Debian 12.1 statd and mountd fail to start with fixed ports #629
Comments
Actually a bit more on this, this works fine if you let NFS daemons choose their ports but if you try to fix them this breaks.
This breaks.
I now get mountd to start but statd is still failing..
|
Disable dontaudit rules and restart the service: semanage dontaudit off |
Okay audit2allow now says:
Or the raw log if that's more what you want:
|
This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress. |
I guess still not fixed so should stay open? |
You would need to add the rules to your policy to allow the access, as suggested by your audit2allow output.
|
I can make it work with various rules applied via audit2allow, sure. But shouldn't statd SELinux policies respect these,
, as mountd and lockd already do? This is true on RHEL based SELinux implementations. |
I can't speak to the RHEL policy, but I don't see this access in the Fedora policy. |
On a Fedora 39, I can just set the ports for statd, lockd and mountd in: And this just works with SELinux, no setting nfs_port_t's or anything. |
This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress. |
This is still an issue, seems strange to auto close bugs with no fix. |
refpolicy starts from a more secure state. Adding rules is much easier than removing rules. |
As I previously said, even if the refpolicy is more secure, shouldn't statd SELinux policies respect these,
, as mountd and lockd already do? |
When I have SELinux enforcing on
Aug 15 12:31:34 deb12 rpc.statd[811]: Version 2.6.2 starting
Aug 15 12:31:34 deb12 rpc.statd[811]: Flags: TI-RPC
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: failed to create RPC listeners, exiting
.
.
Aug 15 12:31:34 deb12 systemd[1]: rpc-statd.service: Control process exited, code=exited, status=1/FAILURE
Aug 15 12:31:23 deb12 systemd[1]: Mounted run-rpc_pipefs.mount - RPC Pipe File System.
Aug 15 12:31:24 deb12 systemd[1]: Starting nfs-mountd.service - NFS Mount Daemon...
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
.
Aug 15 12:31:24 deb12 rpc.mountd[758]: mountd: No V2 or V3 listeners created!
Aug 15 12:31:24 deb12 rpc.mountd[760]: Version 2.6.2 starting
Aug 15 12:31:24 deb12 systemd[1]: Started nfs-mountd.service - NFS Mount Daemon.
audit2allow reports nothing.
I may be missing something, I have only ever used RHEL like systems and not tried Debian SELinux before (or Debian for years TBH).
I seem to have:
selinux-policy-default/stable,now 2:2.20221101-9 all [installed]
But I did see it saying that it was updating the policy when I installed SELinux, not sure if that is outwith the package manager?
And have applied:
setsebool -P nfs_export_all_rw 1
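The diagnostic pattern that runs through this thread (a daemon logs `Could not bind socket: (13) Permission denied` while audit2allow reports nothing, until dontaudit rules are disabled) can be checked mechanically. This is an added example, not code from the issue or from refpolicy: the function names are hypothetical, the journal lines are copied from the report, and the audit record (its types and port 32767) is constructed for illustration.

```python
import re
from collections import defaultdict

# Journal format as in the issue: "<date> <host> rpc.statd[811]: Could not bind socket: (13) ..."
BIND_EACCES = re.compile(
    r"\s(?P<comm>[\w.\-]+)\[\d+\]: Could not bind socket: \(13\) Permission denied")
# Fields of a standard SELinux AVC denial record
AVC = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]+)"'
    r'(?:.*?\bsrc=(?P<port>\d+))?.*?\bscontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def triage(journal_lines, audit_lines):
    """Pair each daemon that hit EACCES on bind() with its name_bind denials."""
    failures, denials = defaultdict(int), defaultdict(set)
    for line in journal_lines:
        m = BIND_EACCES.search(line)
        if m:
            failures[m["comm"]] += 1
    for line in audit_lines:
        m = AVC.search(line)
        if m and "name_bind" in m["perms"].split():
            denials[m["comm"]].add((selinux_type(m["scon"]), selinux_type(m["tcon"]),
                                    m["tclass"], m["port"] or "?"))
    # EACCES with no AVC record suggests a dontaudit rule is hiding the denial;
    # the thread's advice is "semanage dontaudit off" and a service restart.
    return {comm: {"bind_failures": n,
                   "denials": sorted(denials[comm]) if comm in denials else [],
                   "likely_dontaudit": comm not in denials}
            for comm, n in failures.items()}

# Journal lines copied from the issue.
JOURNAL = [
    "Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied",
    "Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied",
    "Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied",
]
# Constructed audit record (not from the issue): types and port are illustrative.
AUDIT = [
    'type=AVC msg=audit(1692099084.101:201): avc:  denied  { name_bind } for  pid=758 '
    'comm="rpc.mountd" src=32767 scontext=system_u:system_r:nfsd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
]

if __name__ == "__main__":
    for comm, info in triage(JOURNAL, AUDIT).items():
        print(comm, info)
```

The kernel truncates `comm` in audit records to 15 characters, so longer daemon names would need prefix matching rather than the exact match used here.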