Bug 166577 - avc denied messages for rpc.rquotad
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-08-23 11:13 EDT by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: FC4
Doc Type: Bug Fix
Last Closed: 2005-09-19 14:34:21 EDT
Description Orion Poplawski 2005-08-23 11:13:44 EDT
Description of problem:
Seeing the following on one of our nfs servers:

Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2652): avc:  denied  { getattr } for  pid=2510 comm="rpc.rquotad" name="mtab" dev=dm-0 ino=87007 scontext=system_u:system_r:rpcd_t tcontext=root:object_r:etc_runtime_t tclass=file
Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2653): avc:  denied  { search } for  pid=2510 comm="rpc.rquotad" name="export" dev=dm-0 ino=96001 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir
Aug 22 16:28:17 alexandria kernel: audit(1124749697.683:2654): avc:  denied  { getattr } for  pid=2510 comm="rpc.rquotad" name="/" dev=hda5 ino=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir

I don't implement quotas on this machine so I'm not sure if quota functionality
is affected, but I'm hesitant to upgrade my fc3 server that does until this is
resolved.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-12

How reproducible:
every time

Steps to Reproduce:
1. run quota on a client while an nfs mount from the server is mounted.
Comment 1 Daniel Walsh 2005-08-25 09:14:26 EDT
How is rpc.rquotad labeled on your system?  It is sbin_t on mine which means it
would run as initrc_t.  It probably needs a domain for itself to be properly
protected.

Dan
Comment 2 Orion Poplawski 2005-08-25 10:37:50 EDT
Ah, looks like it wasn't labeled properly:

# fixfiles -R quota relabel
/sbin/restorecon reset /usr/sbin/rpc.rquotad context system_u:object_r:rpcd_exec_t->system_u:object_r:sbin_t

Restarted nfs and now I don't see the denied messages.

Looks like it didn't get relabeled properly after the upgrade from FC3->FC4?
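
Added example, not part of the bug report or of the selinux-policy project: a parser that reduces the denials quoted in the description to the fields a policy triager reads (command, source domain type, target type, object class, permissions). The source type it reports, rpcd_t, is the domain that the labeling question in Comment 1 turns on. The names parse_avc and summarize are hypothetical; the sample lines are the three messages from the description with the line-wrapping undone.

```python
import re
from collections import defaultdict

# The three denials quoted in the bug description, line-wrapping undone.
SAMPLE_LOG = """\
Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2652): avc:  denied  { getattr } for  pid=2510 comm="rpc.rquotad" name="mtab" dev=dm-0 ino=87007 scontext=system_u:system_r:rpcd_t tcontext=root:object_r:etc_runtime_t tclass=file
Aug 22 16:28:17 alexandria kernel: audit(1124749697.682:2653): avc:  denied  { search } for  pid=2510 comm="rpc.rquotad" name="export" dev=dm-0 ino=96001 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir
Aug 22 16:28:17 alexandria kernel: audit(1124749697.683:2654): avc:  denied  { getattr } for  pid=2510 comm="rpc.rquotad" name="/" dev=hda5 ino=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:user_home_t tclass=dir
"""

# Header of a kernel AVC denial: audit(<epoch>:<serial>): avc: denied { perms } for <key=value ...>
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (may hold spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type[:level]; index 2 is the type either way.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (comm, source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec.get("comm", "?"), rec["stype"], rec["ttype"], rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (comm, stype, ttype, tclass), perms in summarize(SAMPLE_LOG).items():
        print(f"{comm}: {stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```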
