Bug 2218076
| Summary: | [RHEL 9] avc: denied { write } for pid=26248 comm="nfsdcld" name="/" dev="tmpfs" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Zhi Li <yieli> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | NEW --- | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.3 | CC: | lvrabec, mmalik, xzhou, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2209174 | ||
Hello, Do you know what are the conditions or configuration change needed to trigger this denial? Apart from the denial, is there any problem with the service reported? Can you gather all denials in permissive mode and with full auditing enabled? 0) Run # setenforce 0 1) Open the /etc/audit/rules.d/audit.rules file in an editor. 2) Remove the following line if it exists: -a task,never 3) Add the following line to the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run your scenario. 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today I cannot reproduce the issue. When the nfsdcld service starts, it creates the directory without any issue: rhel93# ls -lZa /var/lib/nfs total 4 drwxr-xr-x. 5 root root system_u:object_r:var_lib_nfs_t:s0 80 Aug 15 05:11 . drwxr-xr-x. 32 root root system_u:object_r:var_lib_t:s0 4096 Aug 15 05:11 .. -rw-r--r--. 1 root root system_u:object_r:var_lib_nfs_t:s0 0 Aug 7 20:31 etab -rw-r--r--. 1 root root system_u:object_r:var_lib_nfs_t:s0 0 Aug 7 20:31 rmtab dr-xr-xr-x. 11 root root system_u:object_r:rpc_pipefs_t:s0 0 Aug 15 05:11 rpc_pipefs drwx------. 4 rpcuser rpcuser system_u:object_r:var_lib_nfs_t:s0 30 Aug 15 05:11 statd drwxr-xr-x. 2 root root system_u:object_r:var_lib_nfs_t:s0 6 Aug 7 20:31 v4recovery rhel93# systemctl start nfsdcld rhel93# ls -lZa /var/lib/nfs total 4 drwxr-xr-x. 6 root root system_u:object_r:var_lib_nfs_t:s0 95 Aug 15 05:12 . drwxr-xr-x. 32 root root system_u:object_r:var_lib_t:s0 4096 Aug 15 05:11 .. -rw-r--r--. 1 root root system_u:object_r:var_lib_nfs_t:s0 0 Aug 7 20:31 etab drwx------. 2 root root system_u:object_r:var_lib_nfs_t:s0 25 Aug 15 05:12 nfsdcld -rw-r--r--. 1 root root system_u:object_r:var_lib_nfs_t:s0 0 Aug 7 20:31 rmtab dr-xr-xr-x. 11 root root system_u:object_r:rpc_pipefs_t:s0 0 Aug 15 05:11 rpc_pipefs drwx------. 4 rpcuser rpcuser system_u:object_r:var_lib_nfs_t:s0 30 Aug 15 05:11 statd drwxr-xr-x. 2 root root system_u:object_r:var_lib_nfs_t:s0 6 Aug 7 20:31 v4recovery rhel93# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot <no matches> Can you share some configuration details which may have effect? For instance, on a default installation, no tmpfs is involved. Does it require some particular packages version? rpm -q nfs-utils cat /proc/mounts ls -lZa /var/lib/nfs /var/lib/nfs/nfsdcld/ systemctl cat nfsdcld (In reply to Zdenek Pytela from comment #3) > I cannot reproduce the issue. When the nfsdcld service starts, it creates > the directory without any issue: FYI: The complete process is included in this caseļ¼ https://gitlab.cee.redhat.com/kernel-qe/kernel/-/tree/master/filesystems/nfs/stress/lustre-racer |
Description of problem: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-38.1.14-1.el9.noarch ---- time->Tue Jun 13 02:33:24 2023 type=PROCTITLE msg=audit(1686638004.918:474): proctitle="/usr/sbin/nfsdcld" type=SYSCALL msg=audit(1686638004.918:474): arch=c000003e syscall=83 success=no exit=-13 a0=55eaea2314db a1=1c0 a2=0 a3=0 items=0 ppid=1 pid=26248 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nfsdcld" exe="/usr/sbin/nfsdcld" subj=system_u:system_r:rpcd_t:s0 key=(null) type=AVC msg=audit(1686638004.918:474): avc: denied { write } for pid=26248 comm="nfsdcld" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 Version-Release number of selected component (if applicable): nfs-utils-2.5.4-18.el9.x86_64 selinux-policy-38.1.14-1.el9.noarch How reproducible: always Actual results: AVC denied Expected results: No AVC denied for defined operations Additional info: beaker job: https://beaker.engineering.redhat.com/jobs/7968106