Bug 832776 - SELinux prevents the start of nfs-lock.service
Summary: SELinux prevents the start of nfs-lock.service
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-06-17 10:25 UTC by Georg Sauthoff
Modified: 2012-07-02 07:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-02 07:21:37 UTC
Type: Bug
Embargoed:



Description Georg Sauthoff 2012-06-17 10:25:32 UTC
Description of problem:

Mounting NFS 3 exports via 'mount -t nfs server:...' fails because there is no rpc.statd running. Starting rpc.statd fails because of missing unlink/write permission to /var/run/rpc.statd.pid.


Version-Release number of selected component (if applicable):

$ rpm -q selinux-policy-targeted                    
selinux-policy-targeted-3.10.0-128.fc17.noarch

How reproducible:

Always

Steps to Reproduce:
1. # systemctl start nfs-lock.service 
2.
3.
  
Actual results:

Job failed. See system journal and 'systemctl status' for details.

Expected results:

Exit status 0 and a successfully running rpc.statd.

Additional info:

# sealert -l FIRST_ID
WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:1210): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1210): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1210): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
Gtk-Message: Failed to load module "pk-gtk-module"
SELinux is preventing /usr/sbin/rpc.statd from unlink access on the file rpc.statd.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rpc.statd should be allowed unlink access on the rpc.statd.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rpc.statd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:rpcd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                rpc.statd.pid [ file ]
Source                        rpc.statd
Source Path                   /usr/sbin/rpc.statd
Port                          <Unknown>
Host                          myhost
Source RPM Packages           nfs-utils-1.2.6-0.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     myhost
Platform                      Linux myhost 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3
                              06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 15 Jun 2012 11:21:40 PM CEST
Last Seen                     Fri 15 Jun 2012 11:22:18 PM CEST
Local ID                      FIRST_ID

Raw Audit Messages
type=AVC msg=audit(1339795338.234:393): avc:  denied  { unlink } for  pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1339795338.234:393): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fc8ffc31244 a1=7fff3962cce0 a2=0 a3=7fff3962cd10 items=0 ppid=24338 pid=24339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)

Hash: rpc.statd,rpcd_t,var_run_t,file,unlink

audit2allow

#============= rpcd_t ==============
allow rpcd_t var_run_t:file unlink;

audit2allow -R

#============= rpcd_t ==============
allow rpcd_t var_run_t:file unlink;





# sealert -l SECOND_ID
WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:1204): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1204): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1204): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
Gtk-Message: Failed to load module "pk-gtk-module"
SELinux is preventing /usr/sbin/rpc.statd from write access on the file rpc.statd.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rpc.statd should be allowed write access on the rpc.statd.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rpc.statd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:rpcd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                rpc.statd.pid [ file ]
Source                        rpc.statd
Source Path                   /usr/sbin/rpc.statd
Port                          <Unknown>
Host                          myhost
Source RPM Packages           nfs-utils-1.2.6-0.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     myhost
Platform                      Linux myhost 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3
                              06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 15 Jun 2012 11:21:40 PM CEST
Last Seen                     Fri 15 Jun 2012 11:22:18 PM CEST
Local ID                      SECOND_ID

Raw Audit Messages
type=AVC msg=audit(1339795338.234:394): avc:  denied  { write } for  pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1339795338.234:394): arch=x86_64 syscall=open success=no exit=EACCES a0=7fc8ffc31244 a1=241 a2=1b6 a3=238 items=0 ppid=24338 pid=24339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)

Hash: rpc.statd,rpcd_t,var_run_t,file,write

audit2allow

#============= rpcd_t ==============
allow rpcd_t var_run_t:file write;

audit2allow -R

#============= rpcd_t ==============
allow rpcd_t var_run_t:file write;

Comment 1 Daniel Walsh 2012-06-18 20:40:38 UTC
restorecon -R -v /run

/run/rpc.statd.pid is mislabeled.

Any idea how this happened?  Did you run rpc.statd by hand?

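The sealert output in the report suggests `audit2allow -M mypol`, while Comment 1 points at a mislabeled `/run/rpc.statd.pid` and `restorecon`. The distinction matters: an allow rule generated from these AVCs would grant `rpcd_t` write and unlink on every `var_run_t` file, a much wider permission than the daemon needs, whereas relabeling fixes the actual cause. The script below is an added example (not part of the bug report, setroubleshoot, or audit2allow); it parses the two raw AVC records quoted above, merges them by domain/target/class, and flags a denial whose target carries a generic catch-all type as a probable mislabel that should be checked with `restorecon -n -v` before any policy change. The list of generic types and the verdict strings are assumptions made for this example.

```python
"""Triage SELinux AVC denials: mislabeled file vs. genuine policy gap.

Added example, not code from the bug report or from setroubleshoot/audit2allow.
It parses raw AVC lines and decides whether the first thing to try is
`restorecon` on the target path rather than a local policy module.
GENERIC_TYPES and the verdict/action strings are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Raw AVC records copied from the report above (timestamps, pids and contexts
# are the page's own; nothing in them is invented).
SAMPLE_AVC = """\
type=AVC msg=audit(1339795338.234:393): avc:  denied  { unlink } for  pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1339795338.234:394): avc:  denied  { write } for  pid=24339 comm="rpc.statd" name="rpc.statd.pid" dev="tmpfs" ino=1350058 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

# Generic, catch-all file types. A confined domain being denied on one of
# these usually means the object lost its specific label (created by hand,
# or before the file-context rules were applied), not that policy is wrong.
# Assumption: this short list is illustrative, not exhaustive.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t", "default_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: set
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def stype(self):  # type field of user:role:type:level
        return self.scontext.split(":")[2]

    @property
    def ttype(self):
        return self.tcontext.split(":")[2]


def parse_avc(line):
    """Return a Denial for one raw AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return Denial(set(m.group("perms").split()), kv.get("comm", ""), kv.get("name", ""),
                  kv["scontext"], kv["tcontext"], kv["tclass"])


def audit2allow_rule(d):
    """The allow rule a local module built from this denial would carry
    (braces are used here even for a single permission)."""
    return f"allow {d.stype} {d.ttype}:{d.tclass} {{ {' '.join(sorted(d.perms))} }};"


def triage(lines):
    """Merge denials by (domain, target type, class) and classify each group.
    Returns dicts with the verdict, the first action to take, and the rule
    that blanket audit2allow use would have granted."""
    groups = {}
    for line in lines.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.stype, d.ttype, d.tclass)
        if key in groups:
            groups[key].perms |= d.perms
        else:
            groups[key] = d
    out = []
    for d in groups.values():
        if d.ttype in GENERIC_TYPES:
            verdict = "likely-mislabel"
            action = f"restorecon -n -v <path to {d.name}>   # dry run; drop -n to relabel"
        else:
            verdict = "policy-gap"
            action = "report via sealert; a local module is a stopgap, not the fix"
        out.append({"domain": d.stype, "target": d.ttype, "class": d.tclass,
                    "perms": sorted(d.perms), "verdict": verdict, "action": action,
                    "audit2allow_would_grant": audit2allow_rule(d)})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_AVC):
        for k, v in r.items():
            print(f"{k:24} {v}")
```

Run against the page's two records it collapses them into one group (`rpcd_t` on `var_run_t:file`, permissions `unlink write`) and reports `likely-mislabel`, which is exactly the diagnosis in Comment 1; the rule it shows under `audit2allow_would_grant` is what a blanket `audit2allow -M mypol` would have baked into a permanent module.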
Comment 2 Georg Sauthoff 2012-06-20 09:22:59 UTC
Hm, strange. I did not run restorecon, but now it works after a system reboot.

Directly after system start and before any 'mount -t nfs ...' execution.

# pgrep -l rpc
799 rpcbind
833 rpciod
870 rpc.statd

# systemctl status nfs-lock.service 
nfs-lock.service - NFS file locking service.
          Loaded: loaded (/usr/lib/systemd/system/nfs-lock.service; enabled)
          Active: active (running) since Wed, 20 Jun 2012 12:54:38 +0200
         Process: 863 ExecStart=/sbin/rpc.statd $STATDARG (code=exited, status=0/SUCCESS)
         Process: 821 ExecStartPre=/usr/lib/nfs-utils/scripts/nfs-lock.preconfig (code=exited, status=0/SUCCESS)
        Main PID: 870 (rpc.statd)
          CGroup: name=systemd:/system/nfs-lock.service
                  └ 870 /sbin/rpc.statd

Jun 20 12:54:38 host rpc.statd[870]: Version 1.2.6 starting
Jun 20 12:54:38 host sm-notify[871]: Version 1.2.6 starting

Mounting an NFS 3 share then works via mount -t nfs server:/... as expected.

Before and after installing nfs-utils (yum install nfs-utils) I tested mounting with 'mount -t nfs server:/' (before I did a reboot). And the failing 'systemctl start nfs-lock.service' from the original report was also before the reboot. Perhaps this led to the labeling problem?

Additional information: this Fedora 17 was installed from scratch.

Now the policy is at:
# rpm -q selinux-policy-targeted 
selinux-policy-targeted-3.10.0-130.fc17.noarch

Comment 3 Miroslav Grepl 2012-06-28 12:52:37 UTC
So you are able to reproduce it?

Comment 4 Georg Sauthoff 2012-06-29 08:25:28 UTC
I'll try to reproduce it (via a fresh Fedora 17 install in a vm).

Comment 5 Miroslav Grepl 2012-07-02 07:21:37 UTC
ok, if it happens again, please reopen the bug.

