Bug 537599 - SELinux prevented polkitd from reading files stored on a NFS filesytem.
Summary: SELinux prevented polkitd from reading files stored on a NFS filesytem.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:8beceef0bb6...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-14 21:28 UTC by Peter Jennings
Modified: 2009-12-23 16:57 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-23 16:57:00 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Peter Jennings 2009-11-14 21:28:58 UTC 
Summary:

SELinux prevented polkitd from reading files stored on a NFS filesytem.

Detailed Description:

SELinux prevented polkitd from reading files stored on a NFS filesystem. NFS
(Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems. polkitd attempted to read one or more files or directories from a
mounted filesystem of this type. As NFS filesystems do not support fine-grained
SELinux labeling, all files and directories in the filesystem will have the same
security context. If you have not configured polkitd to read files from a NFS
filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                 [ dir ]
Source                        polkitd
Source Path                   /usr/libexec/polkit-1/polkitd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.95-0.git20090913.3.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat
                              Nov 7 21:25:57 EST 2009 i686 i686
Alert Count                   834
First Seen                    Sat 31 Oct 2009 12:32:32 PM PDT
Last Seen                     Sat 14 Nov 2009 01:23:20 PM PST
Local ID                      2b426b93-bb8c-4a37-9e4c-d4f49bc4df8d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258233800.223:21533): avc:  denied  { search } for  pid=1645 comm="polkitd" name="" dev=0:15 ino=2 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1258233800.223:21533): arch=40000003 syscall=195 success=no exit=-13 a0=94008f0 a1=bfc4d1d0 a2=cfbff4 a3=94008f0 items=0 ppid=1 pid=1645 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,use_nfs_home_dirs,polkitd,policykit_t,nfs_t,dir,search
audit2allow suggests:

#============= policykit_t ==============
allow policykit_t nfs_t:dir search;
Comment 1 Daniel Walsh 2009-11-16 15:16:11 UTC 
Are you using nfs home directories?  Did you restart the polkitd daemon while sitting in an NFS directory?
Note You need to log in before you can comment on or make changes to this bug.