Bug 1623410 - avc denied { unlink } and { write } for comm="rpc.statd" after mask and unmask rpc-statd.service
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Blocks: 1629665
Reported: 2018-08-29 09:59 UTC by Yongcheng Yang
Modified: 2019-02-28 19:17 UTC
Doc Type: If docs needed, set a value
Clone Of:
: 1629665 (view as bug list)
Last Closed: 2019-02-28 19:17:02 UTC

Description Yongcheng Yang 2018-08-29 09:59:29 UTC
Description of problem:
After configuring the NFS server as NFSv4 only (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1387694#c24) and trying to mount with v3 (which fails as expected), we can then find the "rpc.statd" AVC denied warning when restarting nfs.service (which may trigger an rpc.statd start).

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-219.el7

How reproducible:
always

Steps to Reproduce:
As follows

Actual results:
[root ~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root ~]# cat /etc/sysconfig/nfs
RPCNFSDARGS="-N 2 -N 3 -U"
RPCMOUNTDOPTS="-N 2 -N 3"
[root ~]# systemctl restart nfs
[root ~]# exportfs -v
/export_test    <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
[root ~]# cat /proc/fs/nfsd/versions
-2 -3 +4 +4.1 +4.2
###################################
## mounting with vers=3 should fail
###################################
[root ~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root ~]# echo $?
32
[root ~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root ~]# systemctl start rpcbind
[root ~]# cat /var/log/audit/audit.log | grep denied
[root ~]# systemctl restart nfs
[root ~]# cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1535535707.386:843): avc:  denied  { unlink } for  pid=3810 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=128704 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535535707.386:845): avc:  denied  { write } for  pid=3810 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=128704 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
[root ~]# rpm -q selinux-policy
selinux-policy-3.13.1-219.el7.noarch
[root ~]# rpm -q nfs-utils
nfs-utils-1.3.0-0.60.el7.x86_64
[root ~]# 


Expected results:
No avc denied warning

Additional info:
N/A

Comment 2 Lukas Vrabec 2018-08-29 10:41:50 UTC
Hi,

If you remove this pid file by hand (# rm -rf /var/run/rpc.statd.pid) and reproduce the scenario, is it working?

Thanks,
Lukas.

Comment 3 Milos Malik 2018-08-29 19:39:07 UTC
The /var/run/rpc.statd.pid file is mislabeled. The following command should fix it:

# restorecon -v /var/run/rpc.statd.pid

I'm interested in how it got mislabeled.

Comment 4 Yongcheng Yang 2018-08-30 01:31:19 UTC
Hi Lukas and Milos,

Thanks for your suggestions.

Both "rm -f" and "restorecon -v" with file "/var/run/rpc.statd.pid" can fix this issue!

#########################
# Without any workaround
#########################
[root~]# echo > /var/log/audit/audit.log
[root~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:11 /var/run/rpc.statd.pid
[root~]# systemctl restart nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:11 /var/run/rpc.statd.pid
[root~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:12 /var/run/rpc.statd.pid
[root~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:12 /var/run/rpc.statd.pid
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# systemctl start rpcbind
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:12 /var/run/rpc.statd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# systemctl start nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1535591621.609:1023): avc:  denied  { unlink } for  pid=4716 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=138007 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535591621.609:1024): avc:  denied  { write } for  pid=4716 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=138007 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
[root~]# 


#########################
# Removing rpc.statd.pid
#########################
[root~]# echo > /var/log/audit/audit.log
[root~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:19 /var/run/rpc.statd.pid
[root~]# systemctl restart nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:19 /var/run/rpc.statd.pid
[root~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:21 /var/run/rpc.statd.pid
[root~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:21 /var/run/rpc.statd.pid
[root~]# systemctl start rpcbind
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:21 /var/run/rpc.statd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# rm /var/run/rpc.statd.pid    <<<<<<<<<<<<<<<<
rm: remove regular empty file ‘/var/run/rpc.statd.pid’? y
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
[root~]# systemctl start nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 5 Aug 29 21:22 /var/run/rpc.statd.pid
5071
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# 
[root~]# systemctl status rpc-statd
● rpc-statd.service - NFS status monitor for NFSv2/3 locking.
   Loaded: loaded (/usr/lib/systemd/system/rpc-statd.service; static; vendor preset: disabled)
   Active: active (running) since Wed 2018-08-29 21:22:08 EDT; 2min 41s ago
...

#########################
# Executing "restorecon -v"
#########################
[root~]# echo > /var/log/audit/audit.log
[root~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink from /etc/systemd/system/rpc-statd.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.service to /dev/null.
Created symlink from /etc/systemd/system/rpcbind.socket to /dev/null.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
[root~]# systemctl restart nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
ls: cannot access /var/run/rpc.statd.pid: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# mount localhost:/export_test /mnt -o vers=3
Failed to start rpc-statd.service: Unit is masked.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# systemctl unmask --now rpc-statd.service rpcbind.service rpcbind.socket
Removed symlink /etc/systemd/system/rpc-statd.service.
Removed symlink /etc/systemd/system/rpcbind.service.
Removed symlink /etc/systemd/system/rpcbind.socket.
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
[root~]# systemctl start rpcbind
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# restorecon -v /var/run/rpc.statd.pid    <<<<<<<<<<
restorecon reset /run/rpc.statd.pid context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:rpcd_var_run_t:s0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 0 Aug 29 21:15 /var/run/rpc.statd.pid
[root~]# systemctl start nfs
[root~]# ll /var/run/rpc.statd.pid ; [ $? -eq 0 ] && cat /var/run/rpc.statd.pid
-rw-r--r--. 1 rpcuser rpcuser 5 Aug 29 21:18 /var/run/rpc.statd.pid
4868
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root~]# cat /var/log/audit/audit.log | grep denied
[root~]# systemctl status rpc-statd
● rpc-statd.service - NFS status monitor for NFSv2/3 locking.
   Loaded: loaded (/usr/lib/systemd/system/rpc-statd.service; static; vendor preset: disabled)
   Active: active (running) since Wed 2018-08-29 21:18:30 EDT; 26s ago
...
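
The two denials above are the symptom of a labeling problem rather than a missing policy rule: the pid file carries the generic var_run_t type while the rpcd_t domain expects rpcd_var_run_t (the restorecon output in this comment shows exactly that transition). As an added example that is not part of the bug report, the following Python triage script parses AVC records out of audit.log, groups the denials per file, and flags a mislabel by comparing the target type with the type the source domain expects; the expected-type table is an assumption seeded only from the restorecon output here, and the two sample records are copied from the audit.log excerpt in this comment.

```python
import re

# Sample input: the two AVC records from the audit.log excerpt in comment 4 (constructed inline).
AVC_LINES = """\
type=AVC msg=audit(1535591621.609:1023): avc:  denied  { unlink } for  pid=4716 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=138007 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535591621.609:1024): avc:  denied  { write } for  pid=4716 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=138007 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
"""

# Assumption: the file type each source domain expects on its own pid file. The rpcd_t entry
# comes from the restorecon output in comment 4 (var_run_t -> rpcd_var_run_t); extend as needed.
EXPECTED_FILE_TYPE = {"rpcd_t": "rpcd_var_run_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: (quoted or bare) for k, _, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec.get("scontext", "::?:").split(":")[2]   # user:role:type:level -> type
    rec["ttype"] = rec.get("tcontext", "::?:").split(":")[2]
    return rec


def classify(rec):
    """Tell a mislabeled target (fix: restorecon) apart from a genuine policy gap."""
    expected = EXPECTED_FILE_TYPE.get(rec["stype"])
    if rec.get("tclass") == "file" and expected and rec["ttype"] != expected:
        return ("mislabeled", f'{rec["name"]} is {rec["ttype"]} but {rec["stype"]} expects '
                              f'{expected}: relabel with restorecon, do not add an allow rule')
    return ("policy-gap", "target label already matches the expected type; needs a policy change")


def analyse(text):
    """Group denials by (comm, name, inode) so one mislabeled file yields one finding."""
    findings = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        kind, why = classify(rec)
        key = (rec.get("comm", "?"), rec.get("name", "?"), rec.get("ino", "?"))
        finding = findings.setdefault(key, {"kind": kind, "why": why, "perms": []})
        finding["perms"].extend(rec["perms"])
    return findings


if __name__ == "__main__":
    for (comm, name, ino), f in analyse(AVC_LINES).items():
        print(f'{comm} on {name} (ino {ino}) denied {f["perms"]}: {f["kind"]} -> {f["why"]}')
```

Running these denials through audit2allow instead would generate an allow rule on var_run_t, which widens the policy for rpcd_t rather than correcting the label.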

Comment 5 Lukas Vrabec 2018-08-30 07:48:05 UTC
Can I close this bug?

Comment 6 Yongcheng Yang 2018-08-30 08:06:38 UTC
So is this not a bug? Or is it someone else's problem?

I thought comment #2 and comment #3 were just workarounds.

Shouldn't we go to investigate why "/var/run/rpc.statd.pid" got mislabeled?

Comment 7 Milos Malik 2018-08-30 08:08:13 UTC
(In reply to Yongcheng Yang from comment #6)
> So is this not a bug? Or is it someone else's problem?
> 
> I thought comment #2 and comment #3 were just workarounds.
> 
> Shouldn't we go to investigate why "/var/run/rpc.statd.pid" got mislabeled?

I agree. We should find out.

Comment 9 Zdenek Pytela 2019-02-28 19:17:02 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

