[1]: Starting Preprocess NFS configuration...
Jan 04 15:12:32 hostname systemd[1]: Reached target Host and Network Name Lookups.
Jan 04 15:12:32 hostname systemd[1]: Started Preprocess NFS configuration.
Jan 04 15:12:32 hostname audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 04 15:12:32 hostname audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 04 15:12:32 hostname rpc.statd[1387]: Version 1.3.3 starting
Jan 04 15:12:32 hostname rpc.statd[1387]: Flags: TI-RPC
Jan 04 15:12:33 hostname rpc.statd[1387]: Failed to register (statd, 1, udp): svc_reg() err: RPC: Remote system error - Connection refused
Jan 04 15:12:33 hostname rpc.statd[1387]: Failed to register (statd, 1, tcp): svc_reg() err: RPC: Remote system error - Connection refused
Jan 04 15:12:33 hostname rpc.statd[1387]: Failed to register (statd, 1, udp6): svc_reg() err: RPC: Remote system error - Connection refused
Jan 04 15:12:33 hostname rpc.statd[1387]: Failed to register (statd, 1, tcp6): svc_reg() err: RPC: Remote system error - Connection refused
Jan 04 15:12:33 hostname rpc.statd[1387]: failed to create RPC listeners, exiting
Jan 04 15:12:35 hostname dbus-daemon[1008]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.17' (uid=0 pid=984 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Jan 04 15:12:39 hostname dbus-daemon[1008]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 04 15:12:40 hostname setroubleshoot[1389]: SELinux is preventing systemd from create access on the unix_stream_socket Unknown. For complete SELinux messages. run sealert -l 5a9a6461-94bd-4d19-94af-55ed1f22a3c4
Jan 04 15:12:40 hostname python3[1389]: SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

   *****  Plugin catchall (100. confidence) suggests   **************************

   If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
   Then you should report this as a bug.
   You can generate a local policy module to allow this access.
   Do
   allow this access for now by executing:
   # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
   # semodule -X 300 -i my-systemd.pp



Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-225.3.fc25.noarch
systemd-231-10.fc25.x86_64



Steps to reproduce:

Install Fedora 25 (Xfce Desktop base environment).

Execute "mkdir -p /home/user/point".

Create an entry in /etc/fstab like this:

  nfsserver  /export/share  /home/user/point  nfs  defaults  0 0

Execute "mount /home/user/point".



Actual results:

Error is outputted and NFS share is not mounted.



Expected results:

NFS share is mounted with no errors.



Additional info:

This seems similar to BZ 1402083, "SELinux prevents systemd from starting nfs.service" except in this case the NFS Mount Daemon never starts.  (Plus that bug was fixed in the selinux-policy RPM version I am running.)

Running the "ausearch" and "semodule" commands as suggested in the journalctl output just results in newer AVC denied events.  (setopt, bind & listen)
Comment 1 Bernie Hoefer 2017-01-09 00:36:20 UTC 
I just encountered this again on another fresh install of Fedora 25.  This time with autofs on a 32-bit system running KDE.  It appears that Fedora 25's NFS mounting ability is broken, out of the box (even with updates as of today).

I would like to increase this bug's severity to high since many others will (have?) encountered this, but it seems like it is now locked to medium.
Comment 2 Christian Dersch 2017-01-23 15:13:54 UTC 
I get this too (fresh Fedora 25 installation) :(
Comment 3 Christian Dersch 2017-01-23 15:15:22 UTC 
And it also works with disabled SELinux here.
Comment 4 Zbigniew Jędrzejewski-Szmek 2017-01-28 02:39:58 UTC 
> Jan 04 15:12:32 hostname systemd[1]: rpcbind.socket: Failed to listen on sockets: Permission denied

This is between selinux and rpcbind unit configuration. Reassigning to selinux, since the policy most likely needs to change.
Comment 5 Mohamed El Morabity 2017-03-08 21:56:55 UTC 
Same issue too

$ rpm -q selinux-policy
selinux-policy-3.13.1-225.11.fc25.noarch
Comment 6 Fedora End Of Life 2017-12-12 10:15:05 UTC 
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.