Description of problem:
Mounting NFS 3 exports via 'mount -t nfs server:...' fails because there is no rpc.statd running. Starting rpc.statd fails because of missing unlink/write permission to /var/run/rpc.statd.pid.

Version-Release number of selected component (if applicable):
    $ rpm -q selinux-policy-targeted
    selinux-policy-targeted-3.10.0-128.fc17.noarch

How reproducible:
Always

Steps to Reproduce:
1. # systemctl start nfs-lock.service

Actual results:
Job failed. See system journal and 'systemctl status' for details.

Expected results:
Exit status 0 and successful running rpc.statd.

Additional info:
    # sealert -l FIRST_ID
    WARNING: Policy would be downgraded from version 27 to 26.

    ** (setroubleshoot:1210): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

    ** (setroubleshoot:1210): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

    ** (setroubleshoot:1210): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
    Gtk-Message: Failed to load module "pk-gtk-module"
    SELinux is preventing /usr/sbin/rpc.statd from unlink access on the file rpc.statd.pid.

    ***** Plugin catchall (100. confidence) suggests ***************************

    If you believe that rpc.statd should be allowed unlink access on the rpc.statd.pid file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep rpc.statd /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    WARNING: Policy would be downgraded from version 27 to 26.
    WARNING: Policy would be downgraded from version 27 to 26.

    Additional Information:
    Source Context                system_u:system_r:rpcd_t:s0
    Target Context                unconfined_u:object_r:var_run_t:s0
    Target Objects                rpc.statd.pid [ file ]
    Source                        rpc.statd
    Source Path                   /usr/sbin/rpc.statd
    Port                          <Unknown>
    Host                          myhost
    Source RPM Packages           nfs-utils-1.2.6-0.fc17.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     myhost
    Platform                      Linux myhost 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64
    Alert Count                   3
    First Seen                    Fri 15 Jun 2012 11:21:40 PM CEST
    Last Seen                     Fri 15 Jun 2012 11:22:18 PM CEST
    Local ID                      FIRST_ID

    Raw Audit Messages
    type=AVC msg=audit(1339795338.234:393): avc: denied { unlink } for pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

    type=SYSCALL msg=audit(1339795338.234:393): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fc8ffc31244 a1=7fff3962cce0 a2=0 a3=7fff3962cd10 items=0 ppid=24338 pid=24339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)

    Hash: rpc.statd,rpcd_t,var_run_t,file,unlink

    audit2allow

    #============= rpcd_t ==============
    allow rpcd_t var_run_t:file unlink;

    audit2allow -R

    #============= rpcd_t ==============
    allow rpcd_t var_run_t:file unlink;

    # sealert -l SECOND_ID
    WARNING: Policy would be downgraded from version 27 to 26.

    ** (setroubleshoot:1204): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

    ** (setroubleshoot:1204): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

    ** (setroubleshoot:1204): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
    Gtk-Message: Failed to load module "pk-gtk-module"
    SELinux is preventing /usr/sbin/rpc.statd from write access on the file rpc.statd.pid.

    ***** Plugin catchall (100. confidence) suggests ***************************

    If you believe that rpc.statd should be allowed write access on the rpc.statd.pid file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep rpc.statd /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    WARNING: Policy would be downgraded from version 27 to 26.
    WARNING: Policy would be downgraded from version 27 to 26.

    Additional Information:
    Source Context                system_u:system_r:rpcd_t:s0
    Target Context                unconfined_u:object_r:var_run_t:s0
    Target Objects                rpc.statd.pid [ file ]
    Source                        rpc.statd
    Source Path                   /usr/sbin/rpc.statd
    Port                          <Unknown>
    Host                          myhost
    Source RPM Packages           nfs-utils-1.2.6-0.fc17.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     myhost
    Platform                      Linux myhost 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64
    Alert Count                   3
    First Seen                    Fri 15 Jun 2012 11:21:40 PM CEST
    Last Seen                     Fri 15 Jun 2012 11:22:18 PM CEST
    Local ID                      SECOND_ID

    Raw Audit Messages
    type=AVC msg=audit(1339795338.234:394): avc: denied { write } for pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

    type=SYSCALL msg=audit(1339795338.234:394): arch=x86_64 syscall=open success=no exit=EACCES a0=7fc8ffc31244 a1=241 a2=1b6 a3=238 items=0 ppid=24338 pid=24339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)

    Hash: rpc.statd,rpcd_t,var_run_t,file,write

    audit2allow

    #============= rpcd_t ==============
    allow rpcd_t var_run_t:file write;

    audit2allow -R

    #============= rpcd_t ==============
    allow rpcd_t var_run_t:file write;

    restorecon -R -v /run

/run/rpc.statd.pid is mislabeled. Any idea how this happened? Did you run rpc.statd by hand?
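Added example, not part of the bug report or of any comment in it: a Python triage of the two AVC records quoted in the report, separating denials whose target file carries a generic type (a labeling problem, to be checked with a restorecon dry run) from denials that call for a policy review. The list of generic types, the third sample record and the function names are assumptions made for this example.

```python
import re

# Assumption for this example: generic fallback types that a confined daemon's own files should not carry.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_t", "var_lib_t", "default_t", "unlabeled_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records 1 and 2 are the AVC lines from the report; record 3 is constructed for contrast.
SAMPLE = [
    'type=AVC msg=audit(1339795338.234:393): avc: denied { unlink } for pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1339795338.234:394): avc: denied { write } for pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1339795400.000:401): avc: denied { read } for pid=2000 comm="exampled" name="example.conf" dev="dm-0" ino=42 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file',
]


def parse_avc(line):
    """Parse one AVC denial (contexts are user:role:type:level); None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    src = f.get("scontext", "").split(":")
    tgt = f.get("tcontext", "").split(":")
    return {"perms": m.group("perms").split(), "name": f.get("name"),
            "tuser": tgt[0],
            "stype": src[2] if len(src) > 2 else None,
            "ttype": tgt[2] if len(tgt) > 2 else None}


def triage(lines):
    """Merge denials per (source type, target type, name, user) and pick a first step."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["name"], rec["tuser"])
        groups.setdefault(key, set()).update(rec["perms"])
    findings = []
    for (stype, ttype, name, tuser), perms in groups.items():
        findings.append({
            "source": stype, "target": ttype, "name": name, "perms": sorted(perms),
            # unconfined_u on the file suggests a login-session process created it.
            "made_in_session": tuser == "unconfined_u",
            "next_step": "restorecon -n -v <path>" if ttype in GENERIC_TYPES else "review policy",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Both denials from the report collapse into one finding on rpc.statd.pid, which points at the file's label rather than at a missing allow rule, so the audit2allow module suggested by sealert is not the first thing to try.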

Hm, strange. I did not run restorecon, but now it works after a system reboot.

Directly after system start and before any 'mount -t nfs ...' execution:

    # pgrep -l rpc
    799 rpcbind
    833 rpciod
    870 rpc.statd

    # systemctl status nfs-lock.service
    nfs-lock.service - NFS file locking service.
              Loaded: loaded (/usr/lib/systemd/system/nfs-lock.service; enabled)
              Active: active (running) since Wed, 20 Jun 2012 12:54:38 +0200
             Process: 863 ExecStart=/sbin/rpc.statd $STATDARG (code=exited, status=0/SUCCESS)
             Process: 821 ExecStartPre=/usr/lib/nfs-utils/scripts/nfs-lock.preconfig (code=exited, status=0/SUCCESS)
            Main PID: 870 (rpc.statd)
              CGroup: name=systemd:/system/nfs-lock.service
                      └ 870 /sbin/rpc.statd

    Jun 20 12:54:38 host rpc.statd[870]: Version 1.2.6 starting
    Jun 20 12:54:38 host sm-notify[871]: Version 1.2.6 starting

Mounting an NFS 3 share then works via mount -t nfs server:/... as expected.

Before and after installing nfs-utils (yum install nfs-utils) I tested mounting with 'mount -t nfs server:/' (before I did a reboot). And the failing 'systemctl start nfs-lock.service' from the original report was also before the reboot.

Perhaps this led to the labeling problem?

Additional information: this Fedora 17 was installed from scratch.

Now the policy is at:

    # rpm -q selinux-policy-targeted
    selinux-policy-targeted-3.10.0-130.fc17.noarch
So you are able to reproduce it?
I'll try to reproduce it (via a fresh Fedora 17 install in a vm).
ok, if it happens again, please reopen the bug.