Description of problem:
Added an NFS share to expose a folder under /tmp. It works well, but stat -f fails on the mount:

stat: cannot read file system information for '/mnt/nfs': Input/output error

and an AVC is logged.

Version-Release number of selected component (if applicable):
selinux-policy-38.9-1.fc39.noarch

How reproducible:
all the time

Steps to Reproduce:
1. define an nfs export
/tmp/todel 127.0.0.1(rw,all_squash,anonuid=12345,anongid=12346,sec=sys)
2. mount it
mount 127.0.0.1:/tmp/todel /mnt/nfs -t nfs -o nfsvers=3 -o sec=sys
3. access it with stat -f:
$ stat -f /mnt/nfs
stat: cannot read file system information for '/mnt/nfs': Input/output error

also from podman
$ podman run -v /mnt/nfs:/nas --rm -ti registry.fedoraproject.org/fedora:37 bash
Error: statfs /mnt/nfs: input/output error

Actual results:
# ausearch -m AVC -ts recent | audit2why
type=AVC msg=audit(1680632459.060:1061): avc: denied { getattr } for pid=1635 comm="nfsd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

Expected results:
should work I think

Additional info:
# sesearch -A -s kernel_t -c filesystem
allow domain proc_t:filesystem getattr;
allow domain security_t:filesystem getattr;
allow domain sysfs_t:filesystem getattr;
allow kernel_t filesystem_type:filesystem { mount unmount };
allow kernel_t fs_t:filesystem getattr;
allow kernel_t noxattrfs:filesystem getattr; [ nfs_export_all_ro ]:True
allow kernel_t noxattrfs:filesystem getattr; [ nfs_export_all_rw ]:True

# seinfo -t tmpfs_t -x
Types: 1
   type tmpfs_t alias ramfs_t, file_type, filesystem_type, mountpoint, non_auth_file_type, non_security_file_type, polyparent;

# seinfo -t fs_t -x
Types: 1
   type fs_t alias { cephfs_t vxfs_t inotifyfs_t }, filesystem_type;

I don't understand why it fails for a tmpfs_t folder, but works for a non-tmpfs_t folder.
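
The tmpfs_t versus fs_t difference can be checked mechanically from the output quoted in the report. The sketch below is an added example, not part of the report or of selinux-policy: it parses the AVC record and the sesearch rules, expands attributes from the seinfo output, and separates rules that cover the denied access from rules on the same source, target and class that lack the permission. Membership of kernel_t in the domain attribute is an assumption; the function names are hypothetical.

```python
import re

# Inputs copied from the report: the AVC record and the sesearch output.
AVC = ('type=AVC msg=audit(1680632459.060:1061): avc: denied { getattr } for pid=1635 '
       'comm="nfsd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:kernel_t:s0 '
       'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0')
SESEARCH = """\
allow domain proc_t:filesystem getattr;
allow domain security_t:filesystem getattr;
allow domain sysfs_t:filesystem getattr;
allow kernel_t filesystem_type:filesystem { mount unmount };
allow kernel_t fs_t:filesystem getattr;
allow kernel_t noxattrfs:filesystem getattr; [ nfs_export_all_ro ]:True
allow kernel_t noxattrfs:filesystem getattr; [ nfs_export_all_rw ]:True
"""
# Type -> attributes. tmpfs_t and fs_t come from the seinfo output in the report;
# kernel_t being in "domain" is an assumption (not shown in the report).
ATTRS = {
    "tmpfs_t": {"file_type", "filesystem_type", "mountpoint", "non_auth_file_type",
                "non_security_file_type", "polyparent"},
    "fs_t": {"filesystem_type"},
    "kernel_t": {"domain"},
}
RULE = re.compile(r"allow (\S+) (\S+):(\S+) (?:\{([^}]*)\}|(\S+));(?: \[ (\S+) \]:\w+)?")

def parse_avc(line):
    """Return (source type, target type, class, denied permissions)."""
    perms = set(re.search(r"\{([^}]*)\}", line).group(1).split())
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return kv["scontext"].split(":")[2], kv["tcontext"].split(":")[2], kv["tclass"], perms

def names(type_):
    """A rule matches a type by its own name or by any attribute it carries."""
    return {type_} | ATTRS.get(type_, set())

def explain(avc, rules_text):
    """Split rules on the same source/target/class into covering and near-miss."""
    src, tgt, cls, perms = parse_avc(avc)
    covering, near_miss = [], []
    for s, t, c, multi, single, boolean in RULE.findall(rules_text):
        if s in names(src) and t in names(tgt) and c == cls:
            granted = set((multi or single).split())
            bucket = covering if perms <= granted else near_miss
            bucket.append((s, t, sorted(granted), boolean or None))
    return covering, near_miss

if __name__ == "__main__":
    print("tmpfs_t:", explain(AVC, SESEARCH))
    print("fs_t:   ", explain(AVC.replace("tmpfs_t", "fs_t"), SESEARCH))
```

For the reported denial no listed rule covers getattr on tmpfs_t: the only rule reaching it goes through filesystem_type and grants mount and unmount, and the seinfo output does not list noxattrfs among tmpfs_t's attributes, so the two boolean-gated rules do not apply.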
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.