Description of problem: Running FreeIPA (4.9.10) on my network connecting to an NFS 4.2 share on Rocky Linux v8.7 using Kerberos (krb5i/krb5p) encryption. The share is mounted using autofs When accessing permissions for files and folders, they appear to either belong to root or nobody. /etc/exports on file server: /NAS_Shares *(ro,sec=sys:krb5i:krb5p,fsid=0) /NAS_Shares/Storage *(rw,sec=krb5i:krb5p) /etc/auto.misc on local Fedora 38 machine: Storage -fstype=nfs4,vers=4.2,sec=krb5i (removed):/Storage Logs are filled with the following when trying to access a share: Apr 30 13:37:25 (removed) audit[40130]: AVC avc: denied { search } for pid=40130 comm="nfsidmap" name="sss" dev="dm-0" ino=2101864 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0 Apr 30 13:37:25 (removed) audit[40130]: AVC avc: denied { read } for pid=40130 comm="nfsidmap" name="userdb" dev="tmpfs" ino=36 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0 SELinux is preventing nfsidmap from 'search' accesses on the directory /var/lib/sss. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that nfsidmap should be allowed search access on the sss directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'nfsidmap' --raw | audit2allow -M my-nfsidmap # semodule -X 300 -i my-nfsidmap.pp Additional Information: Source Context system_u:system_r:nfsidmap_t:s0 Target Context system_u:object_r:sssd_var_lib_t:s0 Target Objects /var/lib/sss [ dir ] Source nfsidmap Source Path nfsidmap Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages sssd-common-2.8.2-4.fc38.x86_64 SELinux Policy RPM selinux-policy-targeted-38.10-1.fc38.noarch Local Policy RPM selinux-policy-targeted-38.10-1.fc38.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.2.11-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 13 20:27:09 UTC 2023 x86_64 Alert Count 240 First Seen 2023-04-18 18:45:08 MDT Last Seen 2023-04-29 17:48:52 MDT Local ID 97b36a76-af73-4d16-b197-9418f3b57f73 Raw Audit Messages type=AVC msg=audit(1682812132.584:560): avc: denied { search } for pid=17509 comm="nfsidmap" name="sss" dev="dm-0" ino=2101864 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0 Hash: nfsidmap,nfsidmap_t,sssd_var_lib_t,dir,search Version-Release number of selected component: selinux-policy-targeted-38.10-1.fc38.noarch Additional info: reporter: libreport-2.17.9 reason: SELinux is preventing nfsidmap from 'search' accesses on the directory /var/lib/sss and 'read' access on userdb package: selinux-policy-targeted-38.10-1.fc38.noarch kernel: 6.2.11-300.fc38.x86_64 hashmarkername: setroubleshoot type: libreport component: selinux-policy component: selinux-policy
Created attachment 1961291 [details] File: os_info
Created attachment 1961292 [details] File: description
*** This bug has been marked as a duplicate of bug 2180611 ***