Bug 167235 - rpc.mountd failed to start after upgrade
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
5
All Linux
medium Severity high
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2005-08-31 15:45 EDT by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.4.5-4.fc5
Doc Type: Bug Fix
Last Closed: 2006-12-14 17:07:43 EST
Attachments
I want you to try to load this policy module (20.82 KB, application/octet-stream)
2006-10-24 08:49 EDT, Daniel Walsh
Can you try this one? (140 bytes, application/octet-stream)
2006-10-24 11:28 EDT, Daniel Walsh
Can you try this one? (140 bytes, application/octet-stream)
2006-10-24 11:56 EDT, Daniel Walsh

Description Orion Poplawski 2005-08-31 15:45:39 EDT
Description of problem:
During the recent update to nfs-utils-1.0.7-11 rpc.mountd failed to start on a
number of machines with the following errors:

Aug 31 04:44:22 aspen rpc.mountd: Caught signal 15, un-registering and exiting.
Aug 31 04:44:26 aspen kernel: nfsd: last server has exited
Aug 31 04:44:26 aspen kernel: nfsd: unexporting all filesystems
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:334): avc:  denied  { read } for  pid=28215 comm="rpc.rquotad" name="[3719671]" dev=pipefs ino=3719671 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:26 aspen kernel: audit(1125485066.710:335): avc:  denied  { write } for  pid=28215 comm="rpc.rquotad" name="[3717144]" dev=pipefs ino=3717144 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
Aug 31 04:44:27 aspen portmap[28228]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Aug 31 04:44:27 aspen rpc.mountd: unable to register (mountd, 3, tcp).

I suspect the rpc.rquotad issues are separate.


How reproducible:
maybe 25%-50% of machines.


Perhaps related to bug #155940.
Comment 1 Steve Dickson 2005-09-01 07:02:19 EDT
Are you doing a lot of NFS mounts at one time (via autofs)?
Comment 2 Orion Poplawski 2005-09-20 18:04:29 EDT
I guess I don't really understand why this would affect rpc.mountd startup. 
I've also seen it fail to start at boot.

Anyways, we have 4 different autofs NIS maps (/opt, /home, /data, /data4).  But
it's generally just mounting one dir at a time.
Comment 3 Orion Poplawski 2006-01-11 12:35:05 EST
Okay, this is getting unbearable.  I would say that rpc.mountd fails to start at
boot maybe 90% of the time.  Please get a handle on this and fix it!  This might
be a duplicate of bug 166918.
Comment 4 Orion Poplawski 2006-10-13 15:16:26 EDT
Dan - 

 I think this is the same issue as with ypbind in bug #155940 and I'm still
seeing it with selinux-policy-targeted-2.3.7-2.fc5.  Does that seem correct?
Comment 5 Orion Poplawski 2006-10-23 17:25:16 EDT
With enable audit turned on, here's what I turned up:

Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc:  denied  { name_bind } for  pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.878:713): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.396:896): avc:  denied  { name_bind } for  pid=7653 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:14:26 antero kernel: audit(1161638066.416:897): avc:  denied  { name_bind } for  pid=7653 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc:  denied  { name_bind } for  pid=8278 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:08 antero kernel: audit(1161638168.010:1214): avc:  denied  { name_bind } for  pid=9127 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:16:29 antero kernel: audit(1161638189.276:1280): avc:  denied  { name_bind } for  pid=9447 comm="rpc.mountd" src=750 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.440:1397): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.604:1398): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=873 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=udp_socket

these all resulted in errors like:

Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
Oct 23 15:17:06 antero mountd[9994]: unable to register (mountd, 3, udp).

and mountd not coming up.
Comment 6 Daniel Walsh 2006-10-24 08:49:10 EDT
Created attachment 139223
I want you to try to load this policy module

semodule -i rpcmountd.pp

Now try rpc.mountd
Comment 7 Orion Poplawski 2006-10-24 10:56:02 EDT
Version mismatch?

# semodule -i rpcmountd.pp
libsepol.permission_copy_callback: Module rpcmountd depends on permission flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!


I built my own from the above avc's and audit2allow and that worked.
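
An added example, not part of the original bug thread and not audit2allow's own code: a small Python parser that groups the name_bind denials from comment 5 by source type, target type and class, and renders each group as an allow rule, the kind of summary the audit2allow step in comment 7 starts from. The function names are hypothetical; the sample lines are copied from comment 5 and rejoined onto single lines.

```python
import re
from collections import defaultdict

# Sample input: four denials from comment 5 (rejoined) plus the portmap line.
SAMPLE_LOG = """\
Oct 23 15:12:02 antero kernel: audit(1161637922.041:447): avc:  denied  { name_bind } for  pid=5514 comm="rpc.mountd" src=631 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=udp_socket
Oct 23 15:13:27 antero kernel: audit(1161638007.882:714): avc:  denied  { name_bind } for  pid=6787 comm="rpc.mountd" src=636 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=udp_socket
Oct 23 15:15:09 antero kernel: audit(1161638109.040:1028): avc:  denied  { name_bind } for  pid=8278 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero kernel: audit(1161638226.440:1397): avc:  denied  { name_bind } for  pid=9994 comm="rpc.mountd" src=847 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
Oct 23 15:17:06 antero portmap[9996]: connect from 127.0.0.1 to set(mountd): request from unprivileged port
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a usable AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type[:level]; policy rules are written on the type.
    return {"perms": m.group(1).split(), "port": f.get("src"),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2], "tclass": f["tclass"]}

def summarize(log_text):
    """Group denials by (source type, target type, class) -> perms and ports seen."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set()})
    for d in filter(None, map(parse_avc, log_text.splitlines())):
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        if d["port"]:
            g["ports"].add(int(d["port"]))
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule that would permit it."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_LOG))))
```

Each rule covers only a port type that appears in the sample; the denials in comment 5 hit a different set of reserved ports on each start, so a log taken from a single start yields fewer rules than the full set of denials.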

Comment 8 Daniel Walsh 2006-10-24 11:28:11 EDT
Created attachment 139234
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile
Comment 9 Daniel Walsh 2006-10-24 11:56:01 EDT
Created attachment 139236
Can you try this one?

Try this one, as this is what I want to add to policy.

You need to put this te file in a directory by itself and execute
make -f /usr/share/selinux/devel/Makefile
Comment 10 Orion Poplawski 2006-10-24 14:11:42 EDT
That works for me, and looks just like what fixed ypbind.
Comment 11 Daniel Walsh 2006-10-24 15:51:01 EDT
Fixed in selinux-policy-2.4.1-3
Comment 12 Orion Poplawski 2006-12-14 17:07:43 EST
Appears fixed in 2.4.5-4.fc5
