Bug 437663

Summary: Dbus isn't allowed to look at NFS-mounted home directories
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Göran Uddeborg <goeran>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2008-11-10 13:40:05 UTC

Description Göran Uddeborg 2008-03-15 22:25:51 UTC
Description of problem:
With home directories mounted via NFS, I get these errors:

Mar 15 23:01:59 freddi kernel: audit(1205618519.328:7): avc:  denied  { search }
for  pid=2500 comm="dbus-daemon" name="" dev=0:15 ino=5963786
scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=dir

I get these errors although I do have the boolean to allow NFS home directories set:

freddi$ getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

freddi$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.0.8-93.fc8
selinux-policy-targeted-3.0.8-93.fc8

Comment 1 Daniel Walsh 2008-03-17 13:13:51 UTC
Any idea why the systembus would be looking in your home directories? 

You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Will be dontaudited in selinux-policy-3.0.8-94.fc8

Comment 2 Göran Uddeborg 2008-03-17 14:57:32 UTC
In order to answer your question, I have investigated this a bit further.  It
turns out the systembus isn't actually looking in the home directories, it's
looking at /usr/local.  Which I also have NFS mounted on this host.  So while
nothing I wrote in comment 0 is incorrect, it is misleading.

I still don't know why the systembus looks at /usr/local, but it seems to be a
reasonable thing for it to do.  So maybe it makes more sense for me to allow
this locally, rather than for the default policy to hide it.  I guess
NFS-mounted /usr/local isn't something that is expected by the default policy.

Sorry for the noise.
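
The AVC record in comment 0 names only dev=0:15 and an inode, which is why the denial was first attributed to the home directories. The following is an added example, not part of the original report or of any Fedora tooling: it maps the record's dev= value to a mount point. It assumes dev= is the kernel major:minor number as listed in /proc/self/mountinfo; the mount table is constructed, with /usr/local placed on 0:15 to match the conclusion of comment 2.

```python
import re

# AVC record from comment 0, rejoined onto one line.
AVC = ('audit(1205618519.328:7): avc:  denied  { search } for  pid=2500 '
       'comm="dbus-daemon" name="" dev=0:15 ino=5963786 '
       'scontext=system_u:system_r:system_dbusd_t:s0 '
       'tcontext=system_u:object_r:nfs_t:s0 tclass=dir')

# Constructed sample in /proc/self/mountinfo format (not taken from the report).
MOUNTINFO = """\
17 1 8:2 / / rw,relatime - ext3 /dev/sda2 rw
31 17 0:15 / /usr/local rw,relatime - nfs server.example:/export/local rw
32 17 0:16 / /home rw,relatime - nfs server.example:/export/home rw
"""

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = m.group(1).split()
    return fields

def mounts_by_dev(mountinfo):
    """Map 'major:minor' to (mount point, fs type) for each mountinfo line."""
    table = {}
    for line in mountinfo.splitlines():
        # Fields before " - ": id, parent, major:minor, root, mount point, ...
        left, _, right = line.partition(" - ")
        parts = left.split()
        if len(parts) >= 5 and right:
            table[parts[2]] = (parts[4], right.split()[0])
    return table

def locate(avc_line, mountinfo):
    """Name the mount that the denied inode lives on, or None if unknown."""
    avc = parse_avc(avc_line)
    hit = mounts_by_dev(mountinfo).get(avc["dev"])
    return {"comm": avc["comm"], "perms": avc["perms"], "ino": int(avc["ino"]),
            "mount": hit[0] if hit else None, "fstype": hit[1] if hit else None}

if __name__ == "__main__":
    print(locate(AVC, MOUNTINFO))
    # On a live host: locate(AVC, open("/proc/self/mountinfo").read())
```

Once the mount is known, `find /usr/local -xdev -inum 5963786` resolves the inode to a path on that filesystem.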