Bug 750103 - SELinux is preventing /sbin/rpc.statd from 'write' accesses on the file rpc.statd.pid.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:1e4c1fc0a81a01c2f7f2e3072df...
Duplicates: 750162
Reported: 2011-10-31 00:17 UTC by Charles R. Anderson
Modified: 2011-11-23 15:01 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-23 15:01:02 UTC
Type: ---
Embargoed:


Attachments
script of NFS mount attempt (16.11 KB, text/plain)
2011-10-31 10:36 UTC, Charles R. Anderson

Description Charles R. Anderson 2011-10-31 00:17:18 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-5.fc16.x86_64
reason:         SELinux is preventing /sbin/rpc.statd from 'write' accesses on the file rpc.statd.pid.
time:           Sun Oct 30 20:16:32 2011

description:
:SELinux is preventing /sbin/rpc.statd from 'write' accesses on the file rpc.statd.pid.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that rpc.statd should be allowed write access on the rpc.statd.pid file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep rpc.statd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:rpcd_t:s0
:Target Context                unconfined_u:object_r:var_run_t:s0
:Target Objects                rpc.statd.pid [ file ]
:Source                        rpc.statd
:Source Path                   /sbin/rpc.statd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           nfs-utils-1.2.5-1.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-46.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.0-5.fc16.x86_64 #1 SMP Thu Oct 27
:                              03:46:50 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Sun 30 Oct 2011 08:14:58 PM EDT
:Last Seen                     Sun 30 Oct 2011 08:15:41 PM EDT
:Local ID                      b979e6f2-3dbb-4bc2-a848-e7c70b0fec0e
:
:Raw Audit Messages
:type=AVC msg=audit(1320020141.260:91): avc:  denied  { write } for  pid=2284 comm="rpc.statd" name="rpc.statd.pid" dev=tmpfs ino=27781 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1320020141.260:91): arch=x86_64 syscall=open success=no exit=EACCES a0=7fc2f7f3b284 a1=241 a2=1b6 a3=7ffff6b11550 items=0 ppid=2283 pid=2284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)
:
:Hash: rpc.statd,rpcd_t,var_run_t,file,write
:
:audit2allow
:
:#============= rpcd_t ==============
:allow rpcd_t var_run_t:file write;
:
:audit2allow -R
:
:#============= rpcd_t ==============
:allow rpcd_t var_run_t:file write;
:

Comment 1 Miroslav Grepl 2011-10-31 08:43:39 UTC
Have you ever started rpcd directly?

# restorecon -R -v /var/run/rpc*

Should fix your issue. If I am wrong, please reopen the bug. Thank you.
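
A triage sketch for the denial discussed in Comment 1, added here as an example (it is not part of the bug report or of selinux-policy): it parses AVC records and marks those where a `system_u` domain is denied on an object labelled with a different SELinux user, the pattern in this report, as candidates for `restorecon` rather than an `audit2allow` module. The heuristic, the function names and the second sample record are assumptions of this example.

```python
import re

# First record: the AVC from the report above. Third record: constructed for
# contrast (same denial, but the target was created by a system_u process).
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1320020141.260:91): avc:  denied  { write } for  pid=2284 '
    'comm="rpc.statd" name="rpc.statd.pid" dev=tmpfs ino=27781 '
    'scontext=system_u:system_r:rpcd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1320020141.260:91): arch=x86_64 syscall=open success=no\n'
    'type=AVC msg=audit(1320020999.000:99): avc:  denied  { write } for  pid=3000 '
    'comm="rpc.statd" name="example.pid" dev=tmpfs ino=30000 '
    'scontext=system_u:system_r:rpcd_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def split_context(ctx):
    """user:role:type[:level]; the level may itself contain ':', so split 3 times."""
    user, role, type_, level = (ctx.split(":", 3) + [""])[:4]
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["scontext"] = split_context(rec["scontext"])
    rec["tcontext"] = split_context(rec["tcontext"])
    return rec

def triage(log_text):
    """Label each denial 'relabel' or 'review-policy' (heuristic of this example)."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Assumption: a system_u domain denied on an object carrying another
        # SELinux user points to a file created outside the service's start path.
        foreign = (rec["scontext"]["user"] == "system_u"
                   and rec["tcontext"]["user"] != "system_u")
        rec["verdict"] = "relabel" if foreign else "review-policy"
        results.append(rec)
    return results
```

A `relabel` verdict means the file's label should be checked with `restorecon` first; the `allow rpcd_t var_run_t:file write;` rule that audit2allow proposes would apply to every file labelled `var_run_t`, not only this pid file.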

Comment 2 Charles R. Anderson 2011-10-31 10:08:53 UTC
*** Bug 750162 has been marked as a duplicate of this bug. ***

Comment 3 Charles R. Anderson 2011-10-31 10:10:17 UTC
I need some advice then.  How are you supposed to mount an NFS filesystem in Fedora 16?  It failed to mount until I performed this sequence of events:

1. Install from Fedora 16 Final RC2 Live Desktop x86_64
2. yum install nfs-utils
3. systemctl start rpcbind.service
4. systemctl start nfs-lock.service (fails)
5. setenforce 0
6. mount -t nfs ...
7. Report these AVCs (write & unlink on rpc.statd.pid)

Comment 4 Charles R. Anderson 2011-10-31 10:36:36 UTC
Created attachment 530943
script of NFS mount attempt

Full script of session with attempt to mount an NFS filesystem right after a fresh install of Fedora 16 Final RC2 Live Desktop x86_64.  If the procedure I followed was incorrect in such a way as to cause a mislabeled file to be created, then the process is fragile and improvement as well as explanation for the proper procedure would be appreciated.
Thanks.

Comment 5 Miroslav Grepl 2011-10-31 11:45:55 UTC
How about

# yum update --enablerepo=updates-testing

and

# systemctl start nfs-lock.service


I am able to start this service.

