Bug 2184456
| Summary: | avc: denied { getattr } comm="nfsd" tcontext=system_u:object_r:tmpfs_t:s0 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | François Rigault <frigo> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 39 | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
Description of problem:
Added an nfs share to expose a folder under /tmp. It works well, but stat -f fails on the mount:

    stat: cannot read file system information for '/mnt/nfs': Input/output error

and an AVC is logged.

Version-Release number of selected component (if applicable):
selinux-policy-38.9-1.fc39.noarch

How reproducible:
All the time

Steps to Reproduce:
1. Define an nfs export:
       /tmp/todel 127.0.0.1(rw,all_squash,anonuid=12345,anongid=12346,sec=sys)
2. Mount it:
       mount 127.0.0.1:/tmp/todel /mnt/nfs -t nfs -o nfsvers=3 -o sec=sys
3. Access it with stat -f:
       $ stat -f /mnt/nfs
       stat: cannot read file system information for '/mnt/nfs': Input/output error

Also from podman:

    $ podman run -v /mnt/nfs:/nas --rm -ti registry.fedoraproject.org/fedora:37 bash
    Error: statfs /mnt/nfs: input/output error

Actual results:

    # ausearch -m AVC -ts recent | audit2why
    type=AVC msg=audit(1680632459.060:1061): avc: denied { getattr } for pid=1635 comm="nfsd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

        Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

Expected results:
Should work, I think.

Additional info:

    # sesearch -A -s kernel_t -c filesystem
    allow domain proc_t:filesystem getattr;
    allow domain security_t:filesystem getattr;
    allow domain sysfs_t:filesystem getattr;
    allow kernel_t filesystem_type:filesystem { mount unmount };
    allow kernel_t fs_t:filesystem getattr;
    allow kernel_t noxattrfs:filesystem getattr; [ nfs_export_all_ro ]:True
    allow kernel_t noxattrfs:filesystem getattr; [ nfs_export_all_rw ]:True

    # seinfo -t tmpfs_t -x
    Types: 1
       type tmpfs_t alias ramfs_t, file_type, filesystem_type, mountpoint, non_auth_file_type, non_security_file_type, polyparent;

    # seinfo -t fs_t -x
    Types: 1
       type fs_t alias { cephfs_t vxfs_t inotifyfs_t }, filesystem_type;

I don't understand why it fails for a tmpfs_t folder but works for a non-tmpfs_t folder.
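As an added illustration (not part of the report or of the selinux-policy project), the following Python model of the rules and type attributes quoted above walks through why audit2why reports a missing allow rule: the only kernel_t rule whose target covers tmpfs_t is the filesystem_type one, and it grants only mount/unmount, whereas an xattr-capable disk filesystem such as ext4 is labelled fs_t and matches the fs_t getattr rule. The only assumption not shown on the page is that kernel_t carries the domain attribute.

```python
import re

# Type -> attribute memberships transcribed from the seinfo output in the report.
# kernel_t carrying the "domain" attribute is an assumption (not shown on the page).
TYPE_ATTRS = {
    "kernel_t": {"domain"},
    "tmpfs_t": {"file_type", "filesystem_type", "mountpoint",
                "non_auth_file_type", "non_security_file_type", "polyparent"},
    "fs_t": {"filesystem_type"},
}

# (source, target, class, perms) transcribed from the sesearch output in the report;
# both conditional rules are included because their booleans are shown as True.
RULES = [
    ("domain", "proc_t", "filesystem", {"getattr"}),
    ("domain", "security_t", "filesystem", {"getattr"}),
    ("domain", "sysfs_t", "filesystem", {"getattr"}),
    ("kernel_t", "filesystem_type", "filesystem", {"mount", "unmount"}),
    ("kernel_t", "fs_t", "filesystem", {"getattr"}),
    ("kernel_t", "noxattrfs", "filesystem", {"getattr"}),
]

# The denial quoted in the report, kept here as sample input.
SAMPLE_AVC = ('type=AVC msg=audit(1680632459.060:1061): avc: denied { getattr } for pid=1635 comm="nfsd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

def parse_avc(line):
    """Return (perms, source type, target type, class) from one AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    # A context is user:role:type[:level]; the type is the third field.
    return (set(m["perms"].split()), m["s"].split(":")[2], m["t"].split(":")[2], m["c"])

def names_for(t):
    """A rule written against a type, or against any attribute it carries, applies to it."""
    return {t} | TYPE_ATTRS.get(t, set())

def evaluate(stype, ttype, tclass, perm):
    """Return (rules granting perm, near misses: right source/target/class, wrong perm).
    An empty first list means the access is denied, which is what audit2why reports."""
    granting, near = [], []
    for src, tgt, cls, perms in RULES:
        if src in names_for(stype) and tgt in names_for(ttype) and cls == tclass:
            (granting if perm in perms else near).append((src, tgt, cls, perms))
    return granting, near
```

Running evaluate() on the parsed sample yields no granting rule for tmpfs_t and one near miss (the filesystem_type mount/unmount rule); substituting fs_t as the target returns the fs_t getattr rule, which is the path that works for exports on ordinary disk filesystems.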