Fedora Account System
Red Hat Associate
Red Hat Customer
Description of problem: Mounting an NFS file system causes denials, even when the nfs_export_all_ro Boolean is turned on. The mount is successful and works as expected, except for the denials. Version-Release number of selected component (if applicable): selinux-policy-3.5.13-41.fc10.noarch selinux-policy-targeted-3.5.13-41.fc10.noarch nfs-utils-1.1.4-7.fc10.i386 util-linux-ng-2.14.1-3.2.fc10.i386 rpcbind-0.1.7-1.fc10.i386 How reproducible: Always (for me). Steps to Reproduce: On the system running the NFS service (from nfs-utils): 0. run "setsebool nfs_export_all_rw off" and "setsebool nfs_export_all_ro on". 1. mkdir /export (mine was labeled with the etc_t type: drwxrwxrwx root root system_u:object_r:etc_t:s0 /export/). 2. add "/export *(ro)" to /etc/exports 3. run "tail -f /var/log/messages" or "tail -f /var/log/audit/audit.log". Mount /export on a remote machine (mount server:/export /mountpoint). Confirm the mount works as expected. See denials on the system running the NFS service. Actual results: Mount works, but SELinux denials occur: SELinux is preventing the nfs daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 1e7bcb3f-c1d1-4ee3-ac79-0fbf8331b9f1 This Boolean is on and the file system mounts correctly. See "Additional info" for other NFS related Booleans. SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/gpmctl (gpmctl_t). For complete SELinux messages. run sealert -l 5688e6ea-de38-4d71-a45d-1c8fa345169c This appears to be labeled correctly: $ ls -lZ /dev/gpmctl srwx------ murray root system_u:object_r:gpmctl_t:s0 /dev/gpmctl $ grep gpmctl /etc/selinux/targeted/contexts/files/* /etc/selinux/targeted/contexts/files/file_contexts:/dev/gpmctl -s system_u:object_r:gpmctl_t:s0 /etc/selinux/targeted/contexts/files/file_contexts:/dev/gpmdata -p system_u:object_r:gpmctl_t:s0 Running "restorecon -v /dev/gpmctl" as suggested does not change anything. Expected results: No denials. Additional info: The system attempting to mount /export was Fedora rawhide. Is it safe to dontaudit the gpmctl denial? Should /dev/gpmctl be accessed in any way when mounting via NFS? allow_ftpd_use_nfs --> off allow_nfsd_anon_write --> off httpd_use_nfs --> off nfs_export_all_ro --> on nfs_export_all_rw --> off qemu_use_nfs --> on samba_share_nfs --> off use_nfs_home_dirs --> on virt_use_nfs --> off xen_use_nfs --> off
Created attachment 331224 [details] output from "sealert -l [id]" from comment #0
Same denials occur for subsequent mounts. Same results when using public_content_t type for /export on server-side. $ sesearch -C --allow -s nfsd_t -t tmpfs_t [snip] ET allow nfsd_t tmpfs_t : file { ioctl read getattr lock } ; [ nfs_export_all_ro ] [snip] The above looks like the Boolean should allow access for the first denial.
Miroslav, you need to add auth_read_all_dirs_except_shadow(nfsd_t) files_getattr_all_pipes(nfsd_t) files_getattr_all_sockets(nfsd_t) dev_getattr_all_blk_files(nfsd_t) dev_getattr_all_chr_files(nfsd_t) To nfs_export_all_ro and nfs_export_all_rw blocks in rpc.te Murray the tmpfs_t is complaining about reading the 'dir' not 'file'.
Actually rw only needs dev_getattr_all_blk_files(nfsd_t) dev_getattr_all_chr_files(nfsd_t)
Fixed in selinux-policy-3.5.13-45.fc10
verified in selinux-policy-3.5.13-46.fc10.noarch Thanks.