Bug 442916

Summary: SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/oprofile (oprofilefs_t).
Product: [Fedora] Fedora
Reporter: Petr Machata <pmachata>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
CC: dwalsh, jonstanley, mnewsome
Hardware: i386   
OS: Linux   
Fixed In Version: F8
Doc Type: Bug Fix
Last Closed: 2008-11-26 12:37:38 EST

Description Petr Machata 2008-04-17 11:39:14 EDT
Description of problem:

I'm copying files from one NFS system to another.  The target one is actually
located on my machine, but I guess that shouldn't matter.  Every once in a while
(like for example every ten minutes or so), I get the following AVC denial:

  SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/oprofile
(oprofilefs_t). 

Raw audit messages:
host=hridell.englab.brq.redhat.com type=AVC msg=audit(1208445955.446:8165): avc:
denied { getattr } for pid=10637 comm="rpc.mountd" path="/dev/oprofile"
dev=oprofilefs ino=21370657 scontext=unconfined_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:oprofilefs_t:s0 tclass=dir
host=hridell.englab.brq.redhat.com type=SYSCALL msg=audit(1208445955.446:8165):
arch=40000003 syscall=195 success=no exit=-13 a0=bfbfbfd4 a1=bfbfbeb0 a2=294ff4
a3=3 items=0 ppid=1 pid=10637 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"
subj=unconfined_u:system_r:nfsd_t:s0 key=(null) 

The context of /dev/oprofile is system_u:object_r:oprofilefs_t, which looks OK
to me.  In any case I don't know if rpc.mountd is even supposed to touch
/dev/oprofile.  Isn't this a bug?

I've found another bug similar to this one, #247157, which was resolved by
fixing the policy.  I'm not sure this is relevant in this case, oprofilefs_t
seems "right" to me.

Version-Release number of selected component (if applicable):
nfs-utils-1.1.0-6.fc8

sestatus gives me this:
# /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Steps to Reproduce:
1. Turn selinux into enforcing mode
2. Create NFS share
3. Copy globs of data to that share
  
Actual results:
AVC denial

Expected results:
No AVC denial

Comment 1 Daniel Walsh 2008-04-17 14:04:29 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-2.6.4-101.fc9.noarch

Comment 2 Bug Zapper 2008-11-26 05:30:15 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Jon Stanley 2008-11-26 12:37:38 EST
As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report.

If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against.

Thanks for the report!