Bug 599036
Summary: | SELinux is preventing /usr/sbin/rpc.svcgssd "unlink" access on nfs_0. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jeff Layton <jlayton> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 13 | CC: | dwalsh, mgrepl, steved |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:18aac159d226d546ad455ecc22f1ed138e907cb3daf8b1ca4d24b641a3a94326 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-06-02 17:27:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jeff Layton
2010-06-02 14:57:38 UTC
Looks like it's preventing rpc.svcgssd from unlinking /var/tmp/nfs_0 Jeff do you know what process created nfs_0? No, I'm not sure. Here's the stat output in case it helps: [jlayton@tlielax ~]$ stat -Z /var/tmp/nfs_0 File: `/var/tmp/nfs_0' Size: 6 Blocks: 8 IO Block: 4096 regular file Device: fd00h/64768d Inode: 2397967 Links: 1 Device type: 0,0 Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) S_Context: unconfined_u:object_r:tmp_t:s0 Access: 2010-05-26 18:10:50.044771307 -0400 Modify: 2010-03-02 06:34:42.000000000 -0500 Change: 2010-05-26 19:56:24.551863862 -0400 Jeff if you remove this file by hand and then connect again, what is the label on the file. ls -lZ /var/tmp/nfs_0 If it is created by rpc.svcgssd Removing the file allowed it to start and it did recreate the file: $ stat -Z /var/tmp/nfs_0 File: `/var/tmp/nfs_0' Size: 6 Blocks: 8 IO Block: 4096 regular file Device: fd00h/64768d Inode: 2397967 Links: 1 Device type: 0,0 Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) S_Context: unconfined_u:object_r:gssd_tmp_t:s0 Access: 2010-06-02 12:30:38.856400789 -0400 Modify: 2010-06-02 12:30:39.081451151 -0400 Change: 2010-06-02 12:30:39.081451151 -0400 ...hmm -- I did run restorecon -R on the root filesystem of this box not too long ago so that's may be the root cause here. It does seem like the policy should deal with that possibility though. The file got created with the expected context this time. gssd_tmp_t, rather then tmp_t. Which was unexpected. I have no idea how it could have been created with that context unless the kernel or a process on an without transition rules in a permissive machine. Anyways reopen if it happens again. Sounds good. The current policy seems to be correct AFAICT: $ sudo restorecon /var/tmp/nfs_0 $ ls -Z /var/tmp/nfs_0 -rw-------. root root unconfined_u:object_r:gssd_tmp_t:s0 /var/tmp/nfs_0 Which is correct. Maybe I got bitten by a busted policy at some point. Weird. |