Bug 167235

Summary: rpc.mountd failed to start after upgrade
Product: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Orion Poplawski <orion>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Fixed In Version: 2.4.5-4.fc5
Doc Type: Bug Fix
Last Closed: 2006-12-14 22:07:43 UTC

Attachments:
I want you to try to load this policy module
Can you try this one?
Can you try this one?

Description Orion Poplawski 2005-08-31 19:45:39 UTC
Description of problem:
During the recent update to nfs-utils-1.0.7-11 rpc.mountd failed to start on a
number of machines with the following errors:

Aug 31 04:44:22 aspen rpc.mountd: Caught signal 15, un-registering and exiting.
Aug 31 04:44:26 aspen kernel: nfsd: last server has exited
Aug 31 04:44:26 aspen kernel: nfsd: unexporting all filesystems
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:334): avc:  denied  { read } for  pid=28215 comm="rpc.rquotad" name="[3719671]" dev=pipefs ino=3719671 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:335): avc:  denied  { write } for  pid=28215 comm="rpc.rquotad" name="[3717144]" dev=pipefs ino=3717144 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:27 aspen portmap[28228]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Aug 31 04:44:27 aspen rpc.mountd: unable to register (mountd, 3, tcp).

I suspect the rpc.rquotad issues are separate.


How reproducible:
maybe 25%-50% of machines.


Perhaps related to bug #155940.

Comment 1 Steve Dickson 2005-09-01 11:02:19 UTC
Are you doing a lot of NFS mounts at one time (via autofs)?

Comment 2 Orion Poplawski 2005-09-20 22:04:29 UTC
I guess I don't really understand why this would affect rpc.mountd startup. 
I've also seen it fail to start at boot.

Anyways, we have 4 different autofs NIS maps (/opt, /home, /data, /data4).  But
it's generally just mounting one dir at a time.


Comment 3 Orion Poplawski 2006-01-11 17:35:05 UTC
Okay, this is getting unbearable.  I would say that rpc.mountd fails to start at
boot maybe 90% of the time.  Please get a handle on this and fix it!  This might
be a duplicate of bug 166918.

Comment 4 Orion Poplawski 2006-10-13 19:16:26 UTC
Dan - 

 I think this is the same issue as with ypbind in bug #155940 and I'm still
seeing it with selinux-policy-targeted-2.3.7-2.fc5.  Does that seem correct?

Comment 5 Orion Poplawski 2006-10-23 21:25:16 UTC
With enable audit turned on, here's what I turned up:

Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc:  denied  { name_bind } for  pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.396:896): avc:  denied  { name_bind } for  pid=7653 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.416:897): avc:  denied  { name_bind } for  pid=7653 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc:  denied  { name_bind } for  pid=8278 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:08 antero kernel: audit(1161638168.010:1214): avc:  denied  { name_bind } for  pid=9127 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:29 antero kernel: audit(1161638189.276:1280): avc:  denied  { name_bind } for  pid=9447 comm="rpc.mountd" src=750 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.440:1397): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.604:1398): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=873 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=udp_socket

These all resulted in errors like:

Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Oct 23 15:17:06 antero mountd[9994]: unable to register (mountd, 3, udp).

and mountd not coming up.

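The denials in comment 5 show rpc.mountd, running as nfsd_t, being refused name_bind on reserved UDP ports that carry other services' port labels (ipp_port_t, ldap_port_t, dhcpd_port_t, kerberos_port_t, rsync_port_t); it then falls back to an unprivileged port, which portmap refuses to register. The script below is an added example, not code from the bug or from the selinux-policy project: it parses AVC lines of this form, groups the name_bind denials by source type, target port type and object class, and renders the narrow allow rules that audit2allow would derive from them (the approach the reporter used in comment 7). The sample log lines are constructed from the ones quoted above; the module Dan shipped in comment 11 is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC lines shortened from comment 5 plus one portmap line.
SAMPLE_LOG = """\
Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc:  denied  { name_bind } for  pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc:  denied  { name_bind } for  pid=8278 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC denial fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts look like user:role:type[:level]; the type is what policy rules use.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def reserved_port_denials(text):
    """Group name_bind denials by (source type, port type, class) and
    collect the port numbers that were tried under each key."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and "name_bind" in rec["perms"] and "src" in rec:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            groups[key].add(int(rec["src"]))
    return {k: sorted(v) for k, v in groups.items()}

def allow_rules(groups):
    """Render the per-port-type allow rules audit2allow would emit for these groups."""
    return [f"allow {s} {t}:{c} name_bind;" for (s, t, c) in sorted(groups)]

if __name__ == "__main__":
    groups = reserved_port_denials(SAMPLE_LOG)
    for key, ports in sorted(groups.items()):
        print(key, ports)
    print("\n".join(allow_rules(groups)))
```

Each distinct target port type needs its own rule, which is why a retry on a different reserved port produced a new denial with a new tcontext rather than reusing a rule already present.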

Comment 6 Daniel Walsh 2006-10-24 12:49:10 UTC
Created attachment 139223 [details]
I want you to try to load this policy module

semodule -i rpcmountd.pp

Now try rpc.mountd

Comment 7 Orion Poplawski 2006-10-24 14:56:02 UTC
Version mismatch?

# semodule -i rpcmountd.pp
libsepol.permission_copy_callback: Module rpcmountd depends on permission
flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!


I built my own from the above avc's and audit2allow and that worked.



Comment 8 Daniel Walsh 2006-10-24 15:28:11 UTC
Created attachment 139234 [details]
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile

Comment 9 Daniel Walsh 2006-10-24 15:56:01 UTC
Created attachment 139236 [details]
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile

Comment 10 Orion Poplawski 2006-10-24 18:11:42 UTC
That works for me, and looks just like what fixed ypbind.

Comment 11 Daniel Walsh 2006-10-24 19:51:01 UTC
Fixed in selinux-policy-2.4.1-3

Comment 12 Orion Poplawski 2006-12-14 22:07:43 UTC
Appears fixed in 2.4.5-4.fc5