Bug 167235
Summary: | rpc.mountd failed to start after upgrade | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | high | Priority: | medium |
Version: | 5 | Hardware: | All |
OS: | Linux | Fixed In Version: | 2.4.5-4.fc5 |
Doc Type: | Bug Fix | Last Closed: | 2006-12-14 22:07:43 UTC |
Description
Orion Poplawski
2005-08-31 19:45:39 UTC
Are you doing a lot of NFS mounts at one time (via autofs)?

I guess I don't really understand why this would affect rpc.mountd startup. I've also seen it fail to start at boot. Anyways, we have 4 different autofs NIS maps (/opt, /home, /data, /data4). But it's generally just mounting one dir at a time.

Okay, this is getting unbearable. I would say that rpc.mountd fails to start at boot maybe 90% of the time. Please get a handle on this and fix it!

This might be a duplicate of bug 166918.

Dan - I think this is the same issue as with ypbind in bug #155940 and I'm still seeing it with selinux-policy-targeted-2.3.7-2.fc5. Does that seem correct?

With enable audit turned on, here's what I turned up:

Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc: denied { name_bind } for pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc: denied { name_bind } for pid=6787 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc: denied { name_bind } for pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.396:896): avc: denied { name_bind } for pid=7653 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.416:897): avc: denied { name_bind } for pid=7653 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc: denied { name_bind } for pid=8278 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:08 antero kernel: audit(1161638168.010:1214): avc: denied { name_bind } for pid=9127 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:29 antero kernel: audit(1161638189.276:1280): avc: denied { name_bind } for pid=9447 comm="rpc.mountd" src=750 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.440:1397): avc: denied { name_bind } for pid=9994 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.604:1398): avc: denied { name_bind } for pid=9994 comm="rpc.mountd" src=873 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=udp_socket

these all resulted in errors like:

Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Oct 23 15:17:06 antero mountd[9994]: unable to register (mountd, 3, udp).

and mountd not coming up.

Created attachment 139223 [details]
I want you to try to load this policy module
semodule -i rpcmountd.pp
Now try rpc.mountd
Version mismatch?

# semodule -i rpcmountd.pp
libsepol.permission_copy_callback: Module rpcmountd depends on permission flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

I built my own from the above avc's and audit2allow and that worked.

Created attachment 139234 [details]
Can you try this one?
Try this one, as this is what I want to add to policy.
You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile
Created attachment 139236 [details]
Can you try this one?
Try this one, as this is what I want to add to policy.
You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile
That works for me, and looks just like what fixed ypbind.

Fixed in selinux-policy-2.4.1-3

Appears fixed in 2.4.5-4.fc5
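
Added example, not part of the bug report or of the SELinux tools: a small Python parser that groups AVC denials like the ones quoted in this thread by source type, target type and class, and drafts allow rules in the form audit2allow prints. The function names are hypothetical; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Lines copied from the report above: three denials plus one non-AVC line.
SAMPLE = """\
Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc: denied { name_bind } for pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc: denied { name_bind } for pid=6787 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc: denied { name_bind } for pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero mountd[9994]: unable to register (mountd, 3, udp).
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(f.split("=", 1) for f in m.group("rest").split() if "=" in f)
    try:
        return {
            "perms": m.group("perms").split(),
            "comm": kv.get("comm", "").strip('"'),
            "port": int(kv["src"]) if "src" in kv else None,
            # SELinux contexts are user:role:type:level; the type is field 3.
            "stype": kv["scontext"].split(":")[2],
            "ttype": kv["tcontext"].split(":")[2],
            "tclass": kv["tclass"],
        }
    except (KeyError, IndexError, ValueError):
        return None  # truncated or malformed record

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        if rec["port"] is not None:
            g["ports"].add(rec["port"])
    return dict(groups)

def allow_rules(groups):
    """Render each group as a draft allow rule for review, not for blind loading."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return rules
```

Run over the full set of denials in the report, the grouping shows a single domain (nfsd_t) denied name_bind on several unrelated port types, which is worth seeing before any per-port rule is loaded.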