Bug 484541 - Mounting an NFS file system causes denials, even when nfs_export_all_ro=on
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-07 23:44 EST by Murray McAllister
Modified: 2015-01-04 17:35 EST
Last Closed: 2009-09-06 03:15:11 EDT
Doc Type: Bug Fix

Attachments
output from "sealert -l [id]" from comment #0 (5.01 KB, text/plain)
2009-02-08 00:15 EST, Murray McAllister
Description Murray McAllister 2009-02-07 23:44:44 EST
Description of problem:

Mounting an NFS file system causes denials, even when the nfs_export_all_ro Boolean is turned on. The mount is successful and works as expected, except for the denials.

Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-41.fc10.noarch
selinux-policy-targeted-3.5.13-41.fc10.noarch
nfs-utils-1.1.4-7.fc10.i386
util-linux-ng-2.14.1-3.2.fc10.i386
rpcbind-0.1.7-1.fc10.i386


How reproducible:

Always (for me).

Steps to Reproduce:

On the system running the NFS service (from nfs-utils):

0. run "setsebool nfs_export_all_rw off" and "setsebool nfs_export_all_ro on".
1. mkdir /export (mine was labeled with the etc_t type: drwxrwxrwx  root root system_u:object_r:etc_t:s0    /export/).
2. add "/export *(ro)" to /etc/exports
3. run "tail -f /var/log/messages" or "tail -f /var/log/audit/audit.log".

Mount /export on a remote machine (mount server:/export /mountpoint). Confirm the mount works as expected. See denials on the system running the NFS service.
  
Actual results:

Mount works, but SELinux denials occur:

SELinux is preventing the nfs daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 1e7bcb3f-c1d1-4ee3-ac79-0fbf8331b9f1

This Boolean is on and the file system mounts correctly. See "Additional info" for other NFS related Booleans.

SELinux is preventing rpc.mountd (nfsd_t) "getattr" to /dev/gpmctl (gpmctl_t). For complete SELinux messages. run sealert -l 5688e6ea-de38-4d71-a45d-1c8fa345169c

This appears to be labeled correctly:

$ ls -lZ /dev/gpmctl 
srwx------  murray root system_u:object_r:gpmctl_t:s0    /dev/gpmctl
$ grep gpmctl /etc/selinux/targeted/contexts/files/*
/etc/selinux/targeted/contexts/files/file_contexts:/dev/gpmctl  -s      system_u:object_r:gpmctl_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/dev/gpmdata -p      system_u:object_r:gpmctl_t:s0

Running "restorecon -v /dev/gpmctl" as suggested does not change anything.

Expected results:

No denials.

Additional info:

The system attempting to mount /export was Fedora rawhide.

Is it safe to dontaudit the gpmctl denial? Should /dev/gpmctl be accessed in any way when mounting via NFS?

allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> off
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> off
xen_use_nfs --> off
Comment 1 Murray McAllister 2009-02-08 00:15:44 EST
Created attachment 331224
output from "sealert -l [id]" from comment #0
Comment 2 Murray McAllister 2009-02-08 00:24:55 EST
Same denials occur for subsequent mounts.

Same results when using public_content_t type for /export on server-side.

$ sesearch -C --allow -s nfsd_t -t tmpfs_t
[snip]
ET allow nfsd_t tmpfs_t : file { ioctl read getattr lock } ; [ nfs_export_all_ro ]
[snip]
The above looks like the Boolean should allow access for the first denial.
Comment 3 Daniel Walsh 2009-02-09 09:02:40 EST
Miroslav, you need to add

auth_read_all_dirs_except_shadow(nfsd_t)
files_getattr_all_pipes(nfsd_t)
files_getattr_all_sockets(nfsd_t)
dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)

to the nfs_export_all_ro and nfs_export_all_rw blocks in rpc.te


Murray, the tmpfs_t is complaining about reading the 'dir' not 'file'.
Comment 4 Daniel Walsh 2009-02-09 09:04:44 EST
Actually rw only needs

dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)
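Written out as the reference-policy tunable_policy blocks that the interface lists in comments 3 and 4 imply (an added illustration in refpolicy syntax, not the patch that actually shipped in selinux-policy-3.5.13-45.fc10; the gen_tunable lines and the comments are assumed, and the rules already present inside each block are omitted):

```m4
# Tunable declarations as they appear in rpc.te (wording assumed).
gen_tunable(nfs_export_all_ro, false)
gen_tunable(nfs_export_all_rw, false)

# Read-only export. The existing rules only let nfsd_t read files; the
# denials in this bug are a dir read on tmpfs_t and a getattr on the
# gpmctl_t socket, which is why directory, pipe, socket and device-node
# access is added to the read-only tunable.
tunable_policy(`nfs_export_all_ro',`
	# existing read-only file rules for this tunable remain here
	auth_read_all_dirs_except_shadow(nfsd_t)
	files_getattr_all_pipes(nfsd_t)
	files_getattr_all_sockets(nfsd_t)
	dev_getattr_all_blk_files(nfsd_t)
	dev_getattr_all_chr_files(nfsd_t)
')

# Read-write export. Per comment 4 only the device-node getattr
# interfaces are needed in this block.
tunable_policy(`nfs_export_all_rw',`
	# existing read-write rules for this tunable remain here
	dev_getattr_all_blk_files(nfsd_t)
	dev_getattr_all_chr_files(nfsd_t)
')
```

After rebuilding and loading the policy, the same sesearch query used in comment 2, restricted to the dir class (sesearch -C --allow -s nfsd_t -t tmpfs_t -c dir), should now show a read rule conditioned on nfs_export_all_ro.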
Comment 5 Miroslav Grepl 2009-02-12 10:02:21 EST
Fixed in selinux-policy-3.5.13-45.fc10
Comment 6 Murray McAllister 2009-03-09 01:49:54 EDT
Verified in selinux-policy-3.5.13-46.fc10.noarch

Thanks.
