Bug 801085
Field | Value
---|---
Summary | Unable to unmount an exported path which is a symlink using NFSv4
Product | Red Hat Enterprise Linux 6
Component | nfs-utils
Version | 6.2
Status | CLOSED ERRATA
Severity | high
Priority | medium
Reporter | Dave Wysochanski <dwysocha>
Assignee | Steve Dickson <steved>
QA Contact | yanfu,wang <yanwang>
CC | ddumas, dwalsh, mgrepl, mishu, yanwang
Target Milestone | rc
Hardware | All
OS | Linux
Whiteboard | Regression
Fixed In Version | nfs-utils-1.2.3-22.el6
Doc Type | Bug Fix
Last Closed | 2012-06-20 15:08:41 UTC

Description
Dave Wysochanski
2012-03-07 16:19:22 UTC
The avc snippet log:

type=AVC msg=audit(1336372101.713:216): avc: denied { getattr } for pid=7731 comm="rpc.mountd" path="/export/foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1336372101.713:216): arch=c000003e syscall=6 success=no exit=-13 a0=7fffbebc8c10 a1=7fffbebc8a10 a2=7fffbebc8a10 a3=ffffffffffffffa8 items=0 ppid=1 pid=7731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1336372101.714:217): avc: denied { read } for pid=7731 comm="rpc.mountd" name="foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1336372101.714:217): arch=c000003e syscall=4 success=no exit=-13 a0=7f4d4c727bd0 a1=7fffbebc8b80 a2=7fffbebc8b80 a3=4000 items=0 ppid=1 pid=7731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)

Created attachment 582536
/var/log/audit/audit.log for checking failed mount symbolic link exports
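
For triage, the AVC denials quoted in the log above can be grouped by source type, target type and object class, which makes it obvious that every denial is `nfsd_t` touching a `default_t` symlink. This is an added example, not part of the bug report or of nfs-utils; the function names are hypothetical and the sample input is the two AVC records from the report with the SYSCALL records left out.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the report, SYSCALL records omitted.
SAMPLE = '''\
type=AVC msg=audit(1336372101.713:216): avc: denied { getattr } for pid=7731 comm="rpc.mountd" path="/export/foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1336372101.714:217): avc: denied { read } for pid=7731 comm="rpc.mountd" name="foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
'''

# Permission set inside { ... }, then the key=value tail of the record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, class, command)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
            continue  # truncated record, nothing to classify
        key = (type_of(kv['scontext']), type_of(kv['tcontext']),
               kv['tclass'], kv.get('comm', '?'))
        groups[key]["perms"].update(m.group('perms').split())
        obj = kv.get('path') or kv.get('name')
        if obj:
            groups[key]["objects"].add(obj)
    return dict(groups)


def report(groups):
    """One human-readable line per group, sorted for stable output."""
    return [f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}"
            f" on {', '.join(sorted(g['objects']))}"
            for (src, tgt, cls, comm), g in sorted(groups.items())]


if __name__ == "__main__":
    print("\n".join(report(summarize_denials(SAMPLE))))
```
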

(I added Daniel Walsh to CC list)

hi Dan,
Could you help to look at comment #4 too? When I tested using NFSv3 and NFSv2, mount.nfs got access denied with symlink exports:
[root@sgi-xe320-01 ~]# mount -t nfs -o vers=3 localhost:/export/foosymlink/ /mnt
mount.nfs: access denied by server while mounting localhost:/export/foosymlink/

Mounting without symlink is ok:
[root@sgi-xe320-01 ~]# mount -t nfs -o vers=3 localhost:/export/ /mnt

Turning off SELinux is ok too:
[root@sgi-xe320-01 ~]# setenforce 0
[root@sgi-xe320-01 ~]# mount -t nfs localhost:/export/foosymlink/ /mnt; echo $?
0
[root@sgi-xe320-01 ~]# ls -lZ /export/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 foodir
lrwxrwxrwx. root root unconfined_u:object_r:default_t:s0 foosymlink -> /export/foodir

And the /var/log/audit/audit.log pls check above comments, thanks.

chcon -t usr_t -r /export

Should fix.

Miroslav, let's make the label of /export be usr_t.

(In reply to comment #8)
> chcon -t usr_t -r /export

hi Daniel,
What's role followed by '-r'? I run below and still got access denied:
# chcon -Rt usr_t /export/
# ls -lZ /export/
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 foodir
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0 foosymlink -> /export/foodir
# mount -t nfs -o vers=3 localhost:/export/soft/ /mnt
mount.nfs: access denied by server while mounting localhost:/export/soft/

> Should fix.
>
> Miroslav lets make the label of /export be usr_t.

Could I confirm the above meaning? Should the /export dir security context type be usr_t when I create the /export dir as an export path?
Last question, is it a selinux-policy component bug? If so, I will file a separate bug and stop discussing in this bug, thanks.

yanfu, yes -r just says recursive.

If the mount command failed again what AVC did you see?

I believe this is an SELinux bug in that we should have labels for /export directory.

(In reply to comment #10)
> yanfu, yes -r just says recursive.
>
> If the mount command failed again what AVC did you see?
>
> I believe this is an SELinux bug in that we should have labels for /export
> directory.

hi Daniel,
Thank you for confirming. I filed the SELinux bug https://bugzilla.redhat.com/show_bug.cgi?id=820057 to track it there.
Since it's not related to this bug, I will change the bug to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0964.html