Bug 980712
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux prevents NFS (rpcbind) from working properly (rpc.mountd[822]: Could not bind socket: (13) Permission denied) | | |
| Product | [Fedora] Fedora | Reporter | Julian Sikorski <belegdol> |
| Component | selinux-policy-targeted | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Ben Levenson <benl> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 19 | CC | belegdol, dwalsh |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-07-11 20:35:09 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Julian Sikorski
2013-07-03 05:53:00 UTC
Julian, what does # ausearch -m avc

Created attachment 768309
ausearch -m avc

It does return a lot.

Output from /var/log/messages when restarting nfs.service in enforcing and permissive mode.

    Jul 3 17:49:01 snowball2 systemd[1]: Stopping NFS Remote Quota Server...
    Jul 3 17:49:01 snowball2 systemd[1]: Stopping NFS Mount Daemon...
    Jul 3 17:49:01 snowball2 systemd[1]: Stopping NFSv4 ID-name mapping daemon...
    Jul 3 17:49:01 snowball2 rpc.mountd[895]: Caught signal 15, un-registering and exiting.
    Jul 3 17:49:01 snowball2 systemd[1]: Stopping NFS Server...
    Jul 3 17:49:01 snowball2 kernel: [ 2151.481108] nfsd: last server has exited, flushing export cache
    Jul 3 17:49:01 snowball2 systemd[1]: Starting NFS Server...
    Jul 3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
    Jul 3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
    Jul 3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
    Jul 3 17:49:01 snowball2 kernel: [ 2151.506195] NFSD: starting 90-second grace period (net ffffffff81cba800)
    Jul 3 17:49:01 snowball2 systemd[1]: Started NFS Server.
    Jul 3 17:49:01 snowball2 systemd[1]: Starting NFS Mount Daemon...
    Jul 3 17:49:01 snowball2 systemd[1]: Starting NFS Remote Quota Server...
    Jul 3 17:49:01 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
    Jul 3 17:49:01 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
    Jul 3 17:49:01 snowball2 systemd[1]: Started NFS Remote Quota Server.
    Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
    Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
    Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
    Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
    Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
    Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
    Jul 3 17:49:01 snowball2 rpc.mountd[4090]: Version 1.2.7 starting
    Jul 3 17:49:01 snowball2 systemd[1]: Started NFS Mount Daemon.
    Jul 3 17:49:13 snowball2 dbus-daemon[619]: dbus[619]: avc: received setenforce notice (enforcing=0)
    Jul 3 17:49:13 snowball2 dbus[619]: avc: received setenforce notice (enforcing=0)
    Jul 3 17:49:13 snowball2 dbus[1756]: avc: received setenforce notice (enforcing=0)
    Jul 3 17:49:13 snowball2 dbus[2366]: avc: received setenforce notice (enforcing=0)
    Jul 3 17:49:13 snowball2 dbus[1645]: avc: received setenforce notice (enforcing=0)
    Jul 3 17:49:15 snowball2 systemd[1]: Stopping NFS Remote Quota Server...
    Jul 3 17:49:15 snowball2 systemd[1]: Stopping NFS Mount Daemon...
    Jul 3 17:49:15 snowball2 systemd[1]: Stopping NFSv4 ID-name mapping daemon...
    Jul 3 17:49:15 snowball2 rpc.mountd[4090]: Caught signal 15, un-registering and exiting.
    Jul 3 17:49:15 snowball2 systemd[1]: Stopping NFS Server...
    Jul 3 17:49:15 snowball2 systemd[1]: Starting NFS Server...
    Jul 3 17:49:15 snowball2 kernel: [ 2165.498373] nfsd: last server has exited, flushing export cache
    Jul 3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
    Jul 3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
    Jul 3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
    Jul 3 17:49:15 snowball2 kernel: [ 2165.517265] NFSD: starting 90-second grace period (net ffffffff81cba800)
    Jul 3 17:49:15 snowball2 systemd[1]: Started NFS Server.
    Jul 3 17:49:15 snowball2 systemd[1]: Starting NFS Mount Daemon...
    Jul 3 17:49:15 snowball2 systemd[1]: Starting NFS Remote Quota Server...
    Jul 3 17:49:15 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
    Jul 3 17:49:15 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
    Jul 3 17:49:15 snowball2 systemd[1]: Started NFS Remote Quota Server.
    Jul 3 17:49:15 snowball2 rpc.mountd[4143]: Version 1.2.7 starting
    Jul 3 17:49:15 snowball2 systemd[1]: Started NFS Mount Daemon.
    Jul 3 17:49:19 snowball2 fprintd[3994]: ** Message: No devices in use, exit

Nothing in those logs about rpcbind or nfs, all about running wine on your machine. Seems you also have hundreds of wine_t processes running, which is strange since unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 is not even a valid label anymore?

Keep in mind that audit.log might be years old (Fedora was first installed on this machine in May 2011), which probably explains obsolete labels. I was suspecting there is nothing rpcbind-related in the logs. Having said that, please have a look at comment 2: rpc.mountd fails initially, but after setting SELinux in permissive mode, the "could not bind socket" error is gone.

Ok, could you re-test it in permissive and run # ausearch -m avc -ts recent

Thank you.

Hmm, colour me confused. Turns out that the problem has fixed itself sometime between 3 July and today. ausearch -m avc -ts recent returns nothing. The last "Could not bind socket: (13) Permission denied" was recorded in the logs on 7 July, 09:14. The first yum update after that included the following packages which could be of interest: kernel-3.9.9-301.fc19.x86_64 selinux-policy-targeted-3.12.1-59.fc19.noarch In any case, it works now.
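A small triage script, added here as an example (it is not from the report, Fedora or selinux-policy), that applies the reasoning of the exchange above: it walks log lines of the kind quoted in the report, tracks the SELinux mode from the dbus setenforce notices, and reports whether the rpc.mountd EACCES bind failures occurred only in enforcing mode. The sample log is constructed from the /var/log/messages excerpt in the report.

```python
import re
from collections import Counter

# Constructed sample, abridged from the /var/log/messages excerpt in this report.
SAMPLE_LOG = """\
Jul 3 17:49:01 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul 3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul 3 17:49:01 snowball2 rpc.mountd[4090]: Version 1.2.7 starting
Jul 3 17:49:13 snowball2 dbus[619]: avc: received setenforce notice (enforcing=0)
Jul 3 17:49:15 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul 3 17:49:15 snowball2 rpc.mountd[4143]: Version 1.2.7 starting
"""

# dbus logs every setenforce change; it is the only mode marker in the excerpt.
SETENFORCE_RE = re.compile(r"avc: received setenforce notice \(enforcing=([01])\)")
# errno 13 (EACCES) from bind() in a root daemon is the usual signature of an
# SELinux name_bind denial; other errnos (e.g. 98 EADDRINUSE) are not.
BIND_FAIL_RE = re.compile(r"rpc\.mountd\[\d+\]: Could not bind socket: \((\d+)\)")


def bind_failures_by_mode(log_text, initial_mode="enforcing"):
    """Count EACCES bind failures of rpc.mountd per SELinux mode.

    The mode is tracked from setenforce notices, so the state before the
    first notice must be given; the report says the first restart was in
    enforcing mode, hence the default.
    """
    mode = initial_mode
    counts = Counter()
    for line in log_text.splitlines():
        notice = SETENFORCE_RE.search(line)
        if notice:
            mode = "enforcing" if notice.group(1) == "1" else "permissive"
            continue
        fail = BIND_FAIL_RE.search(line)
        if fail and fail.group(1) == "13":
            counts[mode] += 1
    return dict(counts)


def selinux_suspected(counts):
    """True when failures occur in enforcing mode only, the pattern in this
    report. Confirm with 'ausearch -m avc -ts recent'; an empty result may
    mean the denial is silenced by a dontaudit rule."""
    return counts.get("enforcing", 0) > 0 and counts.get("permissive", 0) == 0


if __name__ == "__main__":
    by_mode = bind_failures_by_mode(SAMPLE_LOG)
    print(by_mode, "-> SELinux suspected:", selinux_suspected(by_mode))
```

The enforcing-only pattern is a pointer, not proof: when ausearch shows no AVC for a denial that clearly depends on the enforcing mode, `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC is logged (`semodule -B` restores them).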