Description of problem:
I'm copying files from one NFS system to another. The target one is actually located on my machine, but I guess that shouldn't matter. Every once in a while (like for example every ten minutes or so), I get the following AVC denial:

SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/oprofile (oprofilefs_t).

Raw audit messages:

host=hridell.englab.brq.redhat.com type=AVC msg=audit(1208445955.446:8165): avc: denied { getattr } for pid=10637 comm="rpc.mountd" path="/dev/oprofile" dev=oprofilefs ino=21370657 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:oprofilefs_t:s0 tclass=dir

host=hridell.englab.brq.redhat.com type=SYSCALL msg=audit(1208445955.446:8165): arch=40000003 syscall=195 success=no exit=-13 a0=bfbfbfd4 a1=bfbfbeb0 a2=294ff4 a3=3 items=0 ppid=1 pid=10637 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)

The context of /dev/oprofile is system_u:object_r:oprofilefs_t, which looks OK to me. In any case I don't know if rpc.mountd is even supposed to touch /dev/oprofile. Isn't this a bug?

I've found another bug similar to this one, #247157, which was resolved by fixing the policy. I'm not sure this is relevant in this case, oprofilefs_t seems "right" to me.

Version-Release number of selected component (if applicable):
nfs-utils-1.1.0-6.fc8

sestatus gives me this:

# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Steps to Reproduce:
1. Turn selinux into enforcing mode
2. Create NFS share
3. Copy globs of data to that share

Actual results:
AVC denial

Expected results:
No AVC denial
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-2.6.4-101.fc9.noarch
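
To see what a local module built from the audit log would grant before it is loaded, the following added example (not part of this bug report and not audit2allow's own code) reduces AVC records to the allow rules they imply. The first sample record is the one from this report; the second, with its "exampled" and "example_t" names, is constructed to show that unrelated denials in the same log become rules as well.

```python
import re
from collections import defaultdict

# First record: copied from the report above. Second record: constructed,
# standing in for an unrelated denial that happens to be in the same log.
SAMPLE_LOG = '''\
host=hridell.englab.brq.redhat.com type=AVC msg=audit(1208445955.446:8165): avc: denied { getattr } for pid=10637 comm="rpc.mountd" path="/dev/oprofile" dev=oprofilefs ino=21370657 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:oprofilefs_t:s0 tclass=dir
type=AVC msg=audit(1208445999.100:8170): avc: denied { read write } for pid=4242 comm="exampled" name="example.db" dev=dm-0 ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
COMM_RE = re.compile(r'comm="([^"]*)"')

def parse_denials(log_text):
    """Return one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        denials.append({
            'comm': comm.group(1) if comm else None,
            # A context is user:role:type[:level]; rules are written on the type.
            'source': m['scon'].split(':')[2],
            'target': m['tcon'].split(':')[2],
            'tclass': m['tclass'],
            'perms': m['perms'].split(),
        })
    return denials

def allow_rules(denials, comm=None):
    """Merge denials into allow rules, optionally only for one command name."""
    merged = defaultdict(set)
    for d in denials:
        if comm is not None and d['comm'] != comm:
            continue
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {source} {target}:{tclass} {perm_text};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(parse_denials(SAMPLE_LOG), comm='rpc.mountd'):
        print(rule)
```

Without the comm filter the constructed second denial also yields a rule, which is why the generated mypol.te is worth reading before running semodule -i.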
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 8 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report. If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against. Thanks for the report!