Bug 980712 - SELinux prevents NFS (rpcbind) from working properly (rpc.mountd[822]: Could not bind socket: (13) Permission denied)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2013-07-03 01:53 EDT by Julian Sikorski
Modified: 2013-07-11 16:35 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-11 16:35:09 EDT
Type: Bug
Attachments
ausearch -m avc (292.42 KB, application/x-xz)
2013-07-03 11:47 EDT, Julian Sikorski

Description Julian Sikorski 2013-07-03 01:53:00 EDT
Description of problem:
Since upgrading to F-19, NFS is not working for me unless I set SELinux to permissive. The following is in /var/log/messages:

Jul  3 07:33:45 snowball2 exportfs[762]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
Jul  3 07:33:45 snowball2 exportfs[762]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
Jul  3 07:33:45 snowball2 exportfs[762]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
Jul  3 07:33:45 snowball2 kernel: [   25.985633] NFSD: starting 90-second grace period (net ffffffff81cba800)
Jul  3 07:33:45 snowball2 systemd[1]: Started NFS Server.
Jul  3 07:33:46 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul  3 07:33:46 snowball2 systemd[1]: Starting NFS Remote Quota Server...
Jul  3 07:33:46 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
Jul  3 07:33:46 snowball2 systemd[1]: Started NFS Remote Quota Server.
Jul  3 07:33:46 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
Jul  3 07:33:46 snowball2 systemd[1]: Started NFS Mount Daemon.
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[822]: Could not bind socket: (13) Permission denied
Jul  3 07:33:46 snowball2 rpc.mountd[895]: Version 1.2.7 starting


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-54.fc19.noarch

How reproducible:
always

Steps to Reproduce:
1. systemctl restart rpcbind.service

Actual results:
could not bind socket

Expected results:
nfs works

Additional info:
I have already tried full re-labeling, but it did not help.
Comment 1 Miroslav Grepl 2013-07-03 04:02:37 EDT
Julian,
what does

# ausearch -m avc
Comment 2 Julian Sikorski 2013-07-03 11:47:49 EDT
Created attachment 768309
ausearch -m avc

It does return a lot.
Comment 3 Julian Sikorski 2013-07-03 11:50:39 EDT
Output from /var/log/messages when restarting nfs.service in enforcing and permissive mode.

Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFS Remote Quota Server...
Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFS Mount Daemon...
Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFSv4 ID-name mapping daemon...
Jul  3 17:49:01 snowball2 rpc.mountd[895]: Caught signal 15, un-registering and exiting.
Jul  3 17:49:01 snowball2 systemd[1]: Stopping NFS Server...
Jul  3 17:49:01 snowball2 kernel: [ 2151.481108] nfsd: last server has exited, flushing export cache
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFS Server...
Jul  3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
Jul  3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
Jul  3 17:49:01 snowball2 exportfs[4062]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
Jul  3 17:49:01 snowball2 kernel: [ 2151.506195] NFSD: starting 90-second grace period (net ffffffff81cba800)
Jul  3 17:49:01 snowball2 systemd[1]: Started NFS Server.
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFS Remote Quota Server...
Jul  3 17:49:01 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
Jul  3 17:49:01 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
Jul  3 17:49:01 snowball2 systemd[1]: Started NFS Remote Quota Server.
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4082]: Could not bind socket: (13) Permission denied
Jul  3 17:49:01 snowball2 rpc.mountd[4090]: Version 1.2.7 starting
Jul  3 17:49:01 snowball2 systemd[1]: Started NFS Mount Daemon.
Jul  3 17:49:13 snowball2 dbus-daemon[619]: dbus[619]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[619]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[1756]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[2366]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:13 snowball2 dbus[1645]: avc:  received setenforce notice (enforcing=0)
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFS Remote Quota Server...
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFS Mount Daemon...
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFSv4 ID-name mapping daemon...
Jul  3 17:49:15 snowball2 rpc.mountd[4090]: Caught signal 15, un-registering and exiting.
Jul  3 17:49:15 snowball2 systemd[1]: Stopping NFS Server...
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFS Server...
Jul  3 17:49:15 snowball2 kernel: [ 2165.498373] nfsd: last server has exited, flushing export cache
Jul  3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/filmy: No such file or directory
Jul  3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/stand-up: No such file or directory
Jul  3 17:49:15 snowball2 exportfs[4114]: exportfs: Failed to stat /media/realcrypt1/tv: No such file or directory
Jul  3 17:49:15 snowball2 kernel: [ 2165.517265] NFSD: starting 90-second grace period (net ffffffff81cba800)
Jul  3 17:49:15 snowball2 systemd[1]: Started NFS Server.
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFS Mount Daemon...
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFS Remote Quota Server...
Jul  3 17:49:15 snowball2 systemd[1]: Starting NFSv4 ID-name mapping daemon...
Jul  3 17:49:15 snowball2 systemd[1]: Started NFSv4 ID-name mapping daemon.
Jul  3 17:49:15 snowball2 systemd[1]: Started NFS Remote Quota Server.
Jul  3 17:49:15 snowball2 rpc.mountd[4143]: Version 1.2.7 starting
Jul  3 17:49:15 snowball2 systemd[1]: Started NFS Mount Daemon.
Jul  3 17:49:19 snowball2 fprintd[3994]: ** Message: No devices in use, exit
Comment 4 Daniel Walsh 2013-07-10 18:35:14 EDT
Nothing in those logs about rpcbind or nfs, all about running wine on your machine.

Seems you also have hundreds of wine_t processes running, which is strange since 

unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023  is not even a valid label anymore?
Comment 5 Julian Sikorski 2013-07-11 01:36:20 EDT
Keep in mind that audit.log might be years old (Fedora was first installed on this machine in May 2011) which probably explains obsolete labels.
I was suspecting there is nothing rpcbind-related in the logs. Having said that, please have a look at comment 2: rpc.mountd fails initially, but after setting SELinux in permissive mode, the "could not bind socket" error is gone.
Comment 6 Miroslav Grepl 2013-07-11 11:08:14 EDT
Ok, could you re-test it in permissive and run

# ausearch -m avc -ts recent

Thank you.
Comment 7 Julian Sikorski 2013-07-11 16:35:09 EDT
Hmm, colour me confused. Turns out that the problem has fixed itself sometime between 3 July and today. ausearch -m avc -ts recent returns nothing.
The last "Could not bind socket: (13) Permission denied" was recorded in the logs on 7 July, 09:14. The first yum update after that included the following packages which could be of interest:
kernel-3.9.9-301.fc19.x86_64
selinux-policy-targeted-3.12.1-59.fc19.noarch
In any case, it works now.
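
One way to triage a large ausearch -m avc dump like the one discussed in comments 4 to 6, as an added example that is not part of the original bug thread: it counts denials per source domain, then keeps only records from NFS/RPC processes. The AVC records are constructed samples (not taken from the reporter's attachment and not the cause of this bug), and the function names and the domain list nfsd_t/rpcbind_t/rpcd_t are assumptions.

```shell
#!/bin/sh
# Triage an AVC dump: count denials per source domain, then keep NFS/RPC ones.
# On a real host, feed the functions from: ausearch -m avc -ts recent

# Constructed sample records for illustration only.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1372830500.010:101): avc:  denied  { mmap_zero } for  pid=3100 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1372830501.020:102): avc:  denied  { mmap_zero } for  pid=3101 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1372830502.030:103): avc:  denied  { mmap_zero } for  pid=3102 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1372830826.101:201): avc:  denied  { name_bind } for  pid=1234 comm="rpc.mountd" src=20048 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
EOF
}

# Print "<count> <source type>" for every denial, busiest domain first.
domain_counts() {
  awk '/avc: +denied/ {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^scontext=/) { split($i, c, ":"); n[c[3]]++ }
  }
  END { for (t in n) print n[t], t }' | sort -rn
}

# Print "<comm> <source type>" only for denials from NFS/RPC processes.
# The comm patterns and domain names below are assumptions; adjust to policy.
rpc_denials() {
  awk '/avc: +denied/ {
    comm = ""; dom = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/) { comm = $i; gsub(/^comm=|"/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
    }
    if (comm ~ /^rpc[.]/ || comm == "rpcbind" ||
        dom ~ /^(nfsd|rpcbind|rpcd)_t$/)
      print comm, dom
  }'
}

echo "denials per source domain:"; sample_avc | domain_counts
echo "NFS/RPC denials:";           sample_avc | rpc_denials
```
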