With SELinux running in enforcing mode, NFS statd cannot start. However, if I turn SELinux to permissive mode, there is no problem. Paul
The messages that I get are:

----------------
Summary:

SELinux is preventing the rpcbind from using potentially mislabeled files (./services).

Detailed Description:

SELinux has denied rpcbind access to potentially mislabeled file(s) (./services). This means that SELinux will not allow rpcbind to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want rpcbind to access this files, you need to relabel them using restorecon -v './services'. You might want to relabel the entire directory using restorecon -R -v '.'.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:object_r:rpm_script_tmp_t:s0
Target Objects                ./services [ file ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          mypc
Source RPM Packages           rpcbind-0.1.4-16.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     mypc
Platform                      Linux mypc 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   73
First Seen                    Sat 06 Sep 2008 10:36:32 PM WEST
Last Seen                     Sun 07 Sep 2008 10:42:52 AM WEST
Local ID                      1107afa5-a33e-457b-b65c-e7fec26fb64d
Line Numbers

Raw Audit Messages

host=mypc type=AVC msg=audit(1220780572.503:49): avc: denied { read } for pid=4150 comm="rpcbind" name="services" dev=dm-0 ino=11649032 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file

host=mypc type=SYSCALL msg=audit(1220780572.503:49): arch=40000003 syscall=5 success=no exit=-13 a0=30ef06 a1=80000 a2=1b6 a3=80000 items=0 ppid=4149 pid=4150 auid=500 uid=32 gid=0 euid=32 suid=32 fsuid=32 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
----------------

Paul
The problem was solved with a relabeling. So, it is not a bug, and I am going to close it. Paul
This is caused by a bug in the post install of the vmware package. vmware edits the /etc/services file in /tmp in the post install of rpm and then mv's it to /etc. This ends up labeling the file rpm_script_tmp_t. restorecon /etc/services would fix the problem.
I get this error as well and I have no VM-Ware installed on my system (except for this package which seems to get pulled in somehow: xorg-x11-drv-vmware-10.16.0-1.fc9.i386). The end result is the same: ntp statd fails to start. Here is the SE Linux alert detail:

Summary:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.

Detailed Description:

SELinux denied access requested by rpcbind. It is not expected that this access is required by rpcbind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcbind_t:s0
Target Context                unconfined_u:system_r:rpcbind_t:s0
Target Objects                None [ capability ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
Port                          <Unknown>
Host                          achiles.fernandes.net
Source RPM Packages           rpcbind-0.1.7-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     achiles.fernandes.net
Platform                      Linux achiles.fernandes.net 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sun 14 Dec 2008 11:49:59 AM GMT
Last Seen                     Sun 14 Dec 2008 11:49:59 AM GMT
Local ID                      14d460c6-e46a-4766-af5c-d34997e8a0ea
Line Numbers

Raw Audit Messages

node=achiles.fernandes.net type=AVC msg=audit(1229255399.217:38): avc: denied { setgid } for pid=7637 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability

node=achiles.fernandes.net type=SYSCALL msg=audit(1229255399.217:38): arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bfe32b50 items=0 ppid=7636 pid=7637 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)
Latest selinux policy should fix this.
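
Added example, not part of the original thread and not setroubleshoot's own code: a small parser for the raw AVC records quoted in the two reports above. It separates the mislabeled-file denial (target type rpm_script_tmp_t, fixed by restorecon) from the capability denial (fixed by a policy update). The function names parse_avc and triage and the triage rule itself are assumptions made for illustration.

```python
import re

# AVC records copied verbatim from the two reports in this thread.
SAMPLE = [
    'host=mypc type=AVC msg=audit(1220780572.503:49): avc: denied { read } for pid=4150 comm="rpcbind" name="services" dev=dm-0 ino=11649032 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file',
    'node=achiles.fernandes.net type=AVC msg=audit(1229255399.217:38): avc: denied { setgid } for pid=7637 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {'file', 'dir', 'lnk_file'}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    rec['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the level may itself contain ':'.
        rec[side[0] + 'type'] = rec[side].split(':', 3)[2]
    return rec


def triage(rec):
    """Assumed heuristic (not setroubleshoot's logic): classify one denial."""
    if rec['tclass'] in FILE_CLASSES and rec['ttype'].endswith('tmp_t'):
        # Object still carries a temp-dir label: created in a tmp dir, then
        # moved with mv, which keeps the old label.
        return ('mislabeled-file',
                'locate inode %s (name %s) and run restorecon -v on it'
                % (rec.get('ino', '?'), rec.get('name', '?')))
    if rec['tclass'] == 'capability' and rec['stype'] == rec['ttype']:
        # The domain is denied a capability on itself: a policy matter.
        return ('policy-gap', 'domain %s lacks capability %s; update selinux-policy'
                % (rec['stype'], ' '.join(rec['perms'])))
    return ('review', 'no rule matched')


if __name__ == '__main__':
    for line in SAMPLE:
        rec = parse_avc(line)
        if rec:
            print(rec['comm'], rec['perms'], rec['tclass'], '->', *triage(rec))
```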