Bug 166577
| Summary: | avc denied messages for rpc.rquotad | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | FC4 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-09-19 18:34:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
How is rpc.rquotad labeled on your system. It is sbin_t on mine which means it would run as initrc_t. It probably needs a domain for itself to be properly protected. Dan Ah, looks like it wasn't labeled properly: # fixfiles -R quota relabel /sbin/restorecon reset /usr/sbin/rpc.rquotad context system_u:object_r:rpcd_exec_t->system_u:object_r:sbin_t Restarted nfs and now I don't see the denied messages. Looks like it didn't get relabeled properly after the upgrade from FC3->FC4? |
Description of problem: Seeing the following on one of our nfs servers: Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2652): avc: denied { getattr } for pid=2510 comm="rpc.rquotad" name="mtab" dev=dm-0 ino=87007 scontext=system_u:system_r:rpcd_t tcontext=root:object_r:etc_runtime_t tclass=file Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2653): avc: denied { search } for pid=2510 comm="rpc.rquotad" name="export" dev=dm-0 ino=96001 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir Aug 22 16:28:17 alexandria kernel: audit(1124749697.683:2654): avc: denied { getattr } for pid=2510 comm="rpc.rquotad" name="/" dev=hda5 ino=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir I don't implement quotas on this machine so I'm not sure if quota functionality is affected, but I'm hesitant to upgrade my fc3 server that does until this is resolved. Version-Release number of selected component (if applicable): selinux-policy-targeted-1.25.3-12 How reproducible: everytime Steps to Reproduce: 1. run quota on a client while an nfs mount from the server is mounted.