Bug 801085

Summary: Unable to unmount an exported path which is a symlink using NFSv4
Product: Red Hat Enterprise Linux 6
Reporter: Dave Wysochanski <dwysocha>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: yanfu,wang <yanwang>
Severity: high
Priority: medium
Version: 6.2
CC: ddumas, dwalsh, mgrepl, mishu, yanwang
Target Milestone: rc
Hardware: All
OS: Linux
Whiteboard: Regression
Fixed In Version: nfs-utils-1.2.3-22.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 15:08:41 UTC
Attachments: /var/log/audit/audit.log for checking failed mount symbolic link exports

Description Dave Wysochanski 2012-03-07 16:19:22 UTC
Description of problem:
This is a regression - unable to umount an exported path which is a symlink.

Full description is in published article and below in reproduction steps:
https://access.redhat.com/knowledge/solutions/72203

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-15.el6.x86_64

Downgrading to nfs-utils-1.2.3-7.el6.x86_64 resolves the issue.

How reproducible:
Every time.

Steps to Reproduce:
NFS Server

    # mkdir /export
    # mkdir /export/foodir
    # ln -s /export/foodir /export/foosymlink
    # echo '/export *(ro)' > /etc/exports
    # cat /etc/exports
    /export         *(ro)

NFS Client

    # mount -t nfs4 -v rhel6-nfs-server:/export/foosymlink/ /mnt/nfs         
    mount.nfs4: timeout set for Thu Feb 23 16:28:51 2012
    mount.nfs4: trying text-based options 'addr=192.168.122.121,clientaddr=192.168.122.120'
    rhel6-nfs-server:/export/foosymlink on /mnt/nfs type nfs4 (rw)

    # fgrep /export /etc/mtab /proc/mounts    
    /etc/mtab:rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4         rw,addr=192.168.122.121,clientaddr=192.168.122.120 0 0
    /proc/mounts:rhel6-nfs-server:/export/foodir /mnt/nfs nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.120,minorversion=0,local_lock=none,addr=192.168.122.121 0 0

    # umount -v /mnt/nfs                   
    /mnt/nfs was not found in /proc/mounts
    /mnt/nfs was not found in /proc/mounts
    # 
    # fgrep /export /etc/mtab /proc/mounts    
    /etc/mtab:rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4         rw,addr=192.168.122.121,clientaddr=192.168.122.120 0 0
    /proc/mounts:rhel6-nfs-server:/export/foodir /mnt/nfs nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.120,minorversion=0,local_lock=none,addr=192.168.122.121 0 0

    # umount.nfs /mnt/nfs/ -v     <===== This is the only way that works 
    Could not find /mnt/nfs/ in mtab
    /mnt/nfs/ umounted
    # fgrep /export /etc/mtab /proc/mounts    
    /etc/mtab:rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4 rw,addr=192.168.122.121,clientaddr=192.168.122.120 0 0 <==== mount is gone, but still in /etc/mtab
    # df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root
                          6.5G  5.5G  642M  90% /
    tmpfs                 246M     0  246M   0% /dev/shm
    /dev/vda1             485M  110M  351M  24% /boot
    rhel6-nfs-server:/export/foosymlink
                          6.5G  5.5G  642M  90% /mnt/nfs <==== after unmounting, it's still there.
  
Actual results:
umount fails to unmount the volume

Expected results:
umount succeeding

Additional info:
I've narrowed the problem to nfs-utils somewhere between -7 and -12.  Confirmed downgrade to -7 fixes the problem.  Kernel doesn't have anything to do with it - strictly an nfs-utils bug.

This should be fairly straightforward to track down.

* Mon Sep 19 2011 Steve Dickson <steved> 1.2.3-12
- Removed the stripping of debugging information from rpcdebug (bz 729001)

* Fri Sep 16 2011 Steve Dickson <steved> 1.2.3-11
- mount.nfs: Fixed problem in mount error verbosity patch (bz 731693)

* Thu Sep 15 2011 Steve Dickson <steved> 1.2.3-10
- mount.nfs: add error verbosity to invalid versions (bz 731693)

* Tue Sep 13 2011 Steve Dickson <steved> 1.2.3-9
- umount.nfs: Got IPV6 unmounts working again (bz 732673)
- mountd: return multiple hosts exporting the same directory (bz 726112)
- mount: Better error message for invalid version (bz 723780)

* Thu Aug 11 2011 Steve Dickson <steved> 1.2.3-8
- initscripts: just try to mount rpc_pipefs always (bz 692702)
- Rely on crypto module autoloading in init scripts
- svcgssd: Document "-n" for svcgssd (bz 697359)
- mount.nfs: anticipate RLIMIT_FSIZE (bz 697981)
- exportfs manpage: Ipv6 update (bz 715078)
- mountd: Stop segfault in mtab code (bz 723438)
- exportfs: wilcards in exports can lead to unintended mounts (bz 715391)
- umount: allow spaces in unmount paths (bz 702273)
- specfile: reordered how libgssglue is linked in (bz 720479)
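
The reproduction above shows /etc/mtab recording the symlink path while /proc/mounts records the resolved directory for the same mount point. The following is an added example, not code from the bug report or from nfs-utils, that flags this kind of disagreement; the function names and result labels are hypothetical, and the sample lines are constructed from the report's fgrep output with the mount options shortened.

```python
# Added example: find NFS mounts whose /etc/mtab entry disagrees with /proc/mounts.

# Constructed from the report's fgrep output (mount options shortened).
MTAB = "rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4 rw,addr=192.168.122.121 0 0\n"
PROC = "rhel6-nfs-server:/export/foodir /mnt/nfs nfs4 rw,relatime,vers=4 0 0\n"


def parse_mounts(text):
    """Map mount point -> (source, fstype) for mtab / proc-mounts style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        source, mountpoint, fstype = fields[:3]
        table[mountpoint] = (source, fstype)  # a later line shadows an earlier one
    return table


def nfs_mismatches(mtab_text, proc_text):
    """Return (mountpoint, mtab_source, kernel_source, kind) for each disagreement.

    kind is "source-differs" when both files list the mount point under
    different sources, and "stale-mtab" when only mtab still lists it.
    """
    kernel = parse_mounts(proc_text)
    findings = []
    for mountpoint, (source, fstype) in sorted(parse_mounts(mtab_text).items()):
        if not fstype.startswith("nfs"):
            continue
        if mountpoint not in kernel:
            findings.append((mountpoint, source, None, "stale-mtab"))
        elif kernel[mountpoint][0].rstrip("/") != source.rstrip("/"):
            findings.append((mountpoint, source, kernel[mountpoint][0], "source-differs"))
    return findings


if __name__ == "__main__":
    # State after mount: both files list /mnt/nfs, under different sources.
    print(nfs_mismatches(MTAB, PROC))
    # State after umount.nfs: the kernel entry is gone, mtab still has it.
    print(nfs_mismatches(MTAB, ""))
```

On a live client the two inputs would be the contents of /etc/mtab and /proc/mounts.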

Comment 5 yanfu,wang 2012-05-07 06:31:22 UTC
The avc snippet log:
type=AVC msg=audit(1336372101.713:216): avc:  denied  { getattr } for  pid=7731 comm="rpc.mountd" path="/export/foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1336372101.713:216): arch=c000003e syscall=6 success=no exit=-13 a0=7fffbebc8c10 a1=7fffbebc8a10 a2=7fffbebc8a10 a3=ffffffffffffffa8 items=0 ppid=1 pid=7731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1336372101.714:217): avc:  denied  { read } for  pid=7731 comm="rpc.mountd" name="foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1336372101.714:217): arch=c000003e syscall=4 success=no exit=-13 a0=7f4d4c727bd0 a1=7fffbebc8b80 a2=7fffbebc8b80 a3=4000 items=0 ppid=1 pid=7731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
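
The AVC records above can be reduced to one line per (process, source type, target type, object class), which makes the default_t label on the symlink stand out. This is an added example, not part of the original comment or of any SELinux tool; the function names are hypothetical, and the sample holds the two AVC lines from this comment plus a shortened SYSCALL line.

```python
# Added example: group SELinux AVC denials from audit.log lines.
import re
from collections import defaultdict

# The two AVC records from the comment above, plus a shortened SYSCALL record.
SAMPLE = [
    'type=AVC msg=audit(1336372101.713:216): avc:  denied  { getattr } for  pid=7731 comm="rpc.mountd" path="/export/foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1336372101.713:216): arch=c000003e syscall=6 success=no exit=-13 comm="rpc.mountd"',
    'type=AVC msg=audit(1336372101.714:217): avc:  denied  { read } for  pid=7731 comm="rpc.mountd" name="foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["serial"] = int(m.group("serial"))
    return fields


def summarize_denials(lines):
    """Map (comm, source type, target type, class) -> sorted denied permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other record types carry no avc fields
        source_type = rec["scontext"].split(":")[2]  # user:role:type:level
        target_type = rec["tcontext"].split(":")[2]
        groups[(rec["comm"], source_type, target_type, rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    for key, perms in summarize_denials(SAMPLE).items():
        print(key, perms)
```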

Comment 6 yanfu,wang 2012-05-07 06:34:08 UTC
Created attachment 582536 [details]
/var/log/audit/audit.log for checking failed mount symbolic link exports

Comment 7 yanfu,wang 2012-05-07 06:44:59 UTC
(I added Daniel Walsh to CC list) 
hi Dan,
Could you help to look at comment #4 too?
When I tested using NFSv3 and NFSv2, mount.nfs got access denied with symlink exports:
[root@sgi-xe320-01 ~]# mount -t nfs -o vers=3 localhost:/export/foosymlink/ /mnt
mount.nfs: access denied by server while mounting localhost:/export/foosymlink/

Mounting without symlink is ok:
[root@sgi-xe320-01 ~]# mount -t nfs -o vers=3 localhost:/export/ /mnt

Turning off SELinux is ok too:
[root@sgi-xe320-01 ~]# setenforce 0
[root@sgi-xe320-01 ~]# mount -t nfs localhost:/export/foosymlink/ /mnt; echo $?
0

[root@sgi-xe320-01 ~]# ls -lZ /export/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 foodir
lrwxrwxrwx. root root unconfined_u:object_r:default_t:s0 foosymlink -> /export/foodir

For the /var/log/audit/audit.log, please check the above comments, thanks.

Comment 8 Daniel Walsh 2012-05-07 14:12:14 UTC
chcon -t usr_t -r /export

Should fix.

Miroslav, let's make the label of /export be usr_t.

Comment 9 yanfu,wang 2012-05-08 08:25:21 UTC
(In reply to comment #8)
> chcon -t usr_t -r /export
hi Daniel,
What's role followed by '-r'?
I ran the commands below and still got access denied:
# chcon -Rt usr_t /export/
# ls -lZ /export/
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   foodir
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0   foosymlink -> /export/foodir
# mount -t nfs -o vers=3 localhost:/export/soft/ /mnt
mount.nfs: access denied by server while mounting localhost:/export/soft/

> 
> Should fix.
> 
> Miroslav, let's make the label of /export be usr_t.
Could I confirm the above meaning?
Should the /export dir security context type be usr_t when I create the /export dir as an export path?

Last question, is it a selinux-policy component bug? If so, I will file a separate bug and stop discussing it in this bug, thanks.

Comment 10 Daniel Walsh 2012-05-08 15:21:44 UTC
yanfu, yes -r just says recursive.  


If the mount command failed again what AVC did you see?

I believe this is an SELinux bug in that we should have labels for /export directory.

Comment 11 yanfu,wang 2012-05-09 03:11:32 UTC
(In reply to comment #10)
> yanfu, yes -r just says recursive.  
> 
> 
> If the mount command failed again what AVC did you see?
> 
> I believe this is an SELinux bug in that we should have labels for /export
> directory.

hi Daniel,
Thank you for your confirmation.
I filed the SELinux bug https://bugzilla.redhat.com/show_bug.cgi?id=820057 to track it there. Since it's not related to this bug, I will change the bug to VERIFIED.

Comment 12 errata-xmlrpc 2012-06-20 15:08:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0964.html