Bug 604495 - SELinux preventing autofs mount of home directory over NFSv4 from Solaris Server
Summary: SELinux preventing autofs mount of home directory over NFSv4 from Solaris Server
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
(Show other bugs)
Version: 13
Hardware: All Linux
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-16 04:05 UTC by Darryl Bond
Modified: 2010-07-06 17:08 UTC (History)
0 users

Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-06 17:08:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Darryl Bond 2010-06-16 04:05:58 UTC
Description of problem:SELinux prevents a user login when using autofs and NFSv4 for home directory. NFSv3 works fine. NFS Server is Solaris10 SPARC.



Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-23.fc13.noarch

How reproducible: setenforce 0 allows home directory to be mounted


Steps to Reproduce:
1.Configure autofs to automount home directory usiong default settings (NFS4)
2.attempt login (defaults to / as user home directory as real home directory will not mount)
3.setenforce 0
4. attempt login (success)
  
Actual results:
Get / as home directory


Expected results:
Actual home directory

Additional info:
Using autofs-5.0.5-24.fc13.x86_64 to mount home directory 

*	-rw,intr,timeo=14			&:/homec/&

Home directory server is Solaris 10 SPARC box.

Changing the autofs to NFS3 successfully allows login with SELinux enabled
*	-rw,intr,timeo=14,rsize=8192,wsize=8192,vers=3	&:/homec/&

SELinux Error message
Summary:

SELinux is preventing /sbin/mount.nfs "read" access on solaris_nfs_server.

Detailed Description:

SELinux denied access requested by mount.nfs. It is not expected that this
access is required by mount.nfs and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                solaris_nfs_server [ lnk_file ]
Source                        mount.nfs
Source Path                   /sbin/mount.nfs
Port                          <Unknown>
Host                          f13-client
Source RPM Packages           nfs-utils-1.2.2-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     f13-client
Platform                      Linux f13-client 2.6.33.5-112.fc13.x86_64 #1 SMP Thu
                              May 27 02:28:31 UTC 2010 x86_64 x86_64
Alert Count                   68
First Seen                    Tue 15 Jun 2010 07:30:26 AM EST
Last Seen                     Tue 15 Jun 2010 08:38:15 AM EST
Local ID                      d2fa6432-f805-4a28-86f0-d3c3ec909283
Line Numbers                  

Raw Audit Messages            

node=f13-client type=AVC msg=audit(1276555095.896:28710): avc:  denied  { read } for  pid=5820 comm="mount.nfs" name="solaris_nfs_server" dev=0:19 ino=321557 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

node=f13-client type=SYSCALL msg=audit(1276555095.896:28710): arch=c000003e syscall=165 success=no exit=-13 a0=7fffe91ea8ef a1=7ff681234da0 a2=7ff67f88a8fb a3=0 items=0 ppid=5819 pid=5820 auid=60953 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="mount.nfs" exe="/sbin/mount.nfs" subj=unconfined_u:system_r:mount_t:s0 key=(null)

Comment 1 Daniel Walsh 2010-06-16 17:25:42 UTC
Miroslav add

fs_read_nfs_symlinks(mount_t)

Comment 2 Miroslav Grepl 2010-06-16 20:38:01 UTC
Fixed in selinux-policy-3.7.19-30.fc13

Comment 3 Fedora Update System 2010-06-30 19:54:26 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 4 Fedora Update System 2010-07-01 18:48:17 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-06 17:06:43 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.