Bug 118946
| Summary: | NFSD won't serve files | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | G.Wolfe Woodbury <redwolfe> |
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2004-04-06 23:52:08 UTC | Type: | --- |
| Bug Blocks: | 114961 | ||
Could you include the avc messages?

The avc messages are 14 MB at the moment, they are at: http://wolves.homeip.net/~ggw/texts/nfsd.avc

Fixed in policy-1.9-15

Under policy 1.9-15 I get "permission denied" from the mounting machine no matter what sort of shenanigans I play with the firewall and permissions.
/etc/exports:
/srv 10.11.12.0/255.255.255.0(rw,sync,no_root_squash)
/home/Fedora 10.11.12.0/255.255.255.0(rw,sync)
avc's when starting NFSd:
Mar 27 03:31:38 tembo kernel: audit(1080376298.281:0): avc: denied {
getattr } for pid=2299 exe=/usr/sbin/exportfs path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:31:38 tembo kernel: audit(1080376298.283:0): avc: denied {
getattr } for pid=2299 exe=/usr/sbin/exportfs path=/home dev=hda6
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Mar 27 03:31:38 tembo nfs: Starting NFS services: succeeded
Mar 27 03:31:38 tembo nfs: rpc.rquotad startup succeeded
Mar 27 03:31:38 tembo kernel: Installing knfsd (copyright (C) 1996
okir.de).
Mar 27 03:31:39 tembo kernel: SELinux: initialized (dev , type nfsd),
uses genfs_contexts
Mar 27 03:31:39 tembo nfs: rpc.nfsd startup succeeded
Mar 27 03:31:39 tembo kernel: audit(1080376299.212:0): avc: denied {
getattr } for pid=2323 exe=/usr/sbin/rpc.mountd path=/home dev=hda6
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Mar 27 03:31:39 tembo kernel: audit(1080376299.214:0): avc: denied {
getattr } for pid=2323 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:31:39 tembo nfs: rpc.mountd startup succeeded
Mar 27 03:32:19 tembo kernel: audit(1080376339.645:0): avc: denied {
getattr } for pid=2324 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:32:19 tembo rpc.mountd: authenticated mount request from
wolves.private:822 for /srv (/srv)
Mar 27 03:32:19 tembo kernel: audit(1080376339.767:0): avc: denied {
getattr } for pid=2324 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:32:19 tembo rpc.mountd: can't stat exported dir /srv:
Permission denied
ls -Z for /srv:
drwxrwsrwx ggw ggw system_u:object_r:default_t srv
ls -Z for /usr/sbin/rpc.nfsd
-rwxr-xr-x+ root root system_u:object_r:nfsd_exec_t
/usr/sbin/rpc.nfsd

As of policy 1.9.2-12 in enforcing mode, NFS mount from another machine works as specified.

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114

Description of problem:
With selinux enabled, nfsd won't read the partition being served and also refuses connections. /var/log/messages reports lots of AVCs for no read for nfsd.

Version-Release number of selected component (if applicable):
2.1.253.1

How reproducible:
Always

Steps to Reproduce:
1. Install from development
2. export a filesystem (e.g. /srv)
3. attempt to connect

Actual Results:
AVCs for ( read ) for nfsd processes and client reports permission denied

Expected Results:
normal file serving

Additional info:
I have a /srv partition with the development tree mirrored and selinux default permissions under 1.9 policy won't allow normal user access or nfsd access. This may be the same cause as other bugs I've reported.
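
Added example, not part of the original report or of the policy package: a short Python parser that rejoins the hard-wrapped AVC records quoted in the comments above and counts denials by source type, target type, class, permission and path, which helps when the full log is too large to read by eye. The sample is copied from the excerpt on this page; the function names `unwrap` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Sample copied from the wrapped log excerpt on this page (three denials, one plain line).
SAMPLE = """\
Mar 27 03:31:38 tembo kernel: audit(1080376298.281:0): avc: denied {
getattr } for pid=2299 exe=/usr/sbin/exportfs path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:31:39 tembo kernel: audit(1080376299.212:0): avc: denied {
getattr } for pid=2323 exe=/usr/sbin/rpc.mountd path=/home dev=hda6
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Mar 27 03:31:39 tembo nfs: rpc.mountd startup succeeded
Mar 27 03:32:19 tembo kernel: audit(1080376339.645:0): avc: denied {
getattr } for pid=2324 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def unwrap(text):
    """Rejoin hard-wrapped records; a new record starts with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Count denials per (source type, target type, class, permission, path)."""
    counts = Counter()
    for rec in unwrap(text):
        m = AVC.search(rec)
        if not m:
            continue  # ordinary syslog line, not a denial
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        stype = fields["scontext"].split(":")[2]  # user:role:type
        ttype = fields["tcontext"].split(":")[2]
        for perm in m.group(1).split():
            counts[(stype, ttype, fields["tclass"], perm, fields.get("path", "?"))] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE).most_common())
```
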