1474593 – SELinux is denying rpcbind from creating a direcory in /run

Bug 1474593 - SELinux is denying rpcbind from creating a direcory in /run

Summary: SELinux is denying rpcbind from creating a direcory in /run

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	26
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-25 02:09 UTC by louisgtwo
Modified:	2018-05-03 15:32 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-05-03 15:32:31 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description louisgtwo 2017-07-25 02:09:38 UTC

Just installed f26 server and nfs-server failed to start. Think it's a selinux problem.

 audit[2875]: AVC avc:  denied  { create } for  pid=2875 comm="systemd-tmpfile" name="rpcbind" scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir per
 systemd-tmpfiles[2875]: Failed to create directory or subvolume "/run/rpcbind": Permission denied
 rpcbind[2874]: rpcbind: /run/rpcbind/rpcbind.lock: No such file or directory
 systemd[1]: rpcbind.service: Main process exited, code=exited, status=1/FAILURE

Comment 1 Daniel Walsh 2017-07-25 12:41:40 UTC

Is rpcbind running systemd-tmpfile?

Comment 2 louisgtwo 2017-07-25 15:16:15 UTC

I think so. F26 has 3.13.1-260.1 and the changelog has this: 

* Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258 - Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.

Comment 3 louisgtwo 2017-07-26 03:46:29 UTC

This only happens on fresh installs. When /run/rpcbind does not yet exist. I placed the system in permissive mode, started the service and everything started fine. /run/rpcbind was created. Back in enforcing mode the service starts and stops fine, even through reboots.

Comment 4 Joe Doss 2017-07-31 17:17:25 UTC

(In reply to louisgtwo from comment #3)
> This only happens on fresh installs. When /run/rpcbind does not yet exist. I
> placed the system in permissive mode, started the service and everything
> started fine. /run/rpcbind was created. Back in enforcing mode the service
> starts and stops fine, even through reboots.

I can confirm what louisgtwo has said. This issue totally breaks the Fedora 26 Cloud Base Images for Vagrant. You can't use NFS out of the box.

Comment 5 Fedora End Of Life 2018-05-03 08:39:01 UTC

This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.