Description of problem:
Seeing the following on one of our nfs servers:

Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2652): avc: denied { getattr } for pid=2510 comm="rpc.rquotad" name="mtab" dev=dm-0 ino=87007 scontext=system_u:system_r:rpcd_t tcontext=root:object_r:etc_runtime_t tclass=file
Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2653): avc: denied { search } for pid=2510 comm="rpc.rquotad" name="export" dev=dm-0 ino=96001 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir
Aug 22 16:28:17 alexandria kernel: audit(1124749697.683:2654): avc: denied { getattr } for pid=2510 comm="rpc.rquotad" name="/" dev=hda5 ino=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir

I don't implement quotas on this machine, so I'm not sure if quota functionality is affected, but I'm hesitant to upgrade my fc3 server that does until this is resolved.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-12

How reproducible:
every time

Steps to Reproduce:
1. run quota on a client while an nfs mount from the server is mounted.
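To triage denials like the ones above, it helps to reduce the raw audit lines to (source domain, target type, class) pairs and the permissions refused for each; that shows at a glance whether a process is running in the expected domain and which file types it is touching. The following is an added example, not part of the bug report; the parser is hypothetical and runs over the three denials quoted above as constructed sample input.

```python
import re

# Constructed sample: the three AVC denials quoted in the report above.
SAMPLE_LOG = """\
Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2652): avc: denied { getattr } for pid=2510 comm="rpc.rquotad" name="mtab" dev=dm-0 ino=87007 scontext=system_u:system_r:rpcd_t tcontext=root:object_r:etc_runtime_t tclass=file
Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2653): avc: denied { search } for pid=2510 comm="rpc.rquotad" name="export" dev=dm-0 ino=96001 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir
Aug 22 16:28:17 alexandria kernel: audit(1124749697.683:2654): avc: denied { getattr } for pid=2510 comm="rpc.rquotad" name="/" dev=hda5 ino=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir
"""

# Kernel format: "avc: denied { perm [perm ...] } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# Values are either double-quoted (name="/") or bare tokens (dev=dm-0).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy rules key on the type (index 2).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(log):
    """Aggregate denials into {(source type, target type, class): set of perms}."""
    summary = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            summary.setdefault(key, set()).update(rec["perms"])
    return summary


if __name__ == "__main__":
    # For the sample this prints rpcd_t against etc_runtime_t (file) and user_home_t (dir),
    # i.e. the daemon is confined as rpcd_t and the denied paths are /etc/mtab and a home dir.
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```

The same summary over a real /var/log/messages or audit.log tells you whether the fix is a relabel (the domain is wrong, as turned out to be the case here) or a policy allow rule (the domain is right but the access is legitimately needed).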
How is rpc.rquotad labeled on your system? It is sbin_t on mine, which means it would run as initrc_t. It probably needs a domain for itself to be properly protected.
Dan
Ah, looks like it wasn't labeled properly:

# fixfiles -R quota relabel
/sbin/restorecon reset /usr/sbin/rpc.rquotad context system_u:object_r:rpcd_exec_t->system_u:object_r:sbin_t

Restarted nfs and now I don't see the denied messages. Looks like it didn't get relabeled properly after the upgrade from FC3->FC4?