Bug 585014 – incorrect hint for fixing NFS denials

Bug 585014 - incorrect hint for fixing NFS denials

Summary:	incorrect hint for fixing NFS denials

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	setroubleshoot-plugins (Show other bugs)
Sub Component:
Version:	12
Hardware:	All Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-04-22 18:12 EDT by Milos Jakubicek
Modified:	2010-05-03 12:10 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	setroubleshoot-plugins-2.1.50-1.fc12
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-05-03 12:10:46 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Milos Jakubicek 2010-04-22 18:12:33 EDT

Description of problem:

On my server I correctly get the following AVC by default:

-------------------------------------------------------------
Summary:

SELinux prevented run.cgi from reading files stored on a NFS filesytem.

Detailed Description:

SELinux prevented run.cgi from reading files stored on a NFS filesystem. NFS
(Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems. run.cgi attempted to read one or more files or directories from a
mounted filesystem of this type. As NFS filesystems do not support fine-grained
SELinux labeling, all files and directories in the filesystem will have the same
security context. If you have not configured run.cgi to read files from a NFS
filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                 [ dir ]
Source                        run.cgi
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     cup2.sketchengine.co.uk
Platform                      Linux cup2.sketchengine.co.uk
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   25
First Seen                    Thu Apr 22 18:37:27 2010
Last Seen                     Thu Apr 22 23:55:38 2010
Local ID                      e4e7837d-2d47-411b-b738-fe8cc156a49c
Line Numbers                  10330, 10331, 10332, 10333, 10336, 10337, 10338,
                              10345, 10346, 10347, 10348, 10355, 10356, 10357,
                              10358, 10361, 10362, 10363, 10364, 10369, 10370,
                              10371, 10372, 10464, 10465, 10466, 10467, 10472,
                              10473, 10474, 10475, 10490, 10491, 10492, 10493,
                              10660, 10661, 10662, 10663, 18939, 18940, 18941,
                              18942, 18943, 18944, 18949, 18950, 18951, 18952,
                              18953, 18954

Raw Audit Messages            

type=AVC msg=audit(1271973338.973:42706): avc:  denied  { search } for  pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1271973338.973:42706): arch=c000003e syscall=2 success=no exit=-13 a0=d04f58 a1=0 a2=1b6 a3=0 items=0 ppid=16555 pid=16768 auid=500 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=9 comm="run.cgi" exe="/usr/bin/python" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

----------------------------------------------------

The problem is that it advises to use use_nfs_home_dirs=1, but the correct solution is to allow httpd_use_nfs=1.

Version-Release number of selected component (if applicable):

selinux-policy-3.6.32-108.fc12.noarch

Comment 1 Fedora Update System 2010-04-26 15:45:35 EDT

setroubleshoot-plugins-2.1.50-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12

Comment 2 Fedora Update System 2010-04-27 21:16:00 EDT

setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update setroubleshoot-plugins'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12

Comment 3 Fedora Update System 2010-05-03 12:10:42 EDT

setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.