Bug 585014 - incorrect hint for fixing NFS denials
Summary: incorrect hint for fixing NFS denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-04-22 22:12 UTC by Milos Jakubicek
Modified: 2010-05-03 16:10 UTC (History)

Fixed In Version: setroubleshoot-plugins-2.1.50-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-03 16:10:46 UTC
Type: ---



Description Milos Jakubicek 2010-04-22 22:12:33 UTC
Description of problem:

On my server I correctly get the following AVC by default:

-------------------------------------------------------------
Summary:

SELinux prevented run.cgi from reading files stored on a NFS filesytem.

Detailed Description:

SELinux prevented run.cgi from reading files stored on a NFS filesystem. NFS
(Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems. run.cgi attempted to read one or more files or directories from a
mounted filesystem of this type. As NFS filesystems do not support fine-grained
SELinux labeling, all files and directories in the filesystem will have the same
security context. If you have not configured run.cgi to read files from a NFS
filesystem this access attempt could signal an intrusion attempt.

Allowing Access:

Changing the "use_nfs_home_dirs" boolean to true will allow this access:
"setsebool -P use_nfs_home_dirs=1"

Fix Command:

setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                 [ dir ]
Source                        run.cgi
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     cup2.sketchengine.co.uk
Platform                      Linux cup2.sketchengine.co.uk
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   25
First Seen                    Thu Apr 22 18:37:27 2010
Last Seen                     Thu Apr 22 23:55:38 2010
Local ID                      e4e7837d-2d47-411b-b738-fe8cc156a49c
Line Numbers                  10330, 10331, 10332, 10333, 10336, 10337, 10338,
                              10345, 10346, 10347, 10348, 10355, 10356, 10357,
                              10358, 10361, 10362, 10363, 10364, 10369, 10370,
                              10371, 10372, 10464, 10465, 10466, 10467, 10472,
                              10473, 10474, 10475, 10490, 10491, 10492, 10493,
                              10660, 10661, 10662, 10663, 18939, 18940, 18941,
                              18942, 18943, 18944, 18949, 18950, 18951, 18952,
                              18953, 18954

Raw Audit Messages            

type=AVC msg=audit(1271973338.973:42706): avc:  denied  { search } for  pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1271973338.973:42706): arch=c000003e syscall=2 success=no exit=-13 a0=d04f58 a1=0 a2=1b6 a3=0 items=0 ppid=16555 pid=16768 auid=500 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=9 comm="run.cgi" exe="/usr/bin/python" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

----------------------------------------------------

The problem is that it advises using use_nfs_home_dirs=1, but the correct solution is to allow httpd_use_nfs=1.

Version-Release number of selected component (if applicable):

selinux-policy-3.6.32-108.fc12.noarch

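The report above shows the core of the defect: the plugin keyed its hint on the target type (nfs_t) alone, and so recommended the home-directory boolean for a web-script domain (httpd_sys_script_t). The following is an added example, not code from setroubleshoot or from this bug's fix, that parses the raw AVC line quoted in the report and derives the boolean from the source domain as well as the target type. The sample line is a constructed copy of the one in the report, and the prefix-to-boolean table is an assumption illustrating the mapping rather than the plugin's real one.

```python
import re

# Constructed sample: a copy of the AVC line quoted in the bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1271973338.973:42706): avc:  denied  { search } for  '
    'pid=16768 comm="run.cgi" name="" dev=0:15 ino=2 '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir'
)

# key=value pairs; values may be double-quoted (comm="run.cgi") or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set between braces: { search }, { read write }, ...
_PERMS = re.compile(r'\{\s*([^}]*)\}')

# Assumed mapping from source-domain prefix to the boolean that grants NFS access
# for that domain. Only the httpd entry is stated by the bug report itself.
_NFS_BOOLEAN_BY_SOURCE_PREFIX = {
    'httpd_': 'httpd_use_nfs',
    'samba_': 'samba_share_nfs',
}
# Interactive-user domains are the ones use_nfs_home_dirs is meant for (assumption).
_USER_DOMAINS = {'user_t', 'staff_t', 'unconfined_t'}


def _type_of(context):
    """Extract the type field from a user:role:type[:level] SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit AVC denial line into its security-relevant fields.

    Returns None for lines that are not AVC denials (e.g. the SYSCALL record).
    """
    if 'avc:' not in line or 'denied' not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    perms = _PERMS.search(line)
    return {
        'comm': fields.get('comm'),
        'source_type': _type_of(fields['scontext']),
        'target_type': _type_of(fields['tcontext']),
        'tclass': fields.get('tclass'),
        'perms': perms.group(1).split() if perms else [],
    }


def nfs_boolean_for(source_type):
    """Pick the boolean for NFS access based on the *source* domain, not just nfs_t."""
    for prefix, boolean in _NFS_BOOLEAN_BY_SOURCE_PREFIX.items():
        if source_type.startswith(prefix):
            return boolean
    if source_type in _USER_DOMAINS:
        return 'use_nfs_home_dirs'
    return None  # unknown domain: no boolean hint, inspect the denial manually


def suggest_fix(line):
    """Return the setsebool command for an nfs_t denial, or None if no hint applies."""
    avc = parse_avc(line)
    if avc is None or avc['target_type'] != 'nfs_t':
        return None
    boolean = nfs_boolean_for(avc['source_type'])
    if boolean is None:
        return None
    return 'setsebool -P %s=1' % boolean


if __name__ == '__main__':
    print(parse_avc(SAMPLE_AVC))
    print(suggest_fix(SAMPLE_AVC))
```

Run against the report's AVC line this yields the hint the reporter asked for (httpd_use_nfs) rather than use_nfs_home_dirs; a denial from an unknown source domain produces no hint at all, which is preferable to a wrong boolean that silently widens access for the wrong domain.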
Comment 1 Fedora Update System 2010-04-26 19:45:35 UTC
setroubleshoot-plugins-2.1.50-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12

Comment 2 Fedora Update System 2010-04-28 01:16:00 UTC
setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update setroubleshoot-plugins'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/setroubleshoot-plugins-2.1.50-1.fc12

Comment 3 Fedora Update System 2010-05-03 16:10:42 UTC
setroubleshoot-plugins-2.1.50-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

