Bug 476585
| Summary: | NFS statd fails on startup | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jackie <mellomann01> |
| Component: | nfs-utils | Assignee: | Steve Dickson <steved> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | 9 | CC: | darryl.bond, dedourek, jlayton, joao.cid, mattias.ellert, nhorman, rich, steved, volpial3 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-12-18 12:31:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jackie
2008-12-15 22:52:17 UTC
Hi, rpc2 isn't the package you're looking for. I've corrected the component. Thanks. Is rpcbind running when this fails? (In reply to comment #2) > Is rpcbind running when this fails? Actually no. SElinux was preventing rpcbind from starting for some reason. I disabled SElinux, started rpcbind, and was then able to start nfslock. This is the SElinux denial message: Summary: SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t. Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by rpcbind. It is not expected that this access is required by rpcbind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:rpcbind_t:s0 Target Context unconfined_u:system_r:rpcbind_t:s0 Target Objects None [ capability ] Source rpcbind Source Path /sbin/rpcbind Port <Unknown> Host lptp Source RPM Packages rpcbind-0.1.7-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-111.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall Host Name lptp Platform Linux lptp 2.6.27.8 #1 SMP Sat Dec 6 12:01:11 CST 2008 i686 i686 Alert Count 1 First Seen Tue 16 Dec 2008 04:48:54 PM CST Last Seen Tue 16 Dec 2008 04:51:39 PM CST Local ID aa504a09-0c65-49f0-8de5-222cfcd3d35f Line Numbers Raw Audit Messages node=lptp type=AVC msg=audit(1229467899.253:25): avc: denied { setgid } for pid=3271 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability node=lptp type=SYSCALL msg=audit(1229467899.253:25): arch=40000003 syscall=214 success=yes exit=0 a0=20 a1=b7eb69bc a2=b7deb5b0 a3=bfd47300 items=0 ppid=3270 pid=3271 auid=500 uid=0 gid=32 euid=0 suid=0 fsuid=0 egid=32 sgid=32 fsgid=32 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null) I have also found that my Fedora 9 fails to start nfs statd on boot-up and fails to turn-off rpcbind when shutting down. On December 7th everything was working OK and the bug appeared after having run yum update. After the update the two following warnings were issued by setroubleshootd:
SummarySELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t. Detailed DescriptionSELinux denied access requested by rpcbind. It is not expected that this access is required by rpcbind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessYou can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context: unconfined_u:system_r:rpcbind_t:s0Target Context: unconfined_u:system_r:rpcbind_t:s0Target Objects: None [ capability ]Source: rpcbindSource Path: /sbin/rpcbindPort: <Unknown>Host: ws0lSource RPM Packages: rpcbind-0.1.7-1.fc9Target RPM Packages: Policy RPM: selinux-policy-3.3.1-111.fc9Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: EnforcingPlugin Name: catchallHost Name: ws0lPlatform: Linux ws0l 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686Alert Count: 1First Seen: Wed 17 Dec 2008 05:41:01 PM UTCLast Seen: Wed 17 Dec 2008 05:41:01 PM UTCLocal ID: 47ae0003-ed81-4d6e-9dec-a37808ebd394Line Numbers: Raw Audit Messages :node=ws0l type=AVC msg=audit(1229535661.718:38): avc: denied { setgid } for pid=6941 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability node=ws0l type=SYSCALL msg=audit(1229535661.718:38): arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bfa23b90 items=0 ppid=6940 pid=6941 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
SummarySELinux is preventing sshd (sshd_t) "search" crond_t. Detailed DescriptionSELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessYou can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context: system_u:system_r:sshd_t:s0-s0:c0.c1023Target Context: system_u:system_r:crond_t:s0-s0:c0.c1023Target Objects: None [ key ]Source: sshdSource Path: /usr/sbin/sshdPort: <Unknown>Host: ws0lSource RPM Packages: openssh-server-5.1p1-3.fc9Target RPM Packages: Policy RPM: selinux-policy-3.3.1-107.fc9Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: EnforcingPlugin Name: catchallHost Name: ws0lPlatform: Linux ws0l 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686Alert Count: 15First Seen: Tue 02 Dec 2008 09:16:11 AM UTCLast Seen: Tue 02 Dec 2008 10:27:44 AM UTCLocal ID: 832c4a89-e9a6-4521-9590-e026f21e82b7Line Numbers: Raw Audit Messages :node=ws0l type=AVC msg=audit(1228213664.81:195): avc: denied { search } for pid=3431 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key node=ws0l type=SYSCALL msg=audit(1228213664.81:195): arch=40000003 syscall=288 success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=0 items=0 ppid=2350 pid=3431 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
the selinux-policy-3.3.1-115 is available in the yum repos which fixes this problem... please update... The selinux-policy can also be found at: http://koji.fedoraproject.org/koji/buildinfo?buildID=73996 *** Bug 476919 has been marked as a duplicate of this bug. *** *** Bug 476928 has been marked as a duplicate of this bug. *** |