Bug 206056 - SELinux fails NFSv4 mounts
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-09-11 15:03 EDT by Steve Dickson
Modified: 2007-11-30 17:07 EST
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-11-28 16:23:47 EST

Description Steve Dickson 2006-09-11 15:03:21 EDT
Description of problem:
mount -t nfs4 causes the following error:

nfsopen: open(/var/lib/nfs/rpc_pipefs/nfs/clnt3/idmap): Permission denied



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Eric Paris 2006-09-11 15:55:30 EDT
I assume this is after the change in kernel to set it as S_IFIFO rather than
S_IFSOCK

In the future with selinux problems can you include any denials in either
/var/log/messages or /var/log/audit/audit.log ?

I suspect we just need to include

allow rpcd_t rpc_pipefs_t:fifo_file { read write };

in policy.  In BZ 204848 I have attached an selinux policy module which includes
that denial.  We may also need to go back through rpcidmapd policy and see if
the old policy for allowing sockets is still needed since things like
/var/lib/nfs/rpc_pipefs/nfs/clnt3/idmap are no longer sockets...   I don't know
Comment 2 Daniel Walsh 2006-09-11 16:24:22 EDT
Fixed in selinux-policy-2.3.13-3
Comment 4 Jeff Needle 2006-09-20 11:50:32 EDT
We don't have a RHEL5 beta2 yet.  Setting version to rhel5-beta1.
