Bug 2218076

Summary: [RHEL 9] avc: denied { write } for pid=26248 comm="nfsdcld" name="/" dev="tmpfs"
Product: Red Hat Enterprise Linux 9 Reporter: Zhi Li <yieli>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.3CC: lvrabec, mmalik, xzhou, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2209174    

Description Zhi Li 2023-06-28 04:55:02 UTC 
Description of problem:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1.14-1.el9.noarch
----
time->Tue Jun 13 02:33:24 2023
type=PROCTITLE msg=audit(1686638004.918:474): proctitle="/usr/sbin/nfsdcld"
type=SYSCALL msg=audit(1686638004.918:474): arch=c000003e syscall=83 success=no exit=-13 a0=55eaea2314db a1=1c0 a2=0 a3=0 items=0 ppid=1 pid=26248 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nfsdcld" exe="/usr/sbin/nfsdcld" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1686638004.918:474): avc:  denied  { write } for  pid=26248 comm="nfsdcld" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
nfs-utils-2.5.4-18.el9.x86_64
selinux-policy-38.1.14-1.el9.noarch


How reproducible:
always


Actual results:
AVC denied

Expected results:
No AVC denied for defined operations

Additional info:
beaker job:
https://beaker.engineering.redhat.com/jobs/7968106
Comment 1 Zdenek Pytela 2023-07-14 12:59:03 UTC 
Hello,

Do you know what are the conditions or configuration change needed to trigger this denial?
Apart from the denial, is there any problem with the service reported?

Can you gather all denials in permissive mode and with full auditing enabled?

0) Run
  # setenforce 0
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Comment 3 Zdenek Pytela 2023-08-15 09:19:54 UTC 
I cannot reproduce the issue. When the nfsdcld service starts, it creates the directory without any issue:

rhel93# ls -lZa /var/lib/nfs
total 4
drwxr-xr-x.  5 root    root    system_u:object_r:var_lib_nfs_t:s0   80 Aug 15 05:11 .
drwxr-xr-x. 32 root    root    system_u:object_r:var_lib_t:s0     4096 Aug 15 05:11 ..
-rw-r--r--.  1 root    root    system_u:object_r:var_lib_nfs_t:s0    0 Aug  7 20:31 etab
-rw-r--r--.  1 root    root    system_u:object_r:var_lib_nfs_t:s0    0 Aug  7 20:31 rmtab
dr-xr-xr-x. 11 root    root    system_u:object_r:rpc_pipefs_t:s0     0 Aug 15 05:11 rpc_pipefs
drwx------.  4 rpcuser rpcuser system_u:object_r:var_lib_nfs_t:s0   30 Aug 15 05:11 statd
drwxr-xr-x.  2 root    root    system_u:object_r:var_lib_nfs_t:s0    6 Aug  7 20:31 v4recovery
rhel93# systemctl start nfsdcld
rhel93# ls -lZa /var/lib/nfs
total 4
drwxr-xr-x.  6 root    root    system_u:object_r:var_lib_nfs_t:s0   95 Aug 15 05:12 .
drwxr-xr-x. 32 root    root    system_u:object_r:var_lib_t:s0     4096 Aug 15 05:11 ..
-rw-r--r--.  1 root    root    system_u:object_r:var_lib_nfs_t:s0    0 Aug  7 20:31 etab
drwx------.  2 root    root    system_u:object_r:var_lib_nfs_t:s0   25 Aug 15 05:12 nfsdcld
-rw-r--r--.  1 root    root    system_u:object_r:var_lib_nfs_t:s0    0 Aug  7 20:31 rmtab
dr-xr-xr-x. 11 root    root    system_u:object_r:rpc_pipefs_t:s0     0 Aug 15 05:11 rpc_pipefs
drwx------.  4 rpcuser rpcuser system_u:object_r:var_lib_nfs_t:s0   30 Aug 15 05:11 statd
drwxr-xr-x.  2 root    root    system_u:object_r:var_lib_nfs_t:s0    6 Aug  7 20:31 v4recovery
rhel93# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<no matches>

Can you share some configuration details which may have effect? For instance, on a default installation, no tmpfs is involved.
Does it require some particular packages version?

rpm -q nfs-utils
cat /proc/mounts
ls -lZa /var/lib/nfs /var/lib/nfs/nfsdcld/
systemctl cat nfsdcld
Comment 4 Zhi Li 2023-08-17 03:08:01 UTC 
(In reply to Zdenek Pytela from comment #3)
> I cannot reproduce the issue. When the nfsdcld service starts, it creates
> the directory without any issue:

FYI: The complete process is included in this caseļ¼š 
https://gitlab.cee.redhat.com/kernel-qe/kernel/-/tree/master/filesystems/nfs/stress/lustre-racer