Description of problem:
Cannot set up NFS server and Cockpit tests using NFS server are now failing. This problem has started with a fedora-34 image refresh, so perhaps systemd update or kernel update might cause it.

Version-Release number of selected component (if applicable):
$ uname -r
5.11.8-300.fc34.x86_64
$ systemctl --version
systemd 248 (v248~rc4-2.fc34)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

How reproducible:

Steps to Reproduce:
1. Have a fresh fedora 34
2. systemctl start nfs-server (content of /etc/exports doesn't seem to affect the bug)

Actual results:
NFS server is not set up.

nfs-mountd.service log says:
Mar 25 13:12:43 fedora systemd[1]: Starting NFS Mount Daemon...
Mar 25 13:12:44 fedora systemd[1]: Started NFS Mount Daemon.
Mar 25 13:12:44 fedora rpc.mountd[2814]: Unable to watch /proc/fs/nfsd/clients: Permission denied
Mar 25 13:12:44 fedora systemd[1]: nfs-mountd.service: Main process exited, code=exited, status=1/FAILURE
Mar 25 13:12:44 fedora systemd[1]: nfs-mountd.service: Failed with result 'exit-code'.

nfs-server.service log says:
Mar 25 13:12:44 fedora systemd[1]: Starting NFS server and services...
Mar 25 13:12:44 fedora rpc.nfsd[2816]: rpc.nfsd: Unable to request RDMA services: Protocol not supported
Mar 25 13:12:44 fedora systemd[1]: Finished NFS server and services.

Expected results:
NFS server will be set up successfully

Additional info:
Also here is part of journalctl where it confirms that mountd failure:

Mar 25 16:16:51 fedora audit[2484]: AVC avc: denied { watch } for pid=2484 comm="rpc.mountd" path="/proc/fs/nfsd/clients" dev="nfsd" ino=113 scontext=system_u:system_r:nfsd_t:s0 tc>

Full log:

Mar 25 16:16:51 fedora systemd[1]: Starting RPC Bind...
Mar 25 16:16:51 fedora audit[2479]: AVC avc: denied { name_bind } for pid=2479 comm="rpcbind" src=62785 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserve>
Mar 25 16:16:51 fedora audit[2479]: SYSCALL arch=c000003e syscall=49 success=no exit=-13 a0=a a1=7fff57a5c1d0 a2=10 a3=b5f2 items=0 ppid=1 pid=2479 auid=4294967295 uid=0 gid=0 euid=0 >
Mar 25 16:16:51 fedora audit: PROCTITLE proctitle=2F7573722F62696E2F72706362696E64002D77002D66
Mar 25 16:16:51 fedora rpcbind[2479]: rpcbind: svc_tli_create: could not bind to anonymous port
Mar 25 16:16:51 fedora systemd[1]: Started RPC Bind.
Mar 25 16:16:51 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpcbind comm="systemd" exe="/usr/lib/systemd/syste>
Mar 25 16:16:51 fedora rpc.statd[2480]: Version 2.5.3 starting
Mar 25 16:16:51 fedora rpc.statd[2480]: Flags: TI-RPC
Mar 25 16:16:51 fedora rpc.statd[2480]: Initializing NSM state
Mar 25 16:16:51 fedora systemd[1]: Started NFS status monitor for NFSv2/3 locking..
Mar 25 16:16:51 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd comm="systemd" exe="/usr/lib/systemd/sys>
Mar 25 16:16:51 fedora kernel: Installing knfsd (copyright (C) 1996 okir.de).
Mar 25 16:16:51 fedora systemd[1]: Mounted NFSD configuration filesystem.
Mar 25 16:16:51 fedora systemd[1]: Starting NFS Mount Daemon...
Mar 25 16:16:51 fedora systemd[1]: Starting NFSv4 Client Tracking Daemon...
Mar 25 16:16:51 fedora systemd[1]: Started NFSv4 Client Tracking Daemon.
Mar 25 16:16:51 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfsdcld comm="systemd" exe="/usr/lib/systemd/syste>
Mar 25 16:16:51 fedora systemd[1]: Started NFS Mount Daemon.
Mar 25 16:16:51 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/sy>
Mar 25 16:16:51 fedora systemd[1]: Starting NFS server and services...
Mar 25 16:16:51 fedora audit[2484]: AVC avc: denied { watch } for pid=2484 comm="rpc.mountd" path="/proc/fs/nfsd/clients" dev="nfsd" ino=113 scontext=system_u:system_r:nfsd_t:s0 tc>
Mar 25 16:16:51 fedora audit[2484]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=a a1=560b36875a20 a2=300 a3=0 items=0 ppid=1 pid=2484 auid=4294967295 uid=0 gid=0 euid=0 s>
Mar 25 16:16:51 fedora audit: PROCTITLE proctitle="/usr/sbin/rpc.mountd"
Mar 25 16:16:51 fedora rpc.mountd[2484]: Unable to watch /proc/fs/nfsd/clients: Permission denied
Mar 25 16:16:51 fedora systemd[1]: nfs-mountd.service: Main process exited, code=exited, status=1/FAILURE
Mar 25 16:16:51 fedora systemd[1]: nfs-mountd.service: Failed with result 'exit-code'.
Mar 25 16:16:51 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/sys>
Mar 25 16:16:51 fedora rpc.nfsd[2486]: rpc.nfsd: Unable to request RDMA services: Protocol not supported
Mar 25 16:16:51 fedora kernel: NFSD: Using nfsdcld client tracking operations.
Mar 25 16:16:51 fedora kernel: NFSD: no clients to reclaim, skipping NFSv4 grace period (net f0000098)
Mar 25 16:16:51 fedora systemd[1]: Reloading GSSAPI Proxy Daemon.
Mar 25 16:16:51 fedora systemd[1]: Reloaded GSSAPI Proxy Daemon.
Mar 25 16:16:51 fedora systemd[1]: Finished NFS server and services.
Mar 25 16:16:51 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/sy>
Mar 25 16:17:10 fedora kernel: kauditd_printk_skb: 12 callbacks suppressed
Mar 25 16:17:10 fedora kernel: audit: type=1400 audit(1616689030.511:520): avc: denied { integrity } for pid=825 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:s>
Mar 25 16:17:10 fedora audit[825]: AVC avc: denied { integrity } for pid=825 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=syste>
Mar 25 16:17:10 fedora audit[825]: SYSCALL arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffe552c5f90 a2=0 a3=0 items=0 ppid=813 pid=825 auid=4294967295 uid=0 gid=0 euid>
Mar 25 16:17:10 fedora kernel: audit: type=1300 audit(1616689030.511:520): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffe552c5f90 a2=0 a3=0 items=0 ppid=813 pid=825 >
Mar 25 16:17:10 fedora audit: PROCTITLE proctitle=2F7661722F6C69622F7063702F706D6461732F6B766D2F706D64616B766D002D64003935
Mar 25 16:17:10 fedora kernel: audit: type=1327 audit(1616689030.511:520): proctitle=2F7661722F6C69622F7063702F706D6461732F6B766D2F706D64616B766D002D64003935
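The triage done by eye in the log above, as an added example that is not part of the original report: it pairs each AVC denial with the failed syscall logged for the same pid and copes with records cut off at ">". The names `triage` and `parse_fields` are chosen here, and the syscall names for 49 and 254 are the x86_64 table entries, not something the report states.

```python
import errno
import re

# Four lines copied from the journal excerpt above, still cut off at ">".
SAMPLE = """\
Mar 25 16:16:51 fedora audit[2479]: AVC avc: denied { name_bind } for pid=2479 comm="rpcbind" src=62785 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserve>
Mar 25 16:16:51 fedora audit[2479]: SYSCALL arch=c000003e syscall=49 success=no exit=-13 a0=a a1=7fff57a5c1d0 a2=10 a3=b5f2 items=0 ppid=1 pid=2479 auid=4294967295 uid=0 gid=0 euid=0 >
Mar 25 16:16:51 fedora audit[2484]: AVC avc: denied { watch } for pid=2484 comm="rpc.mountd" path="/proc/fs/nfsd/clients" dev="nfsd" ino=113 scontext=system_u:system_r:nfsd_t:s0 tc>
Mar 25 16:16:51 fedora audit[2484]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=a a1=560b36875a20 a2=300 a3=0 items=0 ppid=1 pid=2484 auid=4294967295 uid=0 gid=0 euid=0 s>
"""

AVC_RE = re.compile(r"audit\[(\d+)\]: AVC avc:\s+denied\s+\{ ([^}]+) \}(.*)")
SYS_RE = re.compile(r"audit\[(\d+)\]: SYSCALL .*?\bsyscall=(\d+) success=no exit=-(\d+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 (arch=c000003e) names for the two syscall numbers in SAMPLE only.
SYSCALLS = {49: "bind", 254: "inotify_add_watch"}


def parse_fields(rest):
    """Return key=value fields; a value cut by the ">" marker becomes None."""
    cut = rest.endswith(">")
    rest = rest.rstrip(">")
    fields = {}
    for m in KV_RE.finditer(rest):
        value = m.group(2).strip('"')
        fields[m.group(1)] = None if cut and m.end() == len(rest) else value
    return fields


def triage(text):
    """Pair each AVC denial with the failed syscall logged for the same pid."""
    denials, failed = [], {}
    for line in text.splitlines():
        if m := SYS_RE.search(line):
            nr, err = int(m.group(2)), int(m.group(3))
            failed[m.group(1)] = (SYSCALLS.get(nr, str(nr)),
                                  errno.errorcode.get(err, str(err)))
        elif m := AVC_RE.search(line):
            f = parse_fields(m.group(3))
            scon = f.get("scontext")
            denials.append({
                "pid": m.group(1), "comm": f.get("comm"),
                "perms": m.group(2).split(), "tcontext": f.get("tcontext"),
                "target": f.get("path") or f.get("src"),
                "domain": scon.split(":")[2] if scon else None})
    for d in denials:
        d["syscall"], d["errno"] = failed.get(d["pid"], (None, None))
    return denials
```

Both denials come back with `tcontext` set to `None` because the excerpt is truncated; untruncated records (for example from `ausearch -m AVC`) fill it in.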
That is hardly systemd's fault. Moving to SELinux policy, possibly it's also in nfs-utils.
This should be fixed with selinux-policy-3.14.7-27.fc34 which is now in updates-testing.
We have not seen this since March, so confirmed as fixed. Thank you!