Bug 1623410

Summary: avc denied { unlink } and { write } for comm="rpc.statd" after mask and unmask rpc-statd.service
Product: Red Hat Enterprise Linux 7
Reporter: Yongcheng Yang <yoyang>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.6
CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, xzhou, yoyang, zpytela
Target Milestone: rc
Keywords: Reproducer
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1629665
Environment:
Last Closed: 2019-02-28 19:17:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1629665

Description Yongcheng Yang 2018-08-29 09:59:29 UTC
Description of problem:
After configuring the NFS server as NFSv4 only (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1387694#c24) and trying to mount with v3 (which fails, as expected), we can then see the "rpc.statd" AVC denied warning when restarting nfs.service (which may trigger an rpc.statd start).

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-219.el7

How reproducible:
always

Steps to Reproduce:
As follows

Actual results:
[root ~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root ~]# cat /etc/sysconfig/nfs
RPCNFSDARGS="-N 2 -N 3 -U"
RPCMOUNTDOPTS="-N 2 -N 3"
[root ~]# systemctl restart nfs
[root ~]# exportfs -v
/export_test    <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
[root ~]# cat /proc/fs/nfsd/versions
-2 -3 +4 +4.1 +4.2
###################################
## mounting with vers=3 should fail
###################################
[root ~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root ~]# echo $?
32
[root ~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root ~]# systemctl start rpcbind
[root ~]# cat /var/log/audit/audit.log | grep denied
[root ~]# systemctl restart nfs
[root ~]# cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1535535707.386:843): avc:  denied  { unlink } for  pid=3810 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=128704 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535535707.386:845): avc:  denied  { write } for  pid=3810 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=128704 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
[root ~]# rpm -q selinux-policy
selinux-policy-3.13.1-219.el7.noarch
[root ~]# rpm -q nfs-utils
nfs-utils-1.3.0-0.60.el7.x86_64
[root ~]# 


Expected results:
No avc denied warning

Additional info:
N/A

Comment 2 Lukas Vrabec 2018-08-29 10:41:50 UTC
Hi,

If you remove this pid file by hand (# rm -rf /var/run/rpc.statd.pid) and reproduce the scenario, does it work?

Thanks,
Lukas.

Comment 3 Milos Malik 2018-08-29 19:39:07 UTC
The /var/run/rpc.statd.pid file is mislabeled. The following command should fix it:

# restorecon -v /var/run/rpc.statd.pid

I'm interested in how it got mislabeled.

Comment 4 Yongcheng Yang 2018-08-30 01:31:19 UTC
Hi Lukas and Milos,

Thanks for your suggestions.

Both "rm -f" and "restorecon -v" on the file "/var/run/rpc.statd.pid" fix this issue!

#########################
# Without any workaround
#########################
[root~]# echo > /var/log/audit/audit.log
[root~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:11 /var/run/rpc.statd.pid
[root~]# systemctl restart nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:11 /var/run/rpc.statd.pid
[root~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:12 /var/run/rpc.statd.pid
[root~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:12 /var/run/rpc.statd.pid
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# systemctl start rpcbind
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:12 /var/run/rpc.statd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# systemctl start nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1535591621.609:1023): avc:  denied  { unlink } for  pid=4716 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=138007 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535591621.609:1024): avc:  denied  { write } for  pid=4716 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=138007 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
[root~]# 


#########################
# Removing rpc.statd.pid
#########################
[root~]# echo > /var/log/audit/audit.log
[root~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:19 /var/run/rpc.statd.pid
[root~]# systemctl restart nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:19 /var/run/rpc.statd.pid
[root~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:21 /var/run/rpc.statd.pid
[root~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:21 /var/run/rpc.statd.pid
[root~]# systemctl start rpcbind
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:21 /var/run/rpc.statd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# rm /var/run/rpc.statd.pid    <<<<<<<<<<<<<<<<
rm: remove regular empty file ‘/var/run/rpc.statd.pid’? y
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
[root~]# systemctl start nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 5 Aug 29 21:22 /var/run/rpc.statd.pid
5071
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# 
[root~]# systemctl status rpc-statd
● rpc-statd.service - NFS status monitor for NFSv2/3 locking.
   Loaded: loaded (/usr/lib/systemd/system/rpc-statd.service; static; vendor preset: disabled)
   Active: active (running) since Wed 2018-08-29 21:22:08 EDT; 2min 41s ago
...

#########################
# Executing "restorecon -v"
#########################
[root~]# echo > /var/log/audit/audit.log
[root~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
[root~]# systemctl restart nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
[root~]# systemctl start rpcbind
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# restorecon -v /var/run/rpc.statd.pid    <<<<<<<<<<
restorecon reset /run/rpc.statd.pid context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:rpcd_var_run_t:s0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
[root~]# systemctl start nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 5 Aug 29 21:18 /var/run/rpc.statd.pid
4868
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# systemctl status rpc-statd
● rpc-statd.service - NFS status monitor for NFSv2/3 locking.
   Loaded: loaded (/usr/lib/systemd/system/rpc-statd.service; static; vendor preset: disabled)
   Active: active (running) since Wed 2018-08-29 21:18:30 EDT; 26s ago
...
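
The runs above all point the same way: the two AVCs name a file whose type (var_run_t) is not the one the policy assigns to /run/rpc.statd.pid (rpcd_var_run_t, as the restorecon output shows), so the denial is a labeling problem rather than a missing policy rule. The following triage script, added here as an example and not part of nfs-utils, selinux-policy or this bug report, parses AVC records in the format shown in the report, groups the denials by target inode, and decides for each whether the target is mislabeled (fix the label) or correctly labeled (a genuine policy gap). The EXPECTED_LABELS table is an assumption constructed from the restorecon output in this comment; on a live host you would query `matchpathcon <path>` or `restorecon -n -v <path>` instead. The sample audit lines are the two from the report plus one synthetic denial on a correctly labeled file.

```python
"""Triage SELinux AVC denials caused by a mislabeled runtime file.

Added example for this bug thread, not code from nfs-utils or selinux-policy.
It parses type=AVC records, groups file denials by target inode, and compares
the target's type with the type the policy expects for that file.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample input: the two denials from the report, an unrelated
# SYSCALL record, and one synthetic denial on a correctly labeled file.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1535535707.386:843): avc:  denied  { unlink } for  pid=3810 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=128704 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535535707.386:845): avc:  denied  { write } for  pid=3810 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=128704 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1535535707.386:845): arch=c000003e syscall=2 success=no exit=-13 comm="rpc.statd"
type=AVC msg=audit(1535535900.000:901): avc:  denied  { write } for  pid=4100 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=140001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:rpcd_var_run_t:s0 tclass=file permissive=0
"""

# Assumed lookup: file name -> (path, type the policy assigns to it). Only the
# rpc.statd.pid entry is backed by the restorecon output in the bug report.
EXPECTED_LABELS: Dict[str, Tuple[str, str]] = {
    "rpc.statd.pid": ("/run/rpc.statd.pid", "rpcd_var_run_t"),
}

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Context:
    """user:role:type:level; the MLS level may itself contain ':'."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        return cls(*text.split(":", 3))


def parse_denials(audit_text: str) -> List[dict]:
    """Return one dict per denied AVC record; other record types are skipped."""
    out = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {k: (q or b) for k, q, b in FIELD_RE.findall(m.group("rest"))}
        rec["perms"] = set(m.group("perms").split())
        rec["scontext"] = Context.parse(rec["scontext"])
        rec["tcontext"] = Context.parse(rec["tcontext"])
        out.append(rec)
    return out


@dataclass
class Finding:
    name: str
    ino: str
    source_type: str
    target: Context
    perms: Set[str]
    verdict: str = ""
    detail: str = ""


def triage(audit_text: str, expected=EXPECTED_LABELS) -> List[Finding]:
    """Group file denials by (dev, ino, source domain) and classify each group."""
    groups: Dict[Tuple[str, str, str], Finding] = {}
    for r in parse_denials(audit_text):
        if r.get("tclass") != "file" or "name" not in r:
            continue
        key = (r.get("dev", ""), r.get("ino", ""), r["scontext"].type)
        f = groups.setdefault(key, Finding(r["name"], key[1], key[2], r["tcontext"], set()))
        f.perms |= r["perms"]

    for f in groups.values():
        if f.name not in expected:
            f.verdict, f.detail = "unknown", f"no expected label known for {f.name}"
            continue
        path, want = expected[f.name]
        if f.target.type != want:
            f.verdict = "mislabel"
            f.detail = f"{path} is {f.target.type}, policy expects {want}; fix: restorecon -v {path}"
            # New files inherit the SELinux user of their creator, so a
            # non-system_u seuser says a login session, not a service, made it.
            if f.target.user != "system_u":
                f.detail += f" (seuser {f.target.user}: not created by a system service)"
        else:
            f.verdict = "policy_gap"
            f.detail = (f"{path} already carries {want}; {f.source_type} lacks "
                        f"{{ {' '.join(sorted(f.perms))} }} on it, a policy gap rather than a label problem")
    return list(groups.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"[{f.verdict}] {f.name} ino={f.ino} {sorted(f.perms)}: {f.detail}")
```

Two caveats for real use. The AVC record only carries the basename (name=), so production triage should take the full path from the accompanying PATH record or resolve dev/ino, not key on the name alone as this example does. And resist the reflex of piping these denials into `audit2allow -M`: it would emit `allow rpcd_t var_run_t:file { unlink write };`, which lets rpc.statd touch every generically labeled file under /run and hides the actual defect, whereas `restorecon -v /run/rpc.statd.pid` (comment 3) restores the label the policy already grants rpcd_t access to.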

Comment 5 Lukas Vrabec 2018-08-30 07:48:05 UTC
Can I close this bug?

Comment 6 Yongcheng Yang 2018-08-30 08:06:38 UTC
So is this not a bug? Or is it some other component's problem?

I thought comment #2 and comment #3 were just workarounds.

Shouldn't we investigate why "/var/run/rpc.statd.pid" got mislabeled?

Comment 7 Milos Malik 2018-08-30 08:08:13 UTC
(In reply to Yongcheng Yang from comment #6)
> So is this not a bug? Or is it some other component's problem?
> 
> I thought comment #2 and comment #3 were just workarounds.
> 
> Shouldn't we investigate why "/var/run/rpc.statd.pid" got mislabeled?

I agree. We should find out.

Comment 9 Zdenek Pytela 2019-02-28 19:17:02 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.