Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
I'm using a third-party GUI to manage services on a RHEL5 box. When I create NFS shares using this GUI I get a Setroubleshoot alert, which I'm pasting below.

Summary
SELinux is preventing the nfs daemon from allow remote clients to read local files.

Detailed Description
SELinux has preventing the nfs daemon (nfsd) from read files on the local system. If you have not exported any file systems, this could signals an intrusion.

Allowing Access
If you want to export file systems using nfs you need to turn on the nfs_export_all_ro boolean: "setsebool -P nfs_export_all_ro=1".

The following command will allow this access:
setsebool -P nfs_export_all_ro=1

Additional Information
Source Context: system_u:system_r:nfsd_t
Target Context: system_u:system_r:unconfined_t
Target Objects: socket:[27319] [ unix_stream_socket ]
Affected RPM Packages: nfs-utils-1.0.9-16.el5 [application]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.nfs_export_all_ro
Host Name: Rhel5.test.com
Platform: Linux Rhel5.test.com 2.6.18-8.el5xen #1 SMP Fri Jan 26 14:29:35 EST 2007 x86_64 x86_64
Alert Count: 3
Line Numbers:

Raw Audit Messages
avc: denied { read, write } for comm="rpc.mountd" dev=sockfs egid=0 euid=0 exe="/usr/sbin/rpc.mountd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[27320]" path="socket:[27319]" pid=9202 scontext=system_u:system_r:nfsd_t:s0 sgid=0 subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=unix_stream_socket tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0

Expected results:

Additional info:
As per the alert info, when I execute setsebool -P nfs_export_all_ro=1 I still get the same alert. Please also note that I don't have any problem reading the NFS share from client systems, however.
This is happening because the tool that is running the nfs rpc.mountd is resetting stdin/stdout to a unix_stream_socket. The daemon is not allowed to talk to this by SELinux. The kernel closes the open descriptor and replaces it with /dev/null, then runs the app. You can add custom policy to make this go away by executing:

# grep rpc.mountd /var/log/audit/audit.log | audit2allow -M mynfsd
# semodule -i mynfsd.pp
Hi, thanks for the quick response. I tried the command grep rpc.mountd /var/log/audit/audit.log | audit2allow -M mynfsd semodule -i mynfsd.pp but I believe some parameter is missing in this, as it is not getting executed.
Those should be on two separate lines.

# grep rpc.mountd /var/log/audit/audit.log | audit2allow -M mynfsd
# semodule -i mynfsd.pp
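As an added illustration (not part of the bug report and not Red Hat's code): a small POSIX shell script that does by hand what the two commands above do, turning AVC lines for one program into policy module source so the resulting allow rule can be read before semodule loads it. The sample AVC line is constructed from the fields in the report's raw audit message (the timestamp and serial are invented); the function names avc_for_comm, avc_to_te and build_module are this example's own; checkmodule, semodule_package and semodule are the real tools that audit2allow -M drives. For the denial in this report the output is a single rule, allow nfsd_t unconfined_t:unix_stream_socket { read write }, which is what the denial asked for and nothing more. audit2allow will just as readily turn any denial into an allow, so the point of going through a .te file is to review it before installing it.

```shell
#!/bin/sh
# Added example (not from the bug report): build a reviewable SELinux policy
# module source (.te) from AVC denials, roughly what "audit2allow -M" emits.

# Constructed sample in audit.log line format, using the contexts, class and
# permissions from the report's raw audit message (timestamp/serial invented).
SAMPLE_AVC='type=AVC msg=audit(1172500000.123:456): avc:  denied  { read write } for  pid=9202 comm="rpc.mountd" path="socket:[27319]" dev=sockfs scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket'

# avc_for_comm PROGRAM : like "grep rpc.mountd audit.log", but keyed on the
# comm= field so lines that merely mention the name elsewhere are skipped.
avc_for_comm() {
  grep "avc: *denied .* comm=\"$1\""
}

# avc_to_te MODULE : reads AVC lines on stdin, prints a .te module on stdout.
# Denials for the same (source type, target type, class) are merged into one
# allow rule; duplicate permissions are dropped.
avc_to_te() {
  awk -v mod="$1" '
  /avc: *denied/ {
    if (!match($0, /[{][^}]*[}]/)) next
    perms = substr($0, RSTART + 1, RLENGTH - 2)
    gsub(/,/, " ", perms)               # also accept the "{ read, write }" form
    st = ""; tt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if (split($i, kv, "=") < 2) continue
      if (kv[1] == "scontext")      { split(kv[2], c, ":"); st = c[3] }
      else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
      else if (kv[1] == "tclass")   cls = kv[2]
    }
    if (st == "" || tt == "" || cls == "") next
    key = st SUBSEP tt SUBSEP cls
    if (!(key in rule)) { order[++nrules] = key; rule[key] = "" }
    np = split(perms, p, " ")
    for (j = 1; j <= np; j++) {
      if (p[j] == "") continue
      if (!((key, p[j]) in rseen)) { rseen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
      if (!((cls, p[j]) in cseen)) { cseen[cls, p[j]] = 1; clsperm[cls] = clsperm[cls] " " p[j] }
    }
    types[st] = 1; types[tt] = 1
    if (!(cls in classes)) { corder[++ncls] = cls; classes[cls] = 1 }
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (t in types) printf "\ttype %s;\n", t
    for (i = 1; i <= ncls; i++) printf "\tclass %s {%s };\n", corder[i], clsperm[corder[i]]
    printf "}\n\n"
    for (i = 1; i <= nrules; i++) {
      split(order[i], k, SUBSEP)
      printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rule[order[i]]
    }
  }'
}

# build_module MODULE : compile MODULE.te to MODULE.pp and load it. Needs root
# and the checkpolicy/policycoreutils tools; run this only after reading the .te.
build_module() {
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}

# On a real box:
#   avc_for_comm rpc.mountd < /var/log/audit/audit.log | avc_to_te mynfsd > mynfsd.te
#   build_module mynfsd
# Here, against the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | avc_for_comm rpc.mountd | avc_to_te mynfsd
```

The module only silences this denial; the cause Dan describes, a management tool handing rpc.mountd a unix stream socket as stdin/stdout, is equally fixed by not doing that, and the .te makes it visible which domain and object the added permission actually covers.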