Bug 733127 - SELinux prevents the NFS server from coming up.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-24 20:20 UTC by Steve Dickson
Modified: 2011-10-09 19:34 UTC

Fixed In Version: selinux-policy-3.10.0-38.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-09 19:34:29 UTC
Type: ---
Embargoed:


Description Steve Dickson 2011-08-24 20:20:56 UTC
Description of problem:
Using nfs-utils-1.2.4-7.fc16, when I start the nfs server with
the following command 'systemctl start nfs-server.service' the
following commands are logged to /var/log/messages.

rpc.nfsd[961]: rpc.nfsd: unable to bind inet TCP socket: errno 13 (Permission denied)
rpc.nfsd[961]: rpc.nfsd: unable to bind inet6 TCP socket: errno 13 (Permission denied)
rpc.nfsd[961]: rpc.nfsd: unable to set any sockets for nfsd

When I put selinux in permissive mode, the server comes up
as expected.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-18.fc16.noarch
libselinux-2.0.102-6.fc16.x86_64
libselinux-utils-2.0.102-6.fc16.x86_64
selinux-policy-targeted-3.10.0-18.fc16.noarch
libselinux-python-2.0.102-6.fc16.x86_64
nfs-utils-1.2.4-7.fc16

How reproducible:
100%

Steps to Reproduce:
1. systemctl start nfs-server.service

Comment 1 Miroslav Grepl 2011-08-25 09:29:01 UTC
AVC msgs would be fine.

Comment 2 Miroslav Grepl 2011-08-25 10:57:36 UTC

*** This bug has been marked as a duplicate of bug 728307 ***

Comment 3 Göran Uddeborg 2011-09-20 12:35:16 UTC
Shouldn't this have been a duplicate of bug 732968 rather than bug 728307?

Comment 4 Adam Williamson 2011-09-26 19:48:29 UTC
I'm not sure either is correct. 732968 is a different bug - Steve specifically says at the end of it that he hits an SELinux issue which he'll 'file as a separate bug', i.e., this one - and 728307 is claimed to be fixed, whereas this is still extant, I just hit it with current nfs-utils and systemd and selinux-policy.

Re-opening this bug, for now.

Comment 5 Adam Williamson 2011-09-26 19:49:53 UTC
As stated above, I can reproduce with:

[root@adam images]# rpm -q nfs-utils systemd selinux-policy-targeted
nfs-utils-1.2.4-8.fc16.x86_64
systemd-36-3.fc16.x86_64
selinux-policy-targeted-3.10.0-32.fc16.noarch

I think the system is actually booted with systemd-35-1, not 36-3, as I've been up for a while. But #728307 was claimed to be fixed in 35-1.

Comment 6 Adam Williamson 2011-09-26 19:51:01 UTC
I don't get any AVCs, in /var/log/audit.log, sealert, or /var/log/messages. But the bug definitely goes away if you do setenforce Permissive. It's trivial to reproduce - just set any valid /etc/exports, ensure nfs-utils is installed, and run 'systemctl start nfs-server.service'.

Comment 7 Göran Uddeborg 2011-09-26 20:57:54 UTC
> I'm not sure either is correct.

Um, neither am I.  I wonder what I was thinking.

I filed a bug of my own at the time, bug 739946.  Maybe I should have added the information to this one instead.

Comment 8 Miroslav Grepl 2011-09-27 07:13:02 UTC

*** This bug has been marked as a duplicate of bug 739946 ***

Comment 9 Miroslav Grepl 2011-09-27 13:28:06 UTC
Adam,
could you test it with the latest policy? It looks OK and working.

Comment 10 Miroslav Grepl 2011-09-27 13:31:42 UTC
If it doesn't work for you, please could you test it with

# semodule -DB
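
Added example, not part of the thread or of any participant's comment: `semodule -DB` rebuilds the policy with dontaudit rules disabled, so denials that were previously silent get logged. The script below summarises the AVC denials for one command from audit records. The sample records and the SELinux type names in them are constructed placeholders (the thread never shows the actual denial), and `sample_audit` and `avc_denials` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command.
# On a live system the input would come from the workflow in this bug:
#   semodule -DB                          # rebuild policy, dontaudit rules disabled
#   systemctl start nfs-server.service    # reproduce the failure
#   ausearch -m avc -ts recent | avc_denials rpc.nfsd
#   semodule -B                           # rebuild, dontaudit rules active again

# Constructed sample records. The SELinux types are placeholders: the bug
# report never shows the real denial.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1314217256.101:412): avc:  denied  { name_bind } for  pid=961 comm="rpc.nfsd" src=2049 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1314217256.101:412): arch=c000003e syscall=49 success=no exit=-13 comm="rpc.nfsd" exe="/usr/sbin/rpc.nfsd"
type=AVC msg=audit(1314217256.102:413): avc:  denied  { name_bind } for  pid=961 comm="rpc.nfsd" src=2049 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314217260.007:414): avc:  denied  { read } for  pid=1200 comm="other" name="f" scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# avc_denials COMM: read audit records on stdin and print one line per distinct
# denial for COMM: "<count> <source type> <target type> <class> <permissions>".
avc_denials() {
    awk -v want="$1" '
    function field(key,    i, v) {        # value of key=... on this record
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
            }
        return ""
    }
    # An SELinux context is user:role:type:level; keep only the type.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }
    $1 == "type=AVC" && index($0, " denied ") && field("comm") == want {
        lb = index($0, "{"); rb = index($0, "}")
        perms = substr($0, lb + 1, rb - lb - 1)   # text between the braces
        gsub(/^ +| +$/, "", perms)
        seen[setype(field("scontext")) " " setype(field("tcontext")) " " field("tclass") " " perms]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

sample_audit | avc_denials rpc.nfsd
```

If the summary stays empty in enforcing mode even after `semodule -DB`, the failure is not being recorded as an AVC for that command name, which is itself worth stating in the bug report.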

Comment 11 Adam Williamson 2011-10-04 01:31:02 UTC
Still doesn't work.

[root@adam adamw]# getenforce 
Enforcing
[root@adam adamw]# systemctl start nfs-server.service
Job failed. See system logs and 'systemctl status' for details.
[root@adam adamw]# man semodule
[root@adam adamw]# semodule -DB
[root@adam adamw]# systemctl start nfs-server.service
Job failed. See system logs and 'systemctl status' for details.
[root@adam adamw]# setenforce Permissive
[root@adam adamw]# systemctl start nfs-server.service
[root@adam adamw]# rpm -q selinux-policy
selinux-policy-3.10.0-32.fc16.noarch

Comment 12 Miroslav Grepl 2011-10-04 05:59:28 UTC
Adam,
please try to re-test it with the latest build

http://koji.fedoraproject.org/koji/buildinfo?buildID=266665

Comment 13 Adam Williamson 2011-10-04 20:04:31 UTC
Looks good!

Comment 14 Fedora Update System 2011-10-06 09:35:45 UTC
selinux-policy-3.10.0-38.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/FEDORA-2011-13775

Comment 15 Fedora Update System 2011-10-09 19:34:29 UTC
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

