Red Hat Bugzilla – Bug 162349
Policy prevents NFS exporting CDs
Last modified: 2007-11-30 17:11:09 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4
Description of problem:
When the targeted policy is loaded, the NFS daemon is denied access to iso9660_t, preventing it exporting mounted CDs or CD images. There also doesn't seem to be a way of disabling SELinux protection for NFS, whereas there is a way for all the other daemons.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Mount a CD.
2. Configure NFS to export the directory where the CD is mounted.
3. Enable targeted policy.
4. Mount the directory exported at (2) above from another machine.
Actual Results: AVC message in the audit log.
Expected Results: The directory should have been mounted.
Fixed in selinux-policy-targeted-1.24-3
I've just updated to selinux-policy-targeted-1.24-3 and retested this. I
haven't yet tried to export a mounted physical CD, but exporting mounted CD
images still doesn't work. I managed to get this working by adding
allow nfsd_t iso9660_t:dir getattr;
to my local policy. Hope this helps, let me know if you need more information
about my setup.
What are the current settings of your booleans?
getsebool -a | grep nfs
The NFS booleans are:
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nfsd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
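The workaround in the thread is a single `allow` rule derived from an AVC denial. As an added example (not part of the bug report and not Red Hat's tooling), the sketch below shows a simplified version of what `audit2allow` does: it reads AVC records, keeps only denials, and groups the denied permissions into candidate rules. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1120000000.101:41): avc:  denied  { getattr } for  pid=2345 comm="nfsd" name="/" dev=loop0 ino=1792 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:iso9660_t tclass=dir
type=AVC msg=audit(1120000000.102:42): avc:  denied  { search } for  pid=2345 comm="nfsd" name="/" dev=loop0 ino=1792 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:iso9660_t tclass=dir
type=AVC msg=audit(1120000000.103:43): avc:  granted  { read } for  pid=2345 comm="nfsd" scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1120000000.103:43): arch=40000003 syscall=5 success=yes
type=AVC msg=audit(1120000000.104:44): avc:  denied  { getattr } for  pid=2345 comm="nfsd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
"""

# Matches denials only; "granted" records and non-AVC records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(ctx):
    """Return the type field of a context: user:role:type[:level]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]

def denied_access(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        denied[key].update(m["perms"].split())
    return dict(denied)

def candidate_rules(log_text):
    """Render each denied tuple as an allow rule for a human to review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied_access(log_text).items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Each emitted rule widens what the confined daemon may do, so the output is a list to review against the intended export behaviour before anything is added to local policy.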