Bug 476585

Summary: NFS statd fails on startup
Product: [Fedora] Fedora Reporter: Jackie <mellomann01>
Component: nfs-utilsAssignee: Steve Dickson <steved>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 9CC: dbond, dedourek, jlayton, joao.cid, mattias.ellert, nhorman, rich, steved, volpial3
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-12-18 07:31:27 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Jackie 2008-12-15 17:52:17 EST
Description of problem:

NFS statd fails during boot

Version-Release number of selected component (if applicable):
1.1.2

How reproducible:

Every time I boot the machine

Steps to Reproduce:
1.Boot machine
2.See Starting NFS statd:         [FAILED]
3.Also get same when you try to start it from the command line
  
   service nfslock start
   Starting NFS statd:         [FAILED]
  
Actual results:


Expected results:


Additional info:

This is what is showing up in my log:

Dec 15 16:28:03 lptp rpc.statd[3115]: Version 1.1.2 Starting
Dec 15 16:28:04 lptp rpc.statd[3115]: unable to register (statd, 1, udp).
Dec 15 16:28:08 lptp rpc.statd[3168]: Version 1.1.2 Starting
Dec 15 16:28:08 lptp rpc.statd[3168]: unable to register (statd, 1, udp).
Comment 1 Adam Goode 2008-12-15 19:54:05 EST
Hi, rpc2 isn't the package you're looking for. I've corrected the component. Thanks.
Comment 2 Jeff Layton 2008-12-16 06:56:02 EST
Is rpcbind running when this fails?
Comment 3 Jackie 2008-12-16 17:57:09 EST
(In reply to comment #2)
> Is rpcbind running when this fails?

Actually no. SElinux was preventing rpcbind from starting for some reason. I disabled SElinux, started rpcbind, and was then able to start nfslock.

This is the SElinux denial message:

Summary:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by rpcbind. It is not expected that this access
is required by rpcbind and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:system_r:rpcbind_t:s0
Target Objects                None [ capability ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          lptp
Source RPM Packages           rpcbind-0.1.7-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     lptp
Platform                      Linux lptp 2.6.27.8 #1 SMP Sat
                              Dec 6 12:01:11 CST 2008 i686 i686
Alert Count                   1
First Seen                    Tue 16 Dec 2008 04:48:54 PM CST
Last Seen                     Tue 16 Dec 2008 04:51:39 PM CST
Local ID                      aa504a09-0c65-49f0-8de5-222cfcd3d35f
Line Numbers                  

Raw Audit Messages            

node=lptp type=AVC msg=audit(1229467899.253:25): avc:  denied  { setgid } for  pid=3271 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=lptp type=SYSCALL msg=audit(1229467899.253:25): arch=40000003 syscall=214 success=yes exit=0 a0=20 a1=b7eb69bc a2=b7deb5b0 a3=bfd47300 items=0 ppid=3270 pid=3271 auid=500 uid=0 gid=32 euid=0 suid=0 fsuid=0 egid=32 sgid=32 fsgid=32 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
Comment 4 Alessandro Volpi 2008-12-17 15:57:58 EST
I have also found that my Fedora 9 fails to start nfs statd on boot-up and fails to turn-off rpcbind when shutting down. On December 7th everything was working OK and the bug appeared after having run yum update. After the update the two following warnings were issued by setroubleshootd:

SummarySELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t. Detailed DescriptionSELinux denied access requested by rpcbind. It is not expected that this access is required by rpcbind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessYou can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context:  unconfined_u:system_r:rpcbind_t:s0Target Context:  unconfined_u:system_r:rpcbind_t:s0Target Objects:  None [ capability ]Source:  rpcbindSource Path:  /sbin/rpcbindPort:  <Unknown>Host:  ws0lSource RPM Packages:  rpcbind-0.1.7-1.fc9Target RPM Packages:  Policy RPM:  selinux-policy-3.3.1-111.fc9Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchallHost Name:  ws0lPlatform:  Linux ws0l 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686Alert Count:  1First Seen:  Wed 17 Dec 2008 05:41:01 PM UTCLast Seen:  Wed 17 Dec 2008 05:41:01 PM UTCLocal ID:  47ae0003-ed81-4d6e-9dec-a37808ebd394Line Numbers:  Raw Audit Messages :node=ws0l type=AVC msg=audit(1229535661.718:38): avc: denied { setgid } for pid=6941 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability node=ws0l type=SYSCALL msg=audit(1229535661.718:38): arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bfa23b90 items=0 ppid=6940 pid=6941 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null) 

SummarySELinux is preventing sshd (sshd_t) "search" crond_t. Detailed DescriptionSELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessYou can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context:  system_u:system_r:sshd_t:s0-s0:c0.c1023Target Context:  system_u:system_r:crond_t:s0-s0:c0.c1023Target Objects:  None [ key ]Source:  sshdSource Path:  /usr/sbin/sshdPort:  <Unknown>Host:  ws0lSource RPM Packages:  openssh-server-5.1p1-3.fc9Target RPM Packages:  Policy RPM:  selinux-policy-3.3.1-107.fc9Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchallHost Name:  ws0lPlatform:  Linux ws0l 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686Alert Count:  15First Seen:  Tue 02 Dec 2008 09:16:11 AM UTCLast Seen:  Tue 02 Dec 2008 10:27:44 AM UTCLocal ID:  832c4a89-e9a6-4521-9590-e026f21e82b7Line Numbers:  Raw Audit Messages :node=ws0l type=AVC msg=audit(1228213664.81:195): avc: denied { search } for pid=3431 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key node=ws0l type=SYSCALL msg=audit(1228213664.81:195): arch=40000003 syscall=288 success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=0 items=0 ppid=2350 pid=3431 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Comment 5 Steve Dickson 2008-12-18 07:31:27 EST
the selinux-policy-3.3.1-115 is available in the yum repos which
fixes this problem... please update... 

The selinux-policy can also be found at:
http://koji.fedoraproject.org/koji/buildinfo?buildID=73996
Comment 6 Steve Dickson 2008-12-18 07:32:35 EST
*** Bug 476919 has been marked as a duplicate of this bug. ***
Comment 7 Steve Dickson 2008-12-18 07:33:35 EST
*** Bug 476928 has been marked as a duplicate of this bug. ***