Bug 585014

Summary: incorrect hint for fixing NFS denials
Product: [Fedora] Fedora
Reporter: Milos Jakubicek <xjakub>
Component: setroubleshoot-plugins
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, jdennis, mgrepl
Hardware: All
OS: Linux
Fixed In Version: setroubleshoot-plugins-2.1.50-1.fc12
Doc Type: Bug Fix
Last Closed: 2010-05-03 16:10:46 UTC

Description Milos Jakubicek 2010-04-22 22:12:33 UTC
Description of problem:

On my server I correctly get the following AVC by default:

-------------------------------------------------------------
Summary:

SELinux prevented run.cgi from reading files stored on a NFS filesystem.

Detailed Description:

SELinux prevented run.cgi from reading files stored on an NFS filesystem. NFS
(Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems. run.cgi attempted to read one or more files or directories from a
mounted filesystem of this type. As NFS filesystems do not support fine-grained
SELinux labeling, all files and directories in the filesystem will have the same
security context. If you have not configured run.cgi to read files from an NFS
filesystem, this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                 [ dir ]
Source                        run.cgi
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     cup2.sketchengine.co.uk
Platform                      Linux cup2.sketchengine.co.uk
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   25
First Seen                    Thu Apr 22 18:37:27 2010
Last Seen                     Thu Apr 22 23:55:38 2010
Local ID                      e4e7837d-2d47-411b-b738-fe8cc156a49c
Line Numbers                  10330, 10331, 10332, 10333, 10336, 10337, 10338,
                              10345, 10346, 10347, 10348, 10355, 10356, 10357,
                              10358, 10361, 10362, 10363, 10364, 10369, 10370,
                              10371, 10372, 10464, 10465, 10466, 10467, 10472,
                              10473, 10474, 10475, 10490, 10491, 10492, 10493,
                              10660, 10661, 10662, 10663, 18939, 18940, 18941,
                              18942, 18943, 18944, 18949, 18950, 18951, 18952,
                              18953, 18954

Raw Audit Messages            

type=AVC msg=audit(1271973338.973:42706): avc:  denied  { search } for  pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1271973338.973:42706): arch=c000003e syscall=2 success=no exit=-13 a0=d04f58 a1=0 a2=1b6 a3=0 items=0 ppid=16555 pid=16768 auid=500 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=9 comm="run.cgi" exe="/usr/bin/python" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

----------------------------------------------------

The problem is that it advises using use_nfs_home_dirs=1, but the correct solution is to enable httpd_use_nfs=1.

Version-Release number of selected component (if applicable):

selinux-policy-3.6.32-108.fc12.noarch
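
As an added illustration (not code from the bug report, nor setroubleshoot's own plugin logic): the following POSIX shell script pulls the source and target SELinux types out of the raw AVC line quoted above and maps that pair to the boolean that actually governs the access, which is the decision the plugin got wrong here. The mapping table inside recommend_boolean is a hand-written assumption covering only the httpd-versus-user-domain cases this report is about; the boolean names it emits (httpd_use_nfs, httpd_use_cifs, use_nfs_home_dirs, use_samba_home_dirs) are real booleans of the Fedora targeted policy, and the sample input is the denial pasted in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from setroubleshoot.
# Pull the source/target SELinux types out of a raw AVC line and map the
# pair to the boolean that governs that access. The table in
# recommend_boolean is a hand-written assumption covering only the
# httpd-vs-user-domain cases this report is about.

# Sample input: the AVC line quoted in the report above.
SAMPLE_AVC='type=AVC msg=audit(1271973338.973:42706): avc:  denied  { search } for  pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of "KEY=value" in LINE, or nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: the type field of user:role:type[:range].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recommend_boolean SRC_TYPE TGT_TYPE: boolean name for the pair, or "none".
# use_nfs_home_dirs only covers user login domains; web scripts run in
# httpd_sys_script_t, which the httpd_use_nfs tunable covers instead.
recommend_boolean() {
    case "$1:$2" in
        httpd_t:nfs_t|httpd_sys_script_t:nfs_t)   echo httpd_use_nfs ;;
        httpd_t:cifs_t|httpd_sys_script_t:cifs_t) echo httpd_use_cifs ;;
        user_t:nfs_t|staff_t:nfs_t)               echo use_nfs_home_dirs ;;
        user_t:cifs_t|staff_t:cifs_t)             echo use_samba_home_dirs ;;
        *)                                        echo none ;;
    esac
}

# recommend_from_avc LINE: boolean for the denial recorded in LINE.
recommend_from_avc() {
    recommend_boolean \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# fix_command LINE: the persistent setsebool command, or a pointer to
# audit2allow when no boolean covers the pair.
fix_command() {
    rb=$(recommend_from_avc "$1")
    if [ "$rb" = none ]; then
        echo "no boolean covers this pair; build a local module with audit2allow"
    else
        echo "setsebool -P $rb=1"
    fi
}

# Stand-alone run: show what the report's denial maps to.
printf 'source type : %s\n' "$(context_type "$(avc_field "$SAMPLE_AVC" scontext)")"
printf 'target type : %s\n' "$(context_type "$(avc_field "$SAMPLE_AVC" tcontext)")"
printf 'fix command : %s\n' "$(fix_command "$SAMPLE_AVC")"
```

On a real host the authoritative check is audit2why fed with the raw audit messages, which names the boolean that would have allowed the access, and getsebool httpd_use_nfs before and after the setsebool -P confirms the change took. One caveat the alert text itself points at: because every file on the mount carries the single nfs_t label, httpd_use_nfs opens every NFS mount on the host to all httpd domains. If only one export needs to be readable by the web server, mounting that export with -o context=system_u:object_r:httpd_sys_content_t:s0 gives it a label httpd can already read and leaves the boolean off.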

Comment 1 Fedora Update System 2010-04-26 19:45:35 UTC
setroubleshoot-plugins-2.1.50-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12

Comment 2 Fedora Update System 2010-04-28 01:16:00 UTC
setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update setroubleshoot-plugins'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12

Comment 3 Fedora Update System 2010-05-03 16:10:42 UTC
setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.