Bug 442916 - SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/oprofile (oprofilefs_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nfs-utils
Version: 8
Hardware: i386
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-17 15:39 UTC by Petr Machata
Modified: 2015-05-05 01:33 UTC (History)

Fixed In Version: F8
Last Closed: 2008-11-26 17:37:38 UTC
Type: ---

Description Petr Machata 2008-04-17 15:39:14 UTC
Description of problem:

I'm copying files from one NFS system to another.  The target one is actually
located on my machine, but I guess that shouldn't matter.  Every once in a while
(like for example every ten minutes or so), I get the following AVC denial:

  SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/oprofile
(oprofilefs_t). 

Raw audit messages:
host=hridell.englab.brq.redhat.com type=AVC msg=audit(1208445955.446:8165): avc:
denied { getattr } for pid=10637 comm="rpc.mountd" path="/dev/oprofile"
dev=oprofilefs ino=21370657 scontext=unconfined_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:oprofilefs_t:s0 tclass=dir
host=hridell.englab.brq.redhat.com type=SYSCALL msg=audit(1208445955.446:8165):
arch=40000003 syscall=195 success=no exit=-13 a0=bfbfbfd4 a1=bfbfbeb0 a2=294ff4
a3=3 items=0 ppid=1 pid=10637 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"
subj=unconfined_u:system_r:nfsd_t:s0 key=(null) 

The context of /dev/oprofile is system_u:object_r:oprofilefs_t, which looks OK
to me.  In any case I don't know if rpc.mountd is even supposed to touch
/dev/oprofile.  Isn't this a bug?

I've found another bug similar to this one, #247157, which was resolved by
fixing the policy.  I'm not sure this is relevant in this case, oprofilefs_t
seems "right" to me.

Version-Release number of selected component (if applicable):
nfs-utils-1.1.0-6.fc8

sestatus gives me this:
# /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Steps to Reproduce:
1. Turn selinux into enforcing mode
2. Create NFS share
3. Copy globs of data to that share
  
Actual results:
AVC denial

Expected results:
No AVC denial

Comment 1 Daniel Walsh 2008-04-17 18:04:29 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-2.6.4-101.fc9.noarch
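
The audit2allow command in Comment 1 reads every denial logged since the last policy load (-l), so the module it builds can allow more than the single getattr reported here. The following is an added example, not part of the comment or of any Fedora tool: it parses AVC records in the format shown in the report and lists the allow rules they translate to, for the whole log and for nfsd_t only. The second log line and its names (exampled, example_t) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the report joined onto one line
# (host= field dropped), plus an invented, unrelated denial and a SYSCALL line.
SAMPLE_LOG = """\
type=AVC msg=audit(1208445955.446:8165): avc: denied { getattr } for pid=10637 comm="rpc.mountd" path="/dev/oprofile" dev=oprofilefs ino=21370657 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:oprofilefs_t:s0 tclass=dir
type=AVC msg=audit(1208446000.100:8170): avc: denied { read write } for pid=2222 comm="exampled" name="example.db" dev=dm-0 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1208445955.446:8165): arch=40000003 syscall=195 success=no exit=-13 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(":")[2]


def allow_rules(log_text, source_type=None):
    """Return the allow rules implied by denied AVC records.

    If source_type is given, only denials from that domain are included.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no rule
        src = selinux_type(m["scon"])
        if source_type and src != source_type:
            continue
        key = (src, selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("whole log:  ", allow_rules(SAMPLE_LOG))
    print("nfsd_t only:", allow_rules(SAMPLE_LOG, "nfsd_t"))
```

On a real system, audit2allow -M also writes mypol.te next to mypol.pp, and that file can be reviewed the same way before running semodule -i.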

Comment 2 Bug Zapper 2008-11-26 10:30:15 UTC
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Jon Stanley 2008-11-26 17:37:38 UTC
As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report.

If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against.

Thanks for the report!

