Bug 271041 - SELinux is preventing the nfs daemon from allow remote clients to read local files.
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware/OS: All / All
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Reported: 2007-08-31 08:36 EDT by manoj
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-08-31 08:48:33 EDT
Attachments: None
Description manoj 2007-08-31 08:36:26 EDT
Description of problem:

I'm using a third party GUI to manage services on a RHEL5 box. When I create NFS
shares using this GUI I get a setroubleshoot alert which I'm pasting below.

Summary
    SELinux is preventing the nfs daemon from allow remote clients to read local
    files.

Detailed Description
    SELinux has preventing the nfs daemon (nfsd) from read files on the local
    system. If you have not exported any file systems, this could signals an
    intrusion.

Allowing Access
    If you want to export file systems using nfs you need to turn on the
    nfs_export_all_ro boolean: "setsebool -P nfs_export_all_ro=1".

    The following command will allow this access:
    setsebool -P nfs_export_all_ro=1

Additional Information

Source Context                system_u:system_r:nfsd_t
Target Context                system_u:system_r:unconfined_t
Target Objects                socket:[27319] [ unix_stream_socket ]
Affected RPM Packages         nfs-utils-1.0.9-16.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.nfs_export_all_ro
Host Name                     Rhel5.test.com
Platform                      Linux Rhel5.test.com 2.6.18-8.el5xen #1 SMP Fri
                              Jan 26 14:29:35 EST 2007 x86_64 x86_64
Alert Count                   3
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="rpc.mountd" dev=sockfs egid=0 euid=0
exe="/usr/sbin/rpc.mountd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[27320]"
path="socket:[27319]" pid=9202 scontext=system_u:system_r:nfsd_t:s0 sgid=0
subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0

Additional info: As per the alert info, when I execute setsebool -P
nfs_export_all_ro=1 I still get the same alert.
Please also note that I don't have any problem in reading the NFS share from
client systems, however.
Comment 1 Daniel Walsh 2007-08-31 08:48:33 EDT
This is happening because the tool that is running the nfs rpc.mountd is
resetting stdin/stdout to a unix_stream_socket.  The daemon is not allowed to
talk to this by SELinux.  The kernel closes the open descriptor and replaces it
with /dev/null.  Then runs the app.  You can add custom policy to make this go
away by executing

grep rpc.mountd /var/log/audit/audit.log | audit2allow -M mynfsd
semodule -i mynfsd.pp
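
The following is an added example, not code from the bug report or from the selinux-policy project. It parses the raw AVC record pasted in the description, shows why the nfs_export_all_ro boolean suggested by setroubleshoot cannot cover it (the target is a unix_stream_socket labelled unconfined_t, not a file, and the denial includes write), and renders the same type-enforcement rule that the audit2allow step in comment 1 would generate, so the rule can be reviewed before semodule -i installs it. The second AVC line is constructed to show a denial the boolean does cover; the set of read-type permissions is a simplifying assumption of this example, not taken from the policy sources.

```python
import re

# AVC record as pasted in the bug report (setroubleshoot had wrapped it across lines).
AVC_FROM_REPORT = (
    'avc: denied { read, write } for comm="rpc.mountd" dev=sockfs egid=0 euid=0 '
    'exe="/usr/sbin/rpc.mountd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[27320]" '
    'path="socket:[27319]" pid=9202 scontext=system_u:system_r:nfsd_t:s0 sgid=0 '
    'subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=unix_stream_socket '
    'tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0'
)

# Constructed record of the kind nfs_export_all_ro is meant for: nfsd_t reading a plain file.
AVC_FILE_READ_CONSTRUCTED = (
    'avc: denied { read } for comm="nfsd" name="data.txt" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:home_root_t:s0 '
    'tclass=file'
)

# "avc: denied { perm perm } for key=value ..." (setroubleshoot also prints commas between perms)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes that the nfs_export_all_ro boolean can grant access to (filesystem objects only).
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'fifo_file', 'sock_file', 'chr_file', 'blk_file'}
# Assumption for this example: permissions treated as "read-only" for the boolean check.
READ_ONLY_PERMS = {'read', 'getattr', 'open', 'lock', 'search', 'ioctl'}


def parse_avc(line):
    """Return a dict with the permission list and every key=value field, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').replace(',', ' ').split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': perms, **fields}


def context_type(ctx):
    """user:role:type[:level] -> type (always the third field)."""
    return ctx.split(':')[2]


def boolean_applies(rec):
    """True only if nfs_export_all_ro could resolve this denial: nfsd_t, a file-class
    target, and read-only permissions. A socket denial that includes write is outside
    its scope, which is why setting the boolean changed nothing in the report."""
    return (context_type(rec['scontext']) == 'nfsd_t'
            and rec['tclass'] in FILE_CLASSES
            and set(rec['perms']) <= READ_ONLY_PERMS)


def te_rule(rec):
    """The allow rule audit2allow would emit for one denial."""
    return 'allow {src} {tgt}:{cls} {{ {perms} }};'.format(
        src=context_type(rec['scontext']), tgt=context_type(rec['tcontext']),
        cls=rec['tclass'], perms=' '.join(rec['perms']))


def te_module(name, recs):
    """Render a .te module in the layout audit2allow -M produces, for review before semodule -i."""
    types, classes, rules = set(), {}, []
    for rec in recs:
        types.update([context_type(rec['scontext']), context_type(rec['tcontext'])])
        classes.setdefault(rec['tclass'], set()).update(rec['perms'])
        rules.append(te_rule(rec))
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in sorted(types)]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ['}', ''] + rules
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for raw in (AVC_FROM_REPORT, AVC_FILE_READ_CONSTRUCTED):
        rec = parse_avc(raw)
        print('%s %s on %s -> nfs_export_all_ro applies: %s' % (
            rec['comm'], rec['perms'], rec['tclass'], boolean_applies(rec)))
    print(te_module('mynfsd', [parse_avc(AVC_FROM_REPORT)]))
```

Running it prints that the rpc.mountd denial is not covered by the boolean while the constructed file read is, and then the mynfsd module text containing `allow nfsd_t unconfined_t:unix_stream_socket { read write };`, the rule the grep | audit2allow step above builds from the real audit log.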

Comment 2 manoj 2007-09-03 01:45:08 EDT
Hi,

Thanks for quick response.
I tried the command  grep rpc.mountd /var/log/audit/audit.log | audit2allow -M
mynfsd semodule -i mynfsd.pp but I believe some parameter is missing in this as
it is not getting executed.
Comment 3 Daniel Walsh 2007-09-04 10:52:28 EDT
Those should be on two separate lines.
# grep rpc.mountd /var/log/audit/audit.log | audit2allow -M mynfsd
# semodule -i mynfsd.pp
