After installing Fedora 25, the NFS mounts in my
/etc/fstab were no longer working. I initially thought it was due to missing some dependency but the errors were vague and overall unhelpful. Turns out it is SELinux related.
I NFS mount a few shares from my NAS on all the systems in my home network. I realize that this might not be the best idea, but I find them helpful and, for whatever reason, did not have much luck with
So I slap them in
/etc/fstab to be mounted at boot time. But this stopped working after a fresh Fedora 25 (F25) install. I poked and prodded and kept seeing messages related to
rpc-statd.service. I was pretty sure that that should start by itself and that I shouldn’t have to do anything, but it turns out I was zeroed in on the wrong thing…trying to manhandle that service while ignoring the SELinux messages.
I searched the interwebs for all sorts of things based on the red-herring error message
A dependency job for rpc-statd.service failed. It wasn’t until I finally noticed the SELinux message that I realized that it might be the culprit. So I set SELinux to Permissive momentarily and found that I could mount my NFS shares no problem:
setenforce 0 mount -a
Based on that I restarted my search focusing on SELinux and found Bug 1402427 (NFS mounts fail due to SELinux denial for rpcbind.socket on /run/rpc.statd.lock). I’m really not sure why that didn’t come up in my previous searches, but since it was so hard for me to find I thought I’d pass it along.
The gist of it is that
rpcbind moved from
/usr/bin and so the SELinux contexts were screwed up. There are workarounds offered but the bug was closed because the context was updated in
selinux-policy-3.13.1-225.3.fc25. As it turns out, that is the exact version of the RPM that I have installed…yet it was still not working correctly.
As mentioned in the last comment in the Bugzilla, I still have to reset the label:
sudo restorecon -v /usr/bin/rpcbind restorecon reset /usr/bin/rpcbind context system_u:object_r:bin_t:s0->system_u:object_r:rpcbind_exec_t:s0
Bingo bango, now the NFS mounts in my
/etc/fstab get mounted successfully during boot even with SELinux Enforcing.
I have not added this to my Ansible playbook which configures these NFS mounts because I have faith that it will be addressed correctly by the time I reinstall again.
WHAT I LEARNED
- Don’t ignore SELinux messages
To avoid tl;dr enjoy this instead:
## relabel the moved rpcbind binary sudo restorecon -v /usr/bin/rpcbind