Bug 484541 - Mounting an NFS file system causes denials, even when nfs_export_all_ro=on
Summary: Mounting an NFS file system causes denials, even when nfs_export_all_ro=on
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-02-08 04:44 UTC by Murray McAllister
Modified: 2015-01-04 22:35 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-09-06 07:15:11 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
output from "sealert -l [id]" from comment #0 (5.01 KB, text/plain)
2009-02-08 05:15 UTC, Murray McAllister
no flags Details

Description Murray McAllister 2009-02-08 04:44:44 UTC
Description of problem:

Mounting an NFS file system causes denials, even when the nfs_export_all_ro Boolean is turned on. The mount is successful and works as expected, except for the denials.

Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-41.fc10.noarch
selinux-policy-targeted-3.5.13-41.fc10.noarch
nfs-utils-1.1.4-7.fc10.i386
util-linux-ng-2.14.1-3.2.fc10.i386
rpcbind-0.1.7-1.fc10.i386


How reproducible:

Always (for me).

Steps to Reproduce:

On the system running the NFS service (from nfs-utils):

0. run "setsebool nfs_export_all_rw off" and "setsebool nfs_export_all_ro on".
1. mkdir /export (mine was labeled with the etc_t type: drwxrwxrwx  root root system_u:object_r:etc_t:s0    /export/).
2. add "/export *(ro)" to /etc/exports
3. run "tail -f /var/log/messages" or "tail -f /var/log/audit/audit.log".

Mount /export on a remote machine (mount server:/export /mountpoint). Confirm the mount works as expected. See denials on the system running the NFS service.
  
Actual results:

Mount works, but SELinux denials occur:

SELinux is preventing the nfs daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 1e7bcb3f-c1d1-4ee3-ac79-0fbf8331b9f1

This Boolean is on and the file system mounts correctly. See "Additional info" for other NFS related Booleans.

SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/gpmctl (gpmctl_t). For complete SELinux messages. run sealert -l 5688e6ea-de38-4d71-a45d-1c8fa345169c

This appears to be labeled correctly:

$ ls -lZ /dev/gpmctl 
srwx------  murray root system_u:object_r:gpmctl_t:s0    /dev/gpmctl
$ grep gpmctl /etc/selinux/targeted/contexts/files/*
/etc/selinux/targeted/contexts/files/file_contexts:/dev/gpmctl  -s      system_u:object_r:gpmctl_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/dev/gpmdata -p      system_u:object_r:gpmctl_t:s0

Running "restorecon -v /dev/gpmctl" as suggested does not change anything.

Expected results:

No denials.

Additional info:

The system attempting to mount /export was Fedora rawhide.

Is it safe to dontaudit the gpmctl denial? Should /dev/gpmctl be accessed in any way when mounting via NFS?

allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> off
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off

Comment 1 Murray McAllister 2009-02-08 05:15:44 UTC
Created attachment 331224 [details]
output from "sealert -l [id]" from comment #0

Comment 2 Murray McAllister 2009-02-08 05:24:55 UTC
Same denials occur for subsequent mounts.

Same results when using public_content_t type for /export on server-side.

$ sesearch -C --allow -s nfsd_t -t tmpfs_t
[snip]
ET allow nfsd_t tmpfs_t : file { ioctl read getattr lock } ; [ nfs_export_all_ro ]
[snip]
The above looks like the Boolean should allow access for the first denial.

Comment 3 Daniel Walsh 2009-02-09 14:02:40 UTC
Miroslav, you need to add

auth_read_all_dirs_except_shadow(nfsd_t)
files_getattr_all_pipes(nfsd_t)
files_getattr_all_sockets(nfsd_t)
dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)

To nfs_export_all_ro and nfs_export_all_rw blocks in rpc.te


Murray the tmpfs_t is complaining about reading the 'dir' not 'file'.

Comment 4 Daniel Walsh 2009-02-09 14:04:44 UTC
Actually rw only needs

dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)

Comment 5 Miroslav Grepl 2009-02-12 15:02:21 UTC
Fixed in selinux-policy-3.5.13-45.fc10

Comment 6 Murray McAllister 2009-03-09 05:49:54 UTC
verified in selinux-policy-3.5.13-46.fc10.noarch

Thanks.


Note You need to log in before you can comment on or make changes to this bug.