RHEL6 and hosts.allow permissions


We've been fighting some strange behavior this week with NFS shares and mount points. There's been a strange RHEL5 NFS client to RHEL6 NFS server mounting issue which just cropped up on hosts which have been configured and working for over a year or two. Maybe some patch changes with NFS or rpcbind? Possibly just permissions on /etc/hosts.allow itself. Do they have to be 444?

Anyway, we also had to add entries (all of a sudden) into our /etc/hosts.allow files for lockd, mountd, rquotad, statd, rpcbind, and portmap. These are only needed for the RHEL5 NFS clients - we know - but again, hadn't been configured like that for some time. I've seen mention of that on the Internet, but had never put them in before now.

Also on the NFS server, the /etc/hosts.allow had to have permissions of 444 so showmount and rpcinfo would work correctly. We had the perms set to 440, but just now discovered this issue with showmount. It needed world readable perms?

I can't find mention of the permission requirements for hosts.allow anywhere. But I've had to do this on multiple networks with RHEL6 NFS servers. (heavily STIG'd hosts)

There are tons of questions like this out there on the Internet, like RPC permission denies and systems not registered and all that. Nothing new really, but the TCP wrapper permissions stumped us.

Does any of this ring a bell with anyone? It was just strange to get called in on the weekend after long-term NFS mounts failed to mount again. I suspect since we have puppet setting the perms on /etc/hosts.allow that probably broke stuff until someone restarted NFS or rebooted. That must be it. It doesn't seem right to require 444 on hosts.allow. What else could be the problem - other than too many STIGs?

:-\

Running latest RHEL 6.7 with all the latest patches as of today - November 15, 2015.

Thanks for any insight.

Cheers,
Chris
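
A check for the two conditions the post above describes (the mode of hosts.allow and a rule for each listed daemon), as an added example that is not part of the original post. The function names, the sample file and its `192.0.2.` client pattern are constructed for illustration; the daemon names are the ones listed in the post.

```shell
#!/bin/bash
# Added example (not from the post): audit a hosts.allow file for the two
# conditions described above. Function names here are hypothetical.
DAEMONS="lockd mountd rquotad statd rpcbind portmap"  # names listed in the post

# Succeeds if the "other" read bit is set (mode 444 passes, 440 fails).
world_readable() {
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# Prints each daemon in $DAEMONS that no rule names. Joins backslash-continued
# lines; a rule for ALL covers every daemon. EXCEPT is not interpreted.
missing_daemons() {
    awk -v want="$DAEMONS" '
        /^[ \t]*#/ { next }
        { line = line $0 }
        line ~ /\\$/ { sub(/\\$/, " ", line); next }
        {
            split(line, f, ":"); line = ""
            n = split(f[1], d, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                sub(/@.*/, "", d[i])          # daemon@host form
                if (d[i] != "") seen[d[i]] = 1
            }
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!("ALL" in seen) && !(w[i] in seen)) print w[i]
        }' "$1"
}

# Reports both findings; returns non-zero if either check fails.
audit_hosts_allow() {
    rc=0
    world_readable "$1" || { echo "$1: not world-readable"; rc=1; }
    m=$(missing_daemons "$1" | tr '\n' ' ')
    [ -z "$m" ] || { echo "$1: no rule for: $m"; rc=1; }
    return $rc
}

# Constructed sample input: mode 440, no portmap rule.
sample=$(mktemp)
printf '%s\n' 'lockd, mountd, rquotad : 192.0.2.' \
              'statd rpcbind : 192.0.2.' > "$sample"
chmod 440 "$sample"
audit_hosts_allow "$sample" || true
rm -f "$sample"
```

Running `audit_hosts_allow /etc/hosts.allow` after each configuration-management run shows whether the mode or the entries have been changed back.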

Responses