Bug 1516593 - avc: denied { write } for comm="rpc.nfsd" name="nlm_grace_period" dev="proc" ino=54559 when setting lockd.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-23 03:11 UTC by Yongcheng Yang
Modified: 2018-10-30 10:01 UTC (History)
CC List: 7 users

Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:01:27 UTC
Target Upstream Version:

Links
System: Red Hat Product Errata
ID: RHBA-2018:3111
Priority: None
Status: None
Summary: None
Last Updated: 2018-10-30 10:01:53 UTC

Description Yongcheng Yang 2017-11-23 03:11:37 UTC
Description of problem:
If both "NFSD_V4_GRACE" (in /etc/sysconfig/nfs) and
"nlm_grace_period" (in /etc/modprobe.d/lockd.conf) are set and
nfs.service is then started, there is always an "avc denied" warning:

type=AVC msg=audit(1511423930.038:405): avc:  denied  { write } for  pid=4631 comm="rpc.nfsd" name="nlm_grace_period" dev="proc" ino=54559 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-175.el7

How reproducible:
100% easy

Steps to Reproduce:
1. Uncomment "NFSD_V4_GRACE" of /etc/sysconfig/nfs
2. Uncomment "nlm_grace_period" of /etc/modprobe.d/lockd.conf
3. systemctl restart nfs
4. cat /var/log/audit/audit.log | grep denied

Actual results:
[root@test_machine~]# vi /etc/sysconfig/nfs
[root@test_machine~]# cat /etc/sysconfig/nfs
NFSD_V4_GRACE=90
[root@test_machine~]# 
[root@test_machine~]# vi /etc/modprobe.d/lockd.conf
[root@test_machine~]# cat /etc/modprobe.d/lockd.conf
options lockd nlm_grace_period=90
[root@test_machine~]# 
[root@test_machine~]# > /var/log/audit/audit.log
[root@test_machine~]# systemctl restart nfs
[root@test_machine~]# cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1511424159.311:1395): avc:  denied  { write } for  pid=25248 comm="rpc.nfsd" name="nlm_grace_period" dev="proc" ino=120089 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[root@test_machine~]# 
[root@test_machine~]# rpm -q selinux-policy
selinux-policy-3.13.1-175.el7.noarch
[root@test_machine~]# 

Expected results:
No "avc denied"

Additional info:
As this issue also exists in rhel-7.4, it's not a regression.

Comment 1 Milos Malik 2017-11-23 07:55:07 UTC
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(11/23/2017 02:52:35.706:391) : proctitle=/usr/sbin/rpc.nfsd -G 90 8 
type=PATH msg=audit(11/23/2017 02:52:35.706:391) : item=0 name=/proc/sys/fs/nfs/nlm_grace_period inode=36122 dev=00:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(11/23/2017 02:52:35.706:391) : cwd=/var/lib/nfs 
type=SYSCALL msg=audit(11/23/2017 02:52:35.706:391) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x562214c496b0 a1=O_WRONLY a2=0x0 a3=0x8 items=1 ppid=1 pid=15695 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null) 
type=AVC msg=audit(11/23/2017 02:52:35.706:391) : avc:  denied  { write } for  pid=15695 comm=rpc.nfsd name=nlm_grace_period dev="proc" ino=36122 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0 
----

The same SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(11/23/2017 02:53:24.306:413) : proctitle=/usr/sbin/rpc.nfsd -G 90 8 
type=PATH msg=audit(11/23/2017 02:53:24.306:413) : item=0 name=/proc/sys/fs/nfs/nlm_grace_period inode=36122 dev=00:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(11/23/2017 02:53:24.306:413) : cwd=/var/lib/nfs 
type=SYSCALL msg=audit(11/23/2017 02:53:24.306:413) : arch=x86_64 syscall=open success=yes exit=3 a0=0x55df6fc886b0 a1=O_WRONLY a2=0x0 a3=0x8 items=1 ppid=1 pid=15744 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null) 
type=AVC msg=audit(11/23/2017 02:53:24.306:413) : avc:  denied  { write } for  pid=15744 comm=rpc.nfsd name=nlm_grace_period dev="proc" ino=36122 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 
----

Comment 2 Milos Malik 2017-11-23 08:00:22 UTC
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-175.el7.noarch
selinux-policy-3.13.1-175.el7.noarch
# sesearch -s nfsd_t -t sysctl_fs_t -c file -A -C -D
Found 1 semantic av rules:
ET allow nfsd_t non_security_file_type : file { ioctl read getattr lock open } ; [ nfs_export_all_ro ]

#

The write permission is neither allowed nor dontaudit-ed.
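As an added example (not code from the bug report, from Red Hat, or from the selinux-policy project), the following POSIX shell script turns the triage done in the description and in comment 2 into two repeatable checks: one parses audit records (raw audit.log lines as well as "ausearch -i" output) and reports whether the nfsd_t-to-sysctl_fs_t write denial is present, the other parses "sesearch -A -C" output and reports whether an effective allow rule grants a given permission. The sample records and sesearch output are constructed copies of what is quoted above, plus one unrelated denial so the filter has something to reject; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: two checks an administrator can use
# to confirm whether this denial (nfsd_t writing a sysctl_fs_t file) is present
# and whether the loaded policy grants the permission. Sample data is constructed
# here so the script runs offline.

# Constructed sample audit records. Line 1 is the raw audit.log record from the
# description, line 2 is the "ausearch -i" rendering from comment 1 (different
# timestamp format, unquoted comm, explicit permissive flag), line 3 is an
# unrelated denial to show that the signature check discriminates.
SAMPLE_AUDIT='type=AVC msg=audit(1511423930.038:405): avc:  denied  { write } for  pid=4631 comm="rpc.nfsd" name="nlm_grace_period" dev="proc" ino=54559 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
type=AVC msg=audit(11/23/2017 02:53:24.306:413) : avc:  denied  { write } for  pid=15744 comm=rpc.nfsd name=nlm_grace_period dev="proc" ino=36122 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1511424000.000:414): avc:  denied  { read } for  pid=4700 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Constructed sesearch output, copied from comment 2: the only rule from nfsd_t
# to a file type covering sysctl_fs_t, and it does not include write.
SAMPLE_SESEARCH='Found 1 semantic av rules:
ET allow nfsd_t non_security_file_type : file { ioctl read getattr lock open } ; [ nfs_export_all_ro ]'

# avc_summarize: read audit records on stdin, print one line per AVC denial:
#   <perms,comma-separated> <source type> <target type> <tclass> <enforcing|permissive>
# Keys on key=value tokens rather than field positions, so it handles both raw
# audit.log lines and "ausearch -i" output.
avc_summarize() {
  awk '
    /^type=AVC / && / denied / {
      perms = ""; src = ""; tgt = ""; cls = ""; mode = "enforcing"
      # the permission set sits between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) {
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") src = kv[2]
        else if (kv[1] == "tcontext") tgt = kv[2]
        else if (kv[1] == "tclass") cls = kv[2]
        else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
      }
      # the third colon-separated field of a context is the SELinux type
      split(src, s, ":"); split(tgt, t, ":")
      printf "%s %s %s %s %s\n", perms, s[3], t[3], cls, mode
    }'
}

# matches_bug_signature: exit 0 if stdin contains the denial this bug describes
# (nfsd_t needing write on a sysctl_fs_t file), 1 otherwise.
matches_bug_signature() {
  avc_summarize | awk '
    $2 == "nfsd_t" && $3 == "sysctl_fs_t" && $4 == "file" &&
      index("," $1 ",", ",write,") > 0 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# sesearch_grants PERM: read "sesearch -A [-C]" output on stdin and exit 0 if an
# effective allow rule grants PERM. With -C, conditional rules carry a two-letter
# prefix (E/D = enabled/disabled, T/F = true/false branch); only unconditional
# rules and currently enabled conditional rules count.
sesearch_grants() {
  awk -v want="$1" '
    /^allow / || /^E[TF] allow / {
      perms = ""
      if (match($0, /\{ [^}]* \}/)) {
        perms = substr($0, RSTART + 2, RLENGTH - 4)
      } else {
        # single-permission rules are printed without braces: "... : file write ;"
        for (i = 1; i <= NF; i++) if ($i == ":") perms = $(i + 2)
      }
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) if (p[i] == want) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summarize
if printf '%s\n' "$SAMPLE_AUDIT" | matches_bug_signature; then
  echo "bug 1516593 signature present in audit records"
fi
if printf '%s\n' "$SAMPLE_SESEARCH" | sesearch_grants write; then
  echo "policy grants nfsd_t write on the target type"
else
  echo "policy does not grant write (matches comment 2)"
fi
```

On a live system, feed `ausearch -m AVC -ts recent` or /var/log/audit/audit.log into avc_summarize, and `sesearch -s nfsd_t -t sysctl_fs_t -c file -A -C` into `sesearch_grants write`; after updating to the fixed selinux-policy build, the second check is the quick way to confirm the permission is now granted rather than waiting for the next nfs.service restart to either log or not log the denial.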

Comment 9 errata-xmlrpc 2018-10-30 10:01:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

