Bug 1371332 - SELinux is preventing nfs-server-gene from 'read' accesses on the file export_features.
Summary: SELinux is preventing nfs-server-gene from 'read' accesses on the file export...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
low
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:b27fda12340feeed03e4763eae9...
Duplicates: 1372394
Reported: 2016-08-29 23:46 UTC by David Highley
Modified: 2017-10-26 13:49 UTC
Last Closed: 2016-11-10 03:29:53 UTC


Description David Highley 2016-08-29 23:46:19 UTC
Description of problem:
Happened during a dnf update.
SELinux is preventing nfs-server-gene from 'read' accesses on the file export_features.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nfs-server-gene should be allowed read access on the export_features file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nfs-server-gene' --raw | audit2allow -M my-nfsservergene
# semodule -X 300 -i my-nfsservergene.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:nfsd_fs_t:s0
Target Objects                export_features [ file ]
Source                        nfs-server-gene
Source Path                   nfs-server-gene
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.13.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.7-300.fc24.x86_64 #1 SMP Wed
                              Aug 17 18:48:43 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-08-29 16:35:00 PDT
Last Seen                     2016-08-29 16:35:11 PDT
Local ID                      fbe7f255-528d-4cc6-bde9-9274a8aa1b7f

Raw Audit Messages
type=AVC msg=audit(1472513711.388:4041): avc:  denied  { read } for  pid=14495 comm="nfs-server-gene" name="export_features" dev="nfsd" ino=3 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0


Hash: nfs-server-gene,init_t,nfsd_fs_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-191.13.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Comment 1 Nivag 2016-08-30 03:06:28 UTC
Description of problem:
dnf just upgraded nfs-utils.x86_64 1:1.3.4-1.rc2.fc24


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Comment 2 Lukas Vrabec 2016-08-30 11:20:59 UTC
Which rpm package does nfs-server-gene come from?

Thanks.

Comment 3 David Highley 2016-08-30 11:34:38 UTC
rpm -qa --filesbypkg | grep nfs-server-gene
nfs-utils                 /usr/lib/systemd/system-generators/nfs-server-generator

rpm -q nfs-utils
nfs-utils-1.3.4-1.rc2.fc24.x86_64

Looks like information is getting truncated in the AVC.
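
Added example, not part of the original thread: a Python sketch that parses the raw AVC record from the description, rebuilds the tuple shown on the report's "Hash:" line, and maps the truncated comm value back to candidate files as the rpm query above does. The function names and the second file-list row are constructed for illustration; the 15-character limit assumes the kernel's TASK_COMM_LEN of 16 bytes including the terminating NUL.

```python
import re

# Raw AVC record as quoted in the bug description.
AVC = ('type=AVC msg=audit(1472513711.388:4041): avc:  denied  { read } for  '
       'pid=14495 comm="nfs-server-gene" name="export_features" dev="nfsd" '
       'ino=3 scontext=system_u:system_r:init_t:s0 '
       'tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0')

# First row is the rpm output from Comment 3; the second row is constructed.
FILES_BY_PKG = """\
nfs-utils                 /usr/lib/systemd/system-generators/nfs-server-generator
example-pkg               /usr/bin/nfs-server
"""

COMM_MAX = 15  # assumption: TASK_COMM_LEN is 16 bytes including the NUL


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        rec[key] = quoted or bare
    return rec


def type_of(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(':')[2]


def hash_key(rec):
    """Rebuild the tuple on the 'Hash:' line: comm, types, class, permissions."""
    return ','.join([rec['comm'], type_of(rec['scontext']),
                     type_of(rec['tcontext']), rec['tclass'], *rec['perms']])


def candidates(comm, files_by_pkg):
    """List (package, path) pairs whose basename truncates to comm."""
    out = []
    for row in files_by_pkg.splitlines():
        parts = row.split(None, 1)
        if len(parts) == 2:
            path = parts[1].strip()
            if path.rsplit('/', 1)[-1][:COMM_MAX] == comm:
                out.append((parts[0], path))
    return out


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(hash_key(rec), candidates(rec['comm'], FILES_BY_PKG))
```

A comm value that is exactly 15 characters long may be a truncated name, so more than one installed file can match it; the source and target types in the record are what identify the policy rule involved.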

Comment 4 jniederm 2016-09-01 11:29:09 UTC
Description of problem:
sudo dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-191.13.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Comment 5 Rubén Lledó 2016-09-01 17:58:44 UTC
Description of problem:
I don't know.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Comment 6 jniederm 2016-09-12 15:34:39 UTC
Description of problem:
$ sudo dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Comment 7 Brian J. Murrell 2016-09-14 01:45:53 UTC
Description of problem:
Was upgrading packages

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport

Comment 8 kartochka22 2016-09-14 10:46:08 UTC
Description of problem:
SELinux alert after yum update --refresh, most probably during last check phase (or clearing, not sure)

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 9 Terry A. Hurlbut 2016-09-14 19:46:25 UTC
Description of problem:
I ran a system update, and the denial came up. This has been happening with every update for at least a week.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 10 Jeremy Harris 2016-09-14 20:22:52 UTC
Description of problem:
running "dnf update"

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 11 Lukas Vrabec 2016-09-15 12:22:17 UTC
Please test: 

# chcon -t nfsd_exec_t /usr/lib/systemd/system-generators/nfs-server-generator

and then try to reproduce the issue. 

Thanks.

Comment 12 Lukas Vrabec 2016-09-15 12:22:50 UTC
*** Bug 1372394 has been marked as a duplicate of this bug. ***

Comment 13 Terry A. Hurlbut 2016-09-16 22:54:20 UTC
Description of problem:
I ran the daily update, and got this alert somewhere in the process.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.3-200.fc24.x86_64
type:           libreport

Comment 14 Jorge Gallegos 2016-09-20 14:28:57 UTC
Description of problem:
Easiest to reproduce: install vagrant, edit config.vm.synced_folder to any synced folder, vagrant up.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.3-200.fc24.x86_64
type:           libreport

Comment 15 jniederm 2016-09-27 15:24:29 UTC
Description of problem:
sudo dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.4-200.fc24.x86_64
type:           libreport

Comment 16 Jorge Gallegos 2016-09-27 19:15:26 UTC
FWIW I believe my earlier assessment was wrong, it has nothing to do with vagrant, I just happened to be working on vagrant at the same time dnf was running. A later dnf update showed the same selinux warning.

Comment 17 Jeff Gehlbach 2016-10-08 15:04:30 UTC
I too initially suspected this denial was caused by use of Vagrant, for whatever it's worth. But it does seem to pop up whenever I dnf update.

Comment 18 jniederm 2016-10-17 13:51:51 UTC
Description of problem:
sudo dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-191.18.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.6-200.fc24.x86_64
type:           libreport

Comment 19 Richard J. Turner 2016-10-20 10:02:59 UTC
Description of problem:
Tried to mount an NFS share to a Vagrant box.

Version-Release number of selected component:
selinux-policy-3.13.1-191.18.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.7-200.fc24.x86_64
type:           libreport

Comment 20 Jeff Needle 2016-10-21 12:39:11 UTC
Description of problem:
Every f24 update triggers this

Version-Release number of selected component:
selinux-policy-3.13.1-191.18.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.7-200.fc24.x86_64
type:           libreport

Comment 21 Fedora Update System 2016-11-04 12:11:44 UTC
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 22 Fedora Update System 2016-11-05 03:36:25 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 23 Fedora Update System 2016-11-10 03:29:53 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
