Bug 800501

Summary: Cannot start rpc.statd
Product: Red Hat Enterprise Linux 7
Reporter: Miroslav Vadkerti <mvadkert>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.0
CC: bnater, dkutalek, mgrepl, mmalik
Target Milestone: beta
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:39:40 UTC
Bug Blocks: 799508

Description Miroslav Vadkerti 2012-03-06 15:20:08 UTC
Description of problem:
With fresh installation of RHEL7:

# systemctl start nfs-lock.service
Job failed. See system logs and 'systemctl status' for details.

# tail /var/log/messages
Mar  6 15:03:51 dhcp-25-173 rpc.statd[14837]: Version 1.2.5 starting
Mar  6 15:03:51 dhcp-25-173 rpc.statd[14837]: Opening /var/run/rpc.statd.pid failed: Permission denied
Mar  6 15:03:51 dhcp-25-173 systemd[1]: nfs-lock.service: control process exited, code=exited status=1
Mar  6 15:03:51 dhcp-25-173 systemd[1]: Unit nfs-lock.service entered failed state.

# ausearch -ts recent -m avc
----
time->Tue Mar  6 15:03:51 2012
type=SYSCALL msg=audit(1331042631.422:264): arch=c000003e syscall=87 success=no exit=-13 a0=7fb13282d284 a1=7fff6f667bb8 a2=0 a3=7fff6f667be0 items=0 ppid=14836 pid=14837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1331042631.422:264): avc:  denied  { unlink } for  pid=14837 comm="rpc.statd" name="rpc.statd.pid" dev=tmpfs ino=32415 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar  6 15:03:51 2012
type=SYSCALL msg=audit(1331042631.422:265): arch=c000003e syscall=2 success=no exit=-13 a0=7fb13282d284 a1=241 a2=1b6 a3=238 items=0 ppid=14836 pid=14837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1331042631.422:265): avc:  denied  { write } for  pid=14837 comm="rpc.statd" name="rpc.statd.pid" dev=tmpfs ino=32415 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-56.el7.noarch

How reproducible:
100% on a fresh installation

Steps to Reproduce:
1. See description
  
Actual results:
rpc.statd cannot be started

Expected results:
rpc.statd can be started

Additional info:
# restorecon -RvvF /var/run/
restorecon reset /run/rpc.statd.pid context unconfined_u:object_r:var_run_t:s0->system_u:object_r:rpcd_var_run_t:s0

Looks like the pid file is created with the wrong context the first time.

Comment 1 Daniel Walsh 2012-03-06 21:42:04 UTC
Any idea who created the pid?

What version of selinux-policy are you using?

Comment 5 Branislav Náter 2013-11-13 08:04:53 UTC
I tried to restart rpcbind today and got two denials:

type=AVC msg=audit(1384328069.948:1447): avc:  denied  { unlink } for  pid=15929 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=778978 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1384328069.948:1447): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f6a1d3d00b4 a1=7fff425a9e50 a2=0 a3=7fff425a9eb0 items=0 ppid=15927 pid=15929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)

type=AVC msg=audit(1384328069.948:1448): avc:  denied  { write } for  pid=15929 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=778978 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1384328069.948:1448): arch=x86_64 syscall=open success=no exit=EACCES a0=7f6a1d3d00b4 a1=241 a2=1b6 a3=1 items=0 ppid=15927 pid=15929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)

# rpm -q selinux-policy
selinux-policy-3.12.1-99.el7.noarch

Is this issue related?

Comment 6 Milos Malik 2013-11-13 09:17:28 UTC
I'm not sure why, but the PID file was mislabeled. The correct label is rpcd_var_run_t. When I relabeled the PID file to var_run_t and restarted rpcbind, I got the same AVCs as you. restorecon -Rv /var/run fixes it.

Comment 7 Daniel Walsh 2013-11-13 17:01:48 UTC
If you run rpc.statd by hand this will happen.
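
Added example (not part of the original thread, and not Red Hat's tooling): a small triage script that reads AVC records like the ones quoted in this report and flags file denials whose target still carries a generic type such as var_run_t, which is the mislabel pattern Comments 6 and 7 describe. The GENERIC_TYPES set and the function names are assumptions of this example; the sample records are copied from the report.

```python
import re

# AVC records copied from the report above (SYSCALL records left out).
SAMPLE = """\
type=AVC msg=audit(1331042631.422:264): avc:  denied  { unlink } for  pid=14837 comm="rpc.statd" name="rpc.statd.pid" dev=tmpfs ino=32415 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1384328069.948:1448): avc:  denied  { write } for  pid=15929 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=778978 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: generic directory types that a confined
# daemon's own files should not carry once they are labelled correctly.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_lib_t", "var_log_t"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def mislabel_findings(text):
    """Group file denials whose target still has a generic type."""
    found = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file" or "tcontext" not in rec:
            continue
        t_user, _, t_type = rec["tcontext"].split(":")[:3]
        if t_type not in GENERIC_TYPES:
            continue
        entry = found.setdefault((rec.get("comm"), rec.get("name")), {
            "domain": rec["scontext"].split(":")[2],
            "target_type": t_type,
            "perms": set(),
            # A file keeps the SELinux user of the process that created it.
            "unconfined_creator": t_user == "unconfined_u",
        })
        entry["perms"].update(rec["perms"])
    return found


if __name__ == "__main__":
    for (comm, name), f in mislabel_findings(SAMPLE).items():
        print(f"{comm}: {name} is {f['target_type']}, denied {sorted(f['perms'])}; "
              "relabel with restorecon rather than adding an allow rule")
```

A finding with unconfined_creator set suggests the file was created from an unconfined session, which matches the "run by hand" explanation; the fix is relabeling with restorecon, not widening the rpcd_t policy.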

Comment 8 Branislav Náter 2013-11-14 08:57:17 UTC
I had just restarted the rpcbind service when the denials occurred. I've restored the context and it's OK for now.

Comment 9 Ludek Smid 2014-06-13 11:39:40 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.