Description of problem:
With today's nfs-utils 1:1.1.0-4.fc7 update, nfs is broken under selinux. During upgrade I saw the following:

Oct 30 05:21:00 iago kernel: audit(1193743260.159:17): avc: denied { write } for pid=28714 comm="nscd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.164:18): avc: denied { write } for pid=28715 comm="nscd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.190:19): avc: denied { write } for pid=28716 comm="semanage" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.977:20): avc: denied { write } for pid=28717 comm="nscd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:00 iago kernel: audit(1193743260.980:21): avc: denied { write } for pid=28718 comm="nscd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:nscd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:21:07 iago kernel: audit(1193743267.392:22): avc: denied { write } for pid=28788 comm="rpc.statd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:22:06 iago kernel: audit(1193743326.166:23): avc: denied { write } for pid=28874 comm="rpc.idmapd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file
Oct 30 05:22:06 iago rpc.statd[28789]: Caught signal 15, un-registering and exiting.
Oct 30 05:22:06 iago kernel: audit(1193743326.650:24): avc: denied { write } for pid=28923 comm="rpc.statd" name="" dev=pipefs ino=10164880 scontext=user_u:system_r:rpcd_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=fifo_file

These are probably just output going to the yum-cron output. This is the kicker:

Oct 30 05:22:47 iago kernel: audit(1193743367.282:25): avc: denied { getattr } for pid=29019 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file

Got that every mount attempt. Changed to permissive mode and then got:

Oct 30 07:18:42 iago kernel: audit(1193750322.551:257): enforcing=0 old_enforcing=1 auid=4294967295
Oct 30 07:18:42 iago dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0) : exe="/bin/dbus-daemon" (sauid=577, hostname=?, addr=?, terminal=?)
Oct 30 07:18:42 iago kernel: audit(1193750322.555:258): user pid=1787 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received setenforce notice (enforcing=0)
Oct 30 07:18:42 iago kernel: : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'
Oct 30 07:18:47 iago kernel: audit(1193750327.410:259): avc: denied { getattr } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.410:260): avc: denied { execute } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.410:261): avc: denied { read } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.411:262): avc: denied { execute_no_trans } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
Oct 30 07:18:47 iago rpc.statd[2882]: Version 1.1.0 Starting
Oct 30 07:18:47 iago rpc.statd[2882]: Flags:
Oct 30 07:18:47 iago kernel: audit(1193750327.415:263): avc: denied { write } for pid=2882 comm="rpc.statd" name="run" dev=dm-1 ino=20481 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Oct 30 07:18:47 iago kernel: audit(1193750327.415:264): avc: denied { remove_name } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20507 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Oct 30 07:18:47 iago kernel: audit(1193750327.415:265): avc: denied { unlink } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20507 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:rpcd_var_run_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.416:266): avc: denied { add_name } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Oct 30 07:18:47 iago kernel: audit(1193750327.416:267): avc: denied { create } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.416:268): avc: denied { getattr } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20539 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.416:269): avc: denied { write } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20539 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.517:270): avc: denied { read } for pid=2882 comm="rpc.statd" name="earth.cora.nwra.com" dev=dm-1 ino=16523 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=file
Oct 30 07:18:47 iago kernel: audit(1193750327.709:271): avc: denied { setattr } for pid=2882 comm="rpc.statd" name="rpc.statd.pid" dev=dm-1 ino=20539 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7

How reproducible:
All of my F7 machines.
There's also a rpcbind update in the mix too.
There were no changes to rpc.statd in that last update. It seems all the daemon is trying to do is create its pid file, something it has done for a very long time. What changed in the policy that no longer allows rpc.statd to create a file where it's always created it?
*** Bug 358511 has been marked as a duplicate of this bug. ***
The change that is broken in this release is that the mount command is now execing rpc.mountd, which was not happening before. SELinux policy has to be updated to allow mount_t to execute rpc.mountd and transition that process to rpcd_t, which would then be allowed to write the pid file. selinux-policy-2.6.4-51.fc7 has this transition and should fix this problem.
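As an added example (not from the bug report, nfs-utils, or the selinux-policy package), a small triage script that parses the AVC records above and flags the signature of a missing domain transition: a domain denied execute_no_trans on a file labelled *_exec_t, which is exactly the mount_t -> rpcd_exec_t case here. The suggested domtrans_pattern rule and the *_exec_t -> *_t naming rule are assumptions about refpolicy conventions.

```python
import re

# AVC lines copied from the report above (the mount-side denials only).
SAMPLE_AVC = """\
audit(1193750327.410:259): avc: denied { getattr } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
audit(1193750327.410:260): avc: denied { execute } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
audit(1193750327.411:262): avc: denied { execute_no_trans } for pid=2881 comm="start-statd" name="rpc.statd" dev=dm-0 ino=12451 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:rpcd_exec_t:s0 tclass=file
audit(1193750327.415:263): avc: denied { write } for pid=2882 comm="rpc.statd" name="run" dev=dm-1 ino=20481 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial with the fields triage needs."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the rpc.statd startup lines)
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["sdomain"] = d["scontext"].split(":")[2]  # user:role:TYPE:level
        d["ttype"] = d["tcontext"].split(":")[2]
        out.append(d)
    return out


def missing_domtrans(denials):
    """(source domain, exec type) pairs where an *_exec_t file was executed
    without a transition; that is what a policy lacking a domtrans rule
    produces, and it explains the later var_run_t denials from mount_t."""
    found = set()
    for d in denials:
        if (d["tclass"] == "file" and d["ttype"].endswith("_exec_t")
                and "execute_no_trans" in d["perms"]):
            found.add((d["sdomain"], d["ttype"]))
    return sorted(found)


def suggest_te(pairs):
    """Refpolicy rule that would add the transition. The target domain is
    derived from the exec type by the *_exec_t -> *_t convention (assumption)."""
    return ["domtrans_pattern(%s, %s, %s)" % (s, e, e[:-len("_exec_t")] + "_t")
            for s, e in pairs]


if __name__ == "__main__":
    for rule in suggest_te(missing_domtrans(parse_avc(SAMPLE_AVC))):
        print(rule)
```

The `write` denial on var_run_t is a consequence, not the root cause: once the process runs as rpcd_t the pid-file rules that already exist for that domain apply.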