Description of problem:
ganesha's current targeted policy was originally taken from rhel which was written for ganesha running as part of downstream RHGS (gluster). Now we are seeing more people running ganesha's FSAL_VFS using local disk as backing store instead of Gluster and are seeing AVC denials during its start-up when it scans all the local file systems. This is a necessary step that is required to implement NFSv4's Pseudo feature.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
ganesha's current selinux policy files can be found at https://github.com/nfs-ganesha/nfs-ganesha/tree/next/src/selinux

audit2allow output:

$ cat /tmp/audit2allow.out

#============= ganesha_t ==============
allow ganesha_t apm_bios_t:chr_file getattr;
allow ganesha_t autofs_device_t:chr_file getattr;
allow ganesha_t bpf_t:dir getattr;
allow ganesha_t bpf_t:filesystem getattr;
allow ganesha_t cgroup_t:dir getattr;
allow ganesha_t cgroup_t:filesystem getattr;
allow ganesha_t clock_device_t:chr_file getattr;
allow ganesha_t configfs_t:dir getattr;
allow ganesha_t configfs_t:filesystem getattr;
allow ganesha_t cpu_device_t:chr_file getattr;
allow ganesha_t debugfs_t:filesystem getattr;
allow ganesha_t device_t:chr_file getattr;
allow ganesha_t device_t:filesystem getattr;
allow ganesha_t devpts_t:filesystem getattr;
allow ganesha_t dri_device_t:chr_file getattr;
allow ganesha_t event_device_t:chr_file getattr;
allow ganesha_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow ganesha_t fixed_disk_device_t:chr_file getattr;
allow ganesha_t framebuf_device_t:chr_file getattr;
allow ganesha_t fs_t:filesystem getattr;
allow ganesha_t hugetlbfs_t:dir { getattr open read };
allow ganesha_t hugetlbfs_t:filesystem getattr;
allow ganesha_t initctl_t:fifo_file getattr;
#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
allow ganesha_t kmsg_device_t:chr_file getattr;
allow ganesha_t kvm_device_t:chr_file getattr;
allow ganesha_t lvm_control_t:chr_file getattr;
allow ganesha_t memory_device_t:chr_file getattr;
allow ganesha_t mouse_device_t:chr_file getattr;
allow ganesha_t netcontrol_device_t:chr_file getattr;
allow ganesha_t nvram_device_t:chr_file getattr;
allow ganesha_t proc_kcore_t:file getattr;
allow ganesha_t proc_t:filesystem getattr;
allow ganesha_t pstore_t:dir getattr;
allow ganesha_t pstore_t:filesystem getattr;
allow ganesha_t ptmx_t:chr_file getattr;
allow ganesha_t removable_device_t:blk_file getattr;
allow ganesha_t rpc_pipefs_t:dir getattr;
allow ganesha_t rpc_pipefs_t:filesystem getattr;
allow ganesha_t scsi_generic_device_t:chr_file getattr;
allow ganesha_t sound_device_t:chr_file getattr;
allow ganesha_t sysfs_t:dir read;
allow ganesha_t sysfs_t:file { getattr open read };
allow ganesha_t sysfs_t:filesystem getattr;
allow ganesha_t sysfs_t:lnk_file read;
allow ganesha_t tmpfs_t:dir read;
allow ganesha_t tmpfs_t:filesystem getattr;
allow ganesha_t usb_device_t:chr_file getattr;
allow ganesha_t usbmon_device_t:chr_file getattr;
allow ganesha_t virtio_device_t:chr_file getattr;
allow ganesha_t watchdog_device_t:chr_file getattr;
allow ganesha_t xserver_misc_device_t:chr_file getattr;

#============= init_t ==============
allow init_t ganesha_var_log_t:dir setattr;
allow init_t var_lib_nfs_t:dir create;

#============= rpcbind_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow rpcbind_t unreserved_port_t:udp_socket name_bind;
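Added triage helper (not code from the nfs-ganesha project or from the reporter): it parses audit2allow output in the format of the listing above and separates the denials audit2allow says a boolean already covers, the plain getattr denials that a stat() of every mount during the pseudo-FS scan produces, and rules that would grant more than getattr (for example open/read on fixed_disk_device_t) and should be looked at before being written into the policy. The embedded listing is a constructed subset of the report's output.

```python
import re

# Constructed excerpt in audit2allow's output format (subset of the report).
AUDIT2ALLOW_OUT = """\
#============= ganesha_t ==============
allow ganesha_t cgroup_t:filesystem getattr;
allow ganesha_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow ganesha_t sysfs_t:file { getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
allow ganesha_t kmsg_device_t:chr_file getattr;
#============= rpcbind_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow rpcbind_t unreserved_port_t:udp_socket name_bind;
"""

# allow <source> <target>:<class> <perm>;  or  ... { <perm> <perm> ... };
RULE_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{ ([^}]*)\}|(\S+));$")
BOOL_RE = re.compile(r"boolean '([^']+)'")

def parse_audit2allow(text):
    """Return (source, target, class, perms, boolean-or-None) per allow rule."""
    rules, pending_bool = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#!!!!"):          # hint line precedes its rule
            m = BOOL_RE.search(line)
            pending_bool = m.group(1) if m else None
            continue
        if not line or line.startswith("#"):  # section headers, blanks
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised audit2allow line: " + line)
        src, tgt, tclass, multi, single = m.groups()
        perms = set(multi.split()) if multi else {single}
        rules.append((src, tgt, tclass, perms, pending_bool))
        pending_bool = None                   # a hint applies to one rule only
    return rules

def triage(rules):
    """Bucket rules: booleans to set, pure getattr rules, rules needing review."""
    out = {"booleans": set(), "getattr_only": [], "review": []}
    for src, tgt, tclass, perms, boolean in rules:
        if boolean:                           # prefer setsebool over a new rule
            out["booleans"].add(boolean)
        elif perms == {"getattr"}:            # what the mount scan needs
            out["getattr_only"].append((src, tgt, tclass))
        else:                                 # more than a stat(): check why
            out["review"].append((src, tgt, tclass, sorted(perms)))
    return out
```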
Created attachment 1650396
excerpt of audit.log
bugzilla hiccoughed and duped the bz

*** This bug has been marked as a duplicate of bug 1788541 ***