Description of problem:
Using nfs-utils-1.2.4-7.fc16, when I start the nfs server with the following command 'systemctl start nfs-server.service' the following commands are logged to /var/log/messages.

rpc.nfsd[961]: rpc.nfsd: unable to bind inet TCP socket: errno 13 (Permission denied)
rpc.nfsd[961]: rpc.nfsd: unable to bind inet6 TCP socket: errno 13 (Permission denied)
rpc.nfsd[961]: rpc.nfsd: unable to set any sockets for nfsd

When I put selinux in permissive mode, the server comes up as expected.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-18.fc16.noarch
libselinux-2.0.102-6.fc16.x86_64
libselinux-utils-2.0.102-6.fc16.x86_64
selinux-policy-targeted-3.10.0-18.fc16.noarch
libselinux-python-2.0.102-6.fc16.x86_64
nfs-utils-1.2.4-7.fc16

How reproducible: 100%

Steps to Reproduce:
1. systemctl start nfs-server.service
AVC msgs would be fine.
*** This bug has been marked as a duplicate of bug 728307 ***
Shouldn't this have been a duplicate of bug 732968 rather than bug 728307?
I'm not sure either is correct. 732968 is a different bug - Steve specifically says at the end of it that he hits an SELinux issue which he'll 'file as a separate bug', i.e., this one - and 728307 is claimed to be fixed, whereas this is still extant, I just hit it with current nfs-utils and systemd and selinux-policy. Re-opening this bug, for now.
As stated above, I can reproduce with:

[root@adam images]# rpm -q nfs-utils systemd selinux-policy-targeted
nfs-utils-1.2.4-8.fc16.x86_64
systemd-36-3.fc16.x86_64
selinux-policy-targeted-3.10.0-32.fc16.noarch

I think the system is actually booted with systemd-35-1, not 36-3, as I've been up for a while. But #728307 was claimed to be fixed in 35-1.
I don't get any AVCs in /var/log/audit.log, sealert, or /var/log/messages. But the bug definitely goes away if you do setenforce Permissive. It's trivial to reproduce - just set any valid /etc/exports, ensure nfs-utils is installed, and run 'systemctl start nfs-server.service'.
> I'm not sure either is correct.

Um, neither am I. I wonder what I was thinking. I filed a bug of my own at the time, bug 739946. Maybe I should have added the information to this one instead.
*** This bug has been marked as a duplicate of bug 739946 ***
Adam, could you test it with the latest policy? It looks ok and working.
If it doesn't work for you, please could you test it with # semodule -DB
Still doesn't work.

[root@adam adamw]# getenforce
Enforcing
[root@adam adamw]# systemctl start nfs-server.service
Job failed. See system logs and 'systemctl status' for details.
[root@adam adamw]# man semodule
[root@adam adamw]# semodule -DB
[root@adam adamw]# systemctl start nfs-server.service
Job failed. See system logs and 'systemctl status' for details.
[root@adam adamw]# setenforce Permissive
[root@adam adamw]# systemctl start nfs-server.service
[root@adam adamw]# rpm -q selinux-policy
selinux-policy-3.10.0-32.fc16.noarch
Adam, please try to re-test it with the latest build http://koji.fedoraproject.org/koji/buildinfo?buildID=266665
Looks good!
selinux-policy-3.10.0-38.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2011-13775
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.