Description of problem:
Tried to mount NFSv4 share, sec=krb5

SELinux is preventing nfsidmap from 'read' accesses on the directory userdb.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that nfsidmap should be allowed read access on the userdb directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'nfsidmap' --raw | audit2allow -M my-nfsidmap
# semodule -X 300 -i my-nfsidmap.pp

Additional Information:
Source Context                system_u:system_r:nfsidmap_t:s0
Target Context                system_u:object_r:systemd_userdbd_runtime_t:s0
Target Objects                userdb [ dir ]
Source                        nfsidmap
Source Path                   nfsidmap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.8-2.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.8-2.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.7-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Mar 17 16:02:49 UTC 2023 x86_64
Alert Count                   21
First Seen                    2023-03-18 14:14:05 GMT
Last Seen                     2023-03-21 21:08:16 GMT
Local ID                      dbe72d20-8c09-44fc-b96a-8f4b4b845832

Raw Audit Messages
type=AVC msg=audit(1679432896.347:251): avc: denied { read } for pid=3812 comm="nfsidmap" name="userdb" dev="tmpfs" ino=43 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

Hash: nfsidmap,nfsidmap_t,systemd_userdbd_runtime_t,dir,read

Version-Release number of selected component:
selinux-policy-targeted-38.8-2.fc38.noarch

Additional info:
reporter:       libreport-2.17.8
reason:         SELinux is preventing nfsidmap from 'read' accesses on the directory userdb.
package:        selinux-policy-targeted-38.8-2.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.7-300.fc38.x86_64
comment:        Tried to mount NFSv4 share, sec=krb5
component:      selinux-policy
Created attachment 1952535 [details] File: description
Created attachment 1952536 [details] File: os_info
I just wanted to add some related AVCs that I see when attempting to access a home directory mounted over NFS4 with sec=krb5p. The user database is in LDAP and this is mediated via SSSD. In enforcing mode, the end result is that the user can log in, but the ownership of all files appears as "nobody:nobody". Note that these AVCs were collected after running setenforce 0. It appears that several SSSD operations would need to be allowed.

time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.749:202): avc: denied { search } for pid=1718 comm="nfsidmap" name="sss" dev="dm-1" ino=148 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
----
time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.749:203): avc: denied { read } for pid=1718 comm="nfsidmap" name="passwd" dev="dm-1" ino=190 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.749:204): avc: denied { open } for pid=1718 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=190 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.749:205): avc: denied { getattr } for pid=1718 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=190 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.749:206): avc: denied { map } for pid=1718 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=190 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.750:207): avc: denied { write } for pid=1719 comm="nfsidmap" name="nss" dev="dm-1" ino=8401893 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Mon May 1 21:33:14 2023
type=AVC msg=audit(1682994794.750:208): avc: denied { connectto } for pid=1719 comm="nfsidmap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
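As an added triage aid for the denials quoted in the description and in the comment above (this is not part of the report or of the selinux-policy project), the following Python parses AVC records in the shape shown here and merges them into the audit2allow-style allow rules a local module would carry, so the access being granted can be reviewed per source type, target type and class before a module like my-nfsidmap.pp is loaded. The sample records are reconstructed from the ones quoted on this page, and `only_enforced` keeps just the `permissive=0` records, the ones that actually blocked something.

```python
import re
from collections import defaultdict

# Constructed sample: records shaped like the ones in this report (permissive=0 from
# the original denial, permissive=1 from the later comment collected under setenforce 0).
SAMPLE_AVCS = """\
type=AVC msg=audit(1679432896.347:251): avc:  denied  { read } for  pid=3812 comm="nfsidmap" name="userdb" dev="tmpfs" ino=43 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1682994794.749:202): avc:  denied  { search } for  pid=1718 comm="nfsidmap" name="sss" dev="dm-1" ino=148 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682994794.749:203): avc:  denied  { read } for  pid=1718 comm="nfsidmap" name="passwd" dev="dm-1" ino=190 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682994794.749:204): avc:  denied  { open } for  pid=1718 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=190 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682994794.750:208): avc:  denied  { connectto } for  pid=1719 comm="nfsidmap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
"""

# Tolerates the single or double spacing the kernel/auditd emit around "denied".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\w+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, permissive) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is what an allow rule names.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perms = set(m.group('perms').split())
    return stype, ttype, m.group('tclass'), perms, m.group('permissive') == '1'


def allow_rules(text, only_enforced=False):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms, permissive = parsed
        if only_enforced and permissive:
            continue  # skip denials that were only logged under setenforce 0
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = ' '.join(sorted(perms))
        body = plist if len(perms) == 1 else '{ ' + plist + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules
```

Feed it the output of `ausearch -c 'nfsidmap' --raw` to see the same merged view audit2allow would turn into a module.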
*** Bug 2188783 has been marked as a duplicate of this bug. ***
*** Bug 2192241 has been marked as a duplicate of this bug. ***
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1673 Please try the scratchbuild Checks -> Artifacts -> rpms.zip to see if the update is sufficient.
*** Bug 2190385 has been marked as a duplicate of this bug. ***
*** Bug 2196911 has been marked as a duplicate of this bug. ***
*** Bug 2180608 has been marked as a duplicate of this bug. ***
(In reply to Zdenek Pytela from comment #6)
> I've submitted a Fedora PR to address the issue:
> https://github.com/fedora-selinux/selinux-policy/pull/1673
>
> Please try the scratchbuild
> Checks -> Artifacts -> rpms.zip
>
> to see if the update is sufficient.

This update fixes the issue for me. Thank you!
FEDORA-2023-a19eb5132c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a19eb5132c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.