Description of problem:

Apologies if this is expected behavior.

* nfs_export_all_rw off
* nfs_export_all_ro on
* read-write permissions (rw) configured in "/etc/exports".
* other NFS related Booleans are off. See "Additional info" section.

With the above configuration, clients are able to write to NFS mounted shares.

Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-41.fc10.noarch
selinux-policy-targeted-3.5.13-41.fc10.noarch
nfs-utils-1.1.4-7.fc10.i386
util-linux-ng-2.14.1-3.2.fc10.i386
rpcbind-0.1.7-1.fc10.i386

How reproducible:
Always (for me).

Steps to Reproduce:
On the system running the NFS service (from nfs-utils):
0. run "setsebool nfs_export_all_rw off" and "setsebool nfs_export_all_ro on".
1. mkdir /export (mine was labeled with the default_t type: drwxrwxrwx root root system_u:object_r:default_t:s0 /export/).
2. add "/export *(rw)" to /etc/exports
3. run "tail -f /var/log/messages" or "tail -f /var/log/audit/audit.log".
Mount /export on a remote machine (mount server:/export /mountpoint). Confirm the mount works as expected, and that write access is allowed.
See denials on the system running the NFS service.

Actual results:
Clients can write to the NFS mounted shares. Same denials as bug #484541 (<https://bugzilla.redhat.com/attachment.cgi?id=331224>). nfs_export_all_ro is on but the setroubleshoot browser suggests turning nfs_export_all_ro on.

Expected results:
Write access denied since nfs_export_all_rw is off.

Additional info:
The system mounting and writing to /export was Fedora rawhide.

allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> off
qemu_use_nfs --> off
samba_share_nfs --> off
use_nfs_home_dirs --> off
virt_use_nfs --> off
xen_use_nfs --> off
I believe the problem here is the kernel is actually reading/writing the files, so you are not getting the denials you would expect. Adding eric, to see if he agrees with this assessment.
nfsd kernel threads run in kernel_t presently. If unconfined module is present, then kernel_t is unconfined and thus can read/write all files. If unconfined module is removed, the kernel_t is not unconfined, and thus the nfs_export_* booleans are relevant. Better solutions would be: a) Put nfsd kernel threads into their own type, or b) Have nfsd kernel threads switch to a type based on the NFS client (something that would come out of the labeled NFS work although you could also do something in the short term just by way of extending exports to support specifying per-client contexts and having the kernel use that information if present upon nfsd_setuser).
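The comment above explains why the booleans had no effect: the nfsd kernel threads run as kernel_t, and with the unconfined policy module loaded kernel_t is unconfined, so the nfs_export_all_* booleans never get consulted. The script below is an added example written for this page (it is not from the bug report or from the selinux-policy project) that encodes that reasoning as a check an administrator can run: it reads the nfsd thread domain, whether the unconfined module is loaded, and the nfs_export_all_rw value, and reports whether the booleans can actually constrain nfsd. The sample observations are constructed, and nfsd_t as a dedicated domain for the nfsd threads is a hypothetical stand-in for option a) in the comment.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide whether the
# nfs_export_all_* booleans can restrict nfsd on this host.
# Rule (from the comment above): nfsd threads run as kernel_t; if the
# unconfined policy module is loaded, kernel_t is unconfined and the
# booleans are bypassed. Any other (confined) nfsd domain, or kernel_t
# without the unconfined module, means the booleans are enforced.

# Third field of an SELinux context (user:role:type:level) is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1 = domain type of the nfsd threads
# $2 = "yes" if the unconfined policy module is loaded, else "no"
# Prints "bypassed" when the booleans cannot restrict nfsd, else "enforced".
nfs_boolean_effective() {
    domain=$1
    unconfined_loaded=$2
    if [ "$domain" = "kernel_t" ] && [ "$unconfined_loaded" = "yes" ]; then
        echo bypassed
    else
        echo enforced
    fi
}

# One-line report for a single observation:
# $1 = nfsd thread context, $2 = unconfined module loaded (yes/no),
# $3 = current nfs_export_all_rw value (on/off)
report() {
    ctx=$1; unconfined=$2; rw_bool=$3
    domain=$(ctx_type "$ctx")
    verdict=$(nfs_boolean_effective "$domain" "$unconfined")
    echo "nfsd domain: $domain  unconfined module: $unconfined" \
         "nfs_export_all_rw: $rw_bool  -> booleans $verdict"
}

if [ "$1" = "--live" ]; then
    # Live mode: gather the three facts from the running system
    # (needs root and the SELinux userspace tools installed).
    nfsd_ctx=$(ps -eo label,comm | awk '$2 == "nfsd" { print $1; exit }')
    if semodule -l 2>/dev/null | grep -q '^unconfined'; then
        unc=yes
    else
        unc=no
    fi
    rw=$(getsebool nfs_export_all_rw | awk '{ print $NF }')
    report "${nfsd_ctx:-unknown}" "$unc" "$rw"
else
    # Constructed sample observations (not captured from a real host).
    report 'system_u:system_r:kernel_t:s0' yes off   # reporter's situation: booleans bypassed
    report 'system_u:system_r:kernel_t:s0' no  off   # unconfined module removed: booleans enforced
    report 'system_u:system_r:nfsd_t:s0'   yes off   # hypothetical dedicated nfsd domain: enforced
fi
```

Run it with `--live` on the NFS server to see the real values; without arguments it walks through the three constructed cases, the first of which matches the reporter's setup (kernel_t plus the unconfined module, so "bypassed" despite nfs_export_all_rw being off).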
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.