Bug 1354661 - [SELinux]: NFS Ganesha not starting up due to 'Cannot bind RQUOTA udp6 socket' error
Summary: [SELinux]: NFS Ganesha not starting up due to 'Cannot bind RQUOTA udp6 socket...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: nfs-ganesha
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: RHGS 3.2.0
Assignee: Kaleb KEITHLEY
QA Contact: surabhi
URL:
Whiteboard:
Depends On: 1357508
Blocks: 1351528
Reported: 2016-07-11 21:54 UTC by Oonkwee Lim
Modified: 2019-11-14 08:40 UTC
CC: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, SELinux denied binding to the socket listener, which caused ganesha.nfsd to fail to start. With this fix the SELinux rules are updated and the issue is resolved.
Clone Of:
Environment:
Last Closed: 2017-03-23 06:22:44 UTC
Embargoed:


Links
Red Hat Product Errata RHEA-2017:0493 (priority normal, status SHIPPED_LIVE): Red Hat Gluster Storage 3.2.0 nfs-ganesha bug fix and enhancement update, last updated 2017-03-23 09:19:13 UTC

Comment 4 Soumya Koduri 2016-07-12 06:25:06 UTC
We had also requested to check whether SELinux is enabled and whether any AVCs are reported. Can you please get responses for those queries as well?

From comment #2:

* If SELinux is in enforcing mode, check '/var/log/audit.log' for any AVCs when nfs-ganesha is being started:
# getenforce
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
* Check if there are any errors/warnings logged in '/var/log/messages' as well.

Comment 7 Niels de Vos 2016-07-12 16:44:14 UTC
Have you checked if rpcbind is listening and allowing connections over IPv6? In comment #6 the output of iptables is shown, but that only applies to IPv4. Use the ip6tables command as well. rpcbind should be listening on port 111, maybe netstat/ss can confirm that too.

Comment 9 Shashank Raj 2016-07-14 10:52:31 UTC
With 3.1.3, we have a new ganesha conf file, which would have been saved as rpmsave under /etc/ganesha. If you look into it, the rquota port is assigned as 875, and we recommend setting up ganesha using this port number moving forward.

Conf file will look like this:

NFS_Core_Param {
        #Use supplied name other than IP in NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #By default port number '2049' is used for NFS service.
        #Configure ports for MNT, NLM, RQuota services.
        #The ports chosen here are from '/etc/sysconfig/nfs'
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 875;
}

Can you please try with the same and let us know if you still see the issue. Also, please add the relevant services in firewalld as mentioned in the doc link below, under the 7.2.4 NFS-Ganesha section:

http://jenkinscat.gsslab.pnq.redhat.com:8080/view/Gluster/job/doc-Red_Hat_Gluster_Storage-3.1.3-Administration_Guide%20%28html-single%29/lastBuild/artifact/tmp/en-US/html-single/index.html#sect-NFS_Ganesha

Comment 10 Shashank Raj 2016-07-18 12:00:17 UTC
I tried reproducing this issue with a port other than 875; I can see the same issue, with AVC denials for unreserved_port in audit.log.

ganesha.conf:

NFS_Core_Param {
        #Use supplied name other than IP in NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #By default port number '2049' is used for NFS service.
        #Configure ports for MNT, NLM, RQuota services.
        #The ports chosen here are from '/etc/sysconfig/nfs'
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 8750;
}


from ganesha logs:

18/07/2016 07:43:52 : epoch 1a100000 : dhcp43-208.lab.eng.blr.redhat.com : ganesha.nfsd-30912[main] Bind_sockets_V6 :DISP :WARN :Cannot bind RQUOTA udp6 socket, error 13 (Permission denied)
18/07/2016 07:43:52 : epoch 1a100000 : dhcp43-208.lab.eng.blr.redhat.com : ganesha.nfsd-30912[main] Bind_sockets :DISP :FATAL :Error binding to V6 interface. Cannot continue.


The following AVCs appear in audit.log:

type=AVC msg=audit(1468842120.174:587): avc:  denied  { name_bind } for  pid=30640 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=AVC msg=audit(1468842120.146:611): avc:  denied  { name_bind } for  pid=30335 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=AVC msg=audit(1468842120.138:635): avc:  denied  { name_bind } for  pid=29146 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=AVC msg=audit(1468842120.176:610): avc:  denied  { name_bind } for  pid=29790 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

Below bug has been filed to track it:

https://bugzilla.redhat.com/show_bug.cgi?id=1357508
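
The denials quoted above are the whole diagnosis: the ganesha.nfsd process runs in the glusterd_t domain, 8750 carries the generic unreserved_port_t label, and the policy on RHEL 7.2 has no rule letting glusterd_t name_bind that label, so bind() fails with EACCES and ganesha logs "error 13 (Permission denied)". Comment 9's recommendation of 875 works because that port already carries a dedicated type in the targeted policy. The script below is an added example written for this bug report; it is not code from the bug, from nfs-ganesha or from selinux-policy. It parses AVC records in the layout shown in comment 10 (the first denial is embedded as constructed sample input, together with a non-AVC record and a tcp_socket variant) and prints the narrowest SELinux-side remedy. Two assumptions are not stated on the page and are marked in the code: port 875 is labelled rquotad_port_t (check with `semanage port -l | grep rquota`), and, consistent with 875 working in comment 9, glusterd_t may bind that type.

```shell
#!/bin/sh
# Added example for this bug report; not code from the bug, nfs-ganesha or
# selinux-policy. It parses name_bind AVC records like the ones in comment 10
# and prints the narrowest SELinux-side remedy for each distinct denial.
#
# Assumptions (not stated on the page): audit records use the standard
# "type=AVC ... avc: denied { perm } for ... src=PORT scontext=... tcontext=...
# tclass=..." layout; port 875 carries rquotad_port_t in the targeted policy
# (verify: semanage port -l | grep rquota); glusterd_t may bind that type.

# Constructed sample input: the first denial from comment 10, a SYSCALL
# record that must be ignored, and a tcp_socket variant of the same denial.
SAMPLE_AVC='type=AVC msg=audit(1468842120.174:587): avc:  denied  { name_bind } for  pid=30640 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1468842120.174:587): arch=c000003e syscall=49 success=no exit=-13 comm="ganesha.nfsd"
type=AVC msg=audit(1468842120.180:588): avc:  denied  { name_bind } for  pid=30640 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_bind_denials: read audit records on stdin and print one de-duplicated
# line per name_bind denial as "<proto> <port> <source type> <port type>".
avc_bind_denials() {
    awk '
        /^type=AVC / && /denied/ && /name_bind/ {
            port = ""; sctx = ""; tctx = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "src")      port = kv[2]
                if (kv[1] == "scontext") sctx = kv[2]
                if (kv[1] == "tcontext") tctx = kv[2]
                if (kv[1] == "tclass")   cls  = kv[2]
            }
            # A context is user:role:type[:level]; the type is field 3.
            split(sctx, s, ":"); split(tctx, t, ":")
            if (cls == "udp_socket") proto = "udp"
            else if (cls == "tcp_socket") proto = "tcp"
            else proto = cls
            key = proto " " port " " s[3] " " t[3]
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# selinux_fix_for: print the remedy for one denial line. Giving the port the
# type the daemon is already allowed to bind (what choosing 875 achieves, per
# comment 9) is narrower than an audit2allow module, which would let the
# domain bind every unreserved port.
selinux_fix_for() {
    proto=$1; port=$2; stype=$3; ttype=$4
    case "$ttype" in
        unreserved_port_t|reserved_port_t|port_t)
            # Generic label: relabel the port (assumes rquotad_port_t is bindable by $stype).
            printf 'semanage port -a -t rquotad_port_t -p %s %s\n' "$proto" "$port"
            ;;
        *)
            # The port already has a specific type; binding it needs a policy
            # change (the route the errata took), not a port relabel.
            printf '# %s may not bind %s/%s (%s): needs an updated selinux-policy; inspect with: sesearch -A -s %s -t %s -c %s_socket -p name_bind\n' \
                "$stype" "$proto" "$port" "$ttype" "$stype" "$ttype" "$proto"
            ;;
    esac
}

# triage: run the pipeline over the sample. On a live host replace the
# printf with:  ausearch -m avc -ts recent --raw | avc_bind_denials | ...
triage() {
    printf '%s\n' "$SAMPLE_AVC" | avc_bind_denials |
    while read -r proto port stype ttype; do
        selinux_fix_for "$proto" "$port" "$stype" "$ttype"
    done
}

triage
```

Two caveats when using this on a real host. ganesha binds RQUOTA on both udp and tcp, so a relabel has to be applied for both protocols, and `semanage port -a` refuses a port that already has a non-generic type (use `-m` there, or leave it alone). A port relabel is a local workaround of the same kind as choosing 875; the fix that actually shipped with this bug is the updated selinux-policy in the errata, which should be preferred once available.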

Comment 11 Shashank Raj 2016-07-18 12:03:05 UTC
Workaround to proceed ahead is as mentioned in comment 9.

Comment 12 Shashank Raj 2016-07-18 15:03:06 UTC
As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1357508#c1, this issue is fixed in 7.3

Since the recommended settings for 3.1.3 are as mentioned in comment 9, and those work fine, do you think we need to have a fix for this in 7.2 as well?

Please confirm, and based on that I will update the corresponding selinux bug.

Comment 13 Oonkwee Lim 2016-07-19 17:07:36 UTC
Hello Shashank,

The customer did not try the workaround yet.

Comment 14 Shashank Raj 2016-07-27 16:20:58 UTC
Hi,

Do we have any updates on this (as mentioned in comment 12)?

Comment 15 Shashank Raj 2016-08-08 16:31:32 UTC
Any Updates on this?

There is a dependent bug on selinux team (https://bugzilla.redhat.com/show_bug.cgi?id=1357508), which is fixed for 7.3 and they want to close it.

So if we want a fix for 7.2.z, we need to update that bug.

Can you please confirm the same?

Comment 16 Soumya Koduri 2016-09-01 13:58:13 UTC
I see that the customer case attached is in CLOSED state. The required fix in selinux-policy is already merged in 7.3. Based on these, proposing this bug to 3.2.0 release. QE can re-verify this bug once RHEL 7.3 GA is available.

Comment 20 Kaleb KEITHLEY 2016-09-19 16:29:18 UTC
Usually we get a fix backported to RHEL Z-stream (7.2 Z-stream in this case) from Lukas (lvrabec)

He can tell us which, if any, Z-stream fix is available.

Comment 25 surabhi 2016-11-17 09:42:56 UTC
The avc mentioned is not seen with latest builds based on RHEL7.3 and nfs-ganesha starts successfully.

Marking the BZ verified. (On RHEL7.3)


selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
nfs-ganesha-2.4.1-1.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.1-1.el7rhgs.x86_64

Comment 26 Bhavana 2017-03-08 06:49:29 UTC
Hi Soumya,

I have edited the doc text further. Let me know if this looks ok.

Comment 27 Soumya Koduri 2017-03-08 06:51:17 UTC
Hi Bhavana,

The changes look good to me.

Comment 29 errata-xmlrpc 2017-03-23 06:22:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0493.html
