Bug 206056 - SELinux fails NFSv4 mounts
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All Linux
medium
medium
Assignee: Daniel Walsh
Reported: 2006-09-11 19:03 UTC by Steve Dickson
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-11-28 21:23:47 UTC

Description Steve Dickson 2006-09-11 19:03:21 UTC
Description of problem:
mount -t nfs4 causes the following error:

nfsopen: open(/var/lib/nfs/rpc_pipefs/nfs/clnt3/idmap): Permission denied




Comment 1 Eric Paris 2006-09-11 19:55:30 UTC
I assume this is after the change in kernel to set it as S_IFIFO rather than
S_IFSOCK

In the future with selinux problems can you include any denials in either
/var/log/messages or /var/log/audit/audit.log ?

I suspect we just need to include

allow rpcd_t rpc_pipefs_t:fifo_file { read write };

in policy.  In BZ 204848 I have attached an selinux policy module which includes
that denial.  We may also need to go back through rpcidmapd policy and see if
the old policy for allowing sockets is still needed since things like
/var/lib/nfs/rpc_pipefs/nfs/clnt3/idmap are no longer sockets...   I don't know

Comment 2 Daniel Walsh 2006-09-11 20:24:22 UTC
Fixed in selinux-policy-2.3.13-3

Comment 4 Jeff Needle 2006-09-20 15:50:32 UTC
We don't have a RHEL5 beta2 yet.  Setting version to rhel5-beta1.

