NFS mounts fail after installing Fedora 25

After installing Fedora 25, the NFS mounts in my /etc/fstab were no longer working.  I initially thought it was due to missing some dependency but the errors were vague and overall unhelpful.  Turns out it is SELinux related.

If you do not care to read (or about) all the words and explanations, feel free to skip to the SHORT VERSION

BACKGROUND

I NFS mount a few shares from my NAS on all the systems in my home network.  I realize that this might not be the best idea, but I find them helpful and, for whatever reason, did not have much luck with automout.

So I slap them in /etc/fstab to be mounted at boot time.  But this stopped working after a fresh Fedora 25 (F25) install.  I poked and prodded and kept seeing messages related to rpc-statd.service.  I was pretty sure that that should start by itself and that I shouldn’t have to do anything, but it turns out I was zeroed in on the wrong thing…trying to manhandle that service while ignoring the SELinux messages.

I searched the interwebs for all sorts of things based on the red-herring error message A dependency job for rpc-statd.service failed. It wasn’t until I finally noticed the SELinux message that I realized that it might be the culprit. So I set SELinux to Permissive momentarily and found that I could mount my NFS shares no problem:

setenforce 0
mount -a

Based on that I restarted my search focusing on SELinux and found Bug 1402427 (NFS mounts fail due to SELinux denial for rpcbind.socket on /run/rpc.statd.lock). I’m really not sure why that didn’t come up in my previous searches, but since it was so hard for me to find I thought I’d pass it along.

The gist of it is that rpcbind moved from /usr/sbin to /usr/bin and so the SELinux contexts were screwed up. There are workarounds offered but the bug was closed because the context was updated in selinux-policy-3.13.1-225.3.fc25. As it turns out, that is the exact version of the RPM that I have installed…yet it was still not working correctly.

As mentioned in the last comment in the Bugzilla, I still have to reset the label:

sudo restorecon -v /usr/bin/rpcbind
restorecon reset /usr/bin/rpcbind context system_u:object_r:bin_t:s0->system_u:object_r:rpcbind_exec_t:s0

Bingo bango, now the NFS mounts in my /etc/fstab get mounted successfully during boot even with SELinux Enforcing.


NEXT STEPS

I have not added this to my Ansible playbook which configures these NFS mounts because I have faith that it will be addressed correctly by the time I reinstall again.


WHAT I LEARNED

  • Don’t ignore SELinux messages

REFERENCES:


SHORT VERSION:

To avoid tl;dr enjoy this instead:

## relabel the moved rpcbind binary
sudo restorecon -v /usr/bin/rpcbind

[return to top of page]

Leave a Reply

Your email address will not be published. Required fields are marked *