User and Group on nfs-mounts don't show (only nobody). Disabling selinux helps.

```
type=AVC msg=audit(1682593788.415:45): avc: denied { name_bind } for pid=633 comm="rpcbind" src=61459 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1682593835.275:157): avc: denied { search } for pid=1191 comm="nfsidmap" name="sss" dev="sda1" ino=2490407 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682593835.275:158): avc: denied { read } for pid=1191 comm="nfsidmap" name="passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:159): avc: denied { open } for pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:160): avc: denied { getattr } for pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:161): avc: denied { map } for pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.277:162): avc: denied { write } for pid=1192 comm="nfsidmap" name="nss" dev="sda1" ino=2490577 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1682593835.277:163): avc: denied { connectto } for pid=1192 comm="nfsidmap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1682593844.040:186): avc: denied { search } for pid=1242 comm="nfsidmap" name="sss" dev="sda1" ino=2490407 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682593844.040:187): avc: denied { read } for pid=1242 comm="nfsidmap" name="passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593844.040:188): avc: denied { open } for pid=1242 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593844.040:189): avc: denied { getattr } for pid=1242 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593844.040:190): avc: denied { map } for pid=1242 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
```

Reproducible: Always

Steps to Reproduce:
1. Freshly install (or update from F37/36) Fedora 38
2. Configure sssd to use IPA-Server
3. Configure automount or mount directly

Actual Results:
User and group from sssd are not showing

Expected Results:
User and group from sssd are shown correctly.

Workaround:
```
module my-nfsidmap 1.0;

require {
	type nfsidmap_t;
	type systemd_userdbd_runtime_t;
	type sssd_var_lib_t;
	type sssd_public_t;
	type sssd_t;
	class dir { read search };
	class sock_file write;
	class file { getattr map open read };
	class unix_stream_socket connectto;
}

#============= nfsidmap_t ==============
allow nfsidmap_t sssd_public_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow nfsidmap_t sssd_public_t:file map;
allow nfsidmap_t sssd_t:unix_stream_socket connectto;
allow nfsidmap_t sssd_var_lib_t:sock_file write;
allow nfsidmap_t sssd_var_lib_t:dir search;
allow nfsidmap_t systemd_userdbd_runtime_t:dir read;
```
For additional information, with the above policy applied on F38, I still see:

```
type=AVC msg=audit(1683678798.554:1347): avc: denied { read } for pid=59235 comm="nfsidmap" name="io.systemd.DropIn" dev="tmpfs" ino=651 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
```

```
# ll -Z /run/systemd/userdb
total 0
lrwxrwxrwx. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0 42 May  8 16:58 io.systemd.DropIn -> /run/systemd/userdb/io.systemd.Multiplexer
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  8 16:58 io.systemd.DynamicUser
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  8 16:59 io.systemd.Home
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  9 19:07 io.systemd.Machine
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  8 16:58 io.systemd.Multiplexer
lrwxrwxrwx. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0 42 May  8 16:58 io.systemd.NameServiceSwitch -> /run/systemd/userdb/io.systemd.Multiplexer
```
The following is what's recommended (when things are in enforcing mode):

```
# ausearch -m avc -ts recent | audit2allow

#============= nfsidmap_t ==============
allow nfsidmap_t systemd_userdbd_runtime_t:lnk_file read;
allow nfsidmap_t systemd_userdbd_runtime_t:sock_file write;
```
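The workaround module in the report and the audit2allow output in the follow-up comments are both mechanical aggregations of the AVC records. The script below is an added example, not part of the bug report and not Fedora's or the SELinux userspace's own tooling: it does the same grouping audit2allow does, collecting permissions per (source type, target type, class), rendering a policy module in the shape of the workaround above (including the separate `map` rule with the `domain_can_mmap_files` note), and flagging records logged with `permissive=0`, which are the ones that actually blocked nfsidmap in enforcing mode rather than merely being logged in permissive mode. The sample records are the ones quoted in this report, embedded inline as constructed input; the module name `my-nfsidmap` and all function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records quoted in this bug report, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1682593788.415:45): avc: denied { name_bind } for pid=633 comm="rpcbind" src=61459 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1682593835.275:157): avc: denied { search } for pid=1191 comm="nfsidmap" name="sss" dev="sda1" ino=2490407 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682593835.275:158): avc: denied { read } for pid=1191 comm="nfsidmap" name="passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:159): avc: denied { open } for pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:160): avc: denied { getattr } for pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:161): avc: denied { map } for pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.277:162): avc: denied { write } for pid=1192 comm="nfsidmap" name="nss" dev="sda1" ino=2490577 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1682593835.277:163): avc: denied { connectto } for pid=1192 comm="nfsidmap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1683678798.554:1347): avc: denied { read } for pid=59235 comm="nfsidmap" name="io.systemd.DropIn" dev="tmpfs" ino=651 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
"""

# One AVC record: the permission set in braces, then scontext/tcontext/tclass,
# and the optional permissive flag that tells enforcing from permissive mode.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, class).

    Returns (rules, enforcing): rules maps each key to the union of denied
    permissions; enforcing lists (key, perms) for records with permissive=0,
    i.e. denials that really blocked the process.
    """
    rules = defaultdict(set)
    enforcing = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or truncated); skip rather than guess
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        perms = set(m["perms"].split())
        rules[key] |= perms
        if m["permissive"] == "0":
            enforcing.append((key, frozenset(perms)))
    return dict(rules), enforcing


def fmt_perms(perms):
    """Render a permission set in policy syntax: `read` or `{ a b c }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="my-nfsidmap", version="1.0"):
    """Render a .te policy module in the layout used by the workaround above."""
    types = set()
    class_perms = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        class_perms[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items(), key=lambda kv: kv[0]):
            if s != stype:
                continue
            # audit2allow prints `map` on files as its own rule with a hint that the
            # domain_can_mmap_files boolean covers it; mirror that split here.
            plain = perms - {"map"} if tclass == "file" else perms
            if plain:
                out.append(f"allow {s} {ttype}:{tclass} {fmt_perms(plain)};")
            if tclass == "file" and "map" in perms:
                out.append("#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'")
                out.append(f"allow {s} {ttype}:{tclass} map;")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules, enforcing = parse_avcs(SAMPLE_AVCS)
    for key, perms in enforcing:
        print(f"# blocked in enforcing mode: {key[0]} -> {key[1]}:{key[2]} {fmt_perms(perms)}")
    print(render_te(rules))
```

Save the rendered text as `my-nfsidmap.te`, then build and load it with the standard toolchain (`checkmodule -M -m -o my-nfsidmap.mod my-nfsidmap.te`, `semodule_package -o my-nfsidmap.pp -m my-nfsidmap.mod`, `semodule -i my-nfsidmap.pp`); the `map` rule can instead be covered by `setsebool -P domain_can_mmap_files on`, as the audit2allow hint says. Records with `permissive=1` list everything the policy would have denied, so a module built from a permissive run can look complete while a later enforcing run still blocks a path the permissive session never exercised, which is exactly what the `permissive=0` record against `io.systemd.DropIn` in the follow-up comment shows.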
*** This bug has been marked as a duplicate of bug 2180611 ***