Bug 437663 - Dbus isn't allowed to look at NFS-mounted home directories
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-03-15 22:25 UTC by Göran Uddeborg
Modified: 2008-11-10 13:40 UTC (History)
Last Closed: 2008-11-10 13:40:05 UTC
Description Göran Uddeborg 2008-03-15 22:25:51 UTC
Description of problem:
With home directories mounted via NFS, I get these errors:

Mar 15 23:01:59 freddi kernel: audit(1205618519.328:7): avc:  denied  { search }
for  pid=2500 comm="dbus-daemon" name="" dev=0:15 ino=5963786
scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=dir

I get these errors although I do have the boolean to allow NFS home directories set:

freddi$ getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

freddi$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.0.8-93.fc8
selinux-policy-targeted-3.0.8-93.fc8

Comment 1 Daniel Walsh 2008-03-17 13:13:51 UTC
Any idea why the systembus would be looking in your home directories? 

You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Will be dontaudited in selinux-policy-3.0.8-94.fc8

Comment 2 Göran Uddeborg 2008-03-17 14:57:32 UTC
In order to answer your question, I have investigated this a bit further.  It
turns out the systembus isn't actually looking in the home directories, it's
looking at /usr/local.  Which I also have NFS mounted on this host.  So while
nothing I wrote in comment 0 is incorrect, it is misleading.

I still don't know why the systembus looks at /usr/local, but it seems to be a
reasonable thing for it to do.  So maybe it makes more sense for me to allow
this locally, rather than for the default policy to hide it.  I guess
NFS-mounted /usr/local isn't something that is expected by the default policy.

Sorry for the noise.
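
Added example (not part of the original bug thread): the denial only identifies its target as dev=0:15, which is how the /usr/local mount came to be mistaken for the home directories. The script below resolves that field against a mount table in /proc/self/mountinfo format. The helper names, the sample mount table and the server name are constructed for illustration, and it assumes a kernel that provides /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example: resolve the dev=MAJ:MIN field of an AVC denial to a mount point.
# NFS and other device-less filesystems log dev= as major:minor; block devices
# log a name such as sda1 instead and will simply produce no match here.

# AVC record from the bug description, joined onto one line.
SAMPLE_AVC='audit(1205618519.328:7): avc:  denied  { search } for  pid=2500 comm="dbus-daemon" name="" dev=0:15 ino=5963786 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Constructed mount table in /proc/self/mountinfo format (server name is made up).
write_sample_mountinfo() {  # usage: write_sample_mountinfo FILE
    cat > "$1" <<'EOF'
16 1 8:2 / / rw,relatime - ext3 /dev/sda2 rw
21 16 0:14 / /home rw,relatime shared:1 - nfs fileserver:/export/home rw,vers=3
22 16 0:15 / /usr/local rw,relatime - nfs fileserver:/export/local rw,vers=3
EOF
}

# Print the value of one key=value field of an AVC record, quotes stripped.
avc_field() {  # usage: avc_field KEY RECORD
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# Print "mountpoint fstype" for every mount whose device number matches.
# Field 3 is major:minor, field 5 the mount point, fstype follows the "-".
mount_for_dev() {  # usage: mount_for_dev MAJ:MIN [MOUNTINFO_FILE]
    awk -v dev="$1" '$3 == dev {
        for (i = 7; i <= NF; i++)
            if ($i == "-") { print $5, $(i + 1); break }
    }' "${2:-/proc/self/mountinfo}"
}

# One-line summary: which process was denied on which mount.
explain_denial() {  # usage: explain_denial RECORD [MOUNTINFO_FILE]
    dev=$(avc_field dev "$1")
    printf '%s (%s) denied on dev %s: %s\n' "$(avc_field comm "$1")" \
        "$(avc_field scontext "$1")" "$dev" "$(mount_for_dev "$dev" "$2")"
}

# Demo on the constructed table; drop the second argument to use the live one.
tmp=$(mktemp)
write_sample_mountinfo "$tmp"
explain_denial "$SAMPLE_AVC" "$tmp"
rm -f "$tmp"
```

Resolving the device before generating a local module with audit2allow shows which mount the new allow rule will actually cover.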

