Bug 604495 - SELinux preventing autofs mount of home directory over NFSv4 from Solaris Server
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
13
All Linux
low Severity low
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2010-06-16 00:05 EDT by Darryl Bond
Modified: 2010-07-06 13:08 EDT (History)
Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Last Closed: 2010-07-06 13:08:44 EDT
Description Darryl Bond 2010-06-16 00:05:58 EDT
Description of problem: SELinux prevents a user login when using autofs and NFSv4 for home directory. NFSv3 works fine. NFS Server is Solaris10 SPARC.



Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-23.fc13.noarch

How reproducible: setenforce 0 allows home directory to be mounted


Steps to Reproduce:
1. Configure autofs to automount home directory using default settings (NFS4)
2. Attempt login (defaults to / as user home directory as real home directory will not mount)
3. setenforce 0
4. Attempt login (success)
  
Actual results:
Get / as home directory


Expected results:
Actual home directory

Additional info:
Using autofs-5.0.5-24.fc13.x86_64 to mount home directory 

*	-rw,intr,timeo=14			&:/homec/&

Home directory server is Solaris 10 SPARC box.

Changing the autofs to NFS3 successfully allows login with SELinux enabled
*	-rw,intr,timeo=14,rsize=8192,wsize=8192,vers=3	&:/homec/&

SELinux Error message
Summary:

SELinux is preventing /sbin/mount.nfs "read" access on solaris_nfs_server.

Detailed Description:

SELinux denied access requested by mount.nfs. It is not expected that this
access is required by mount.nfs and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                solaris_nfs_server [ lnk_file ]
Source                        mount.nfs
Source Path                   /sbin/mount.nfs
Port                          <Unknown>
Host                          f13-client
Source RPM Packages           nfs-utils-1.2.2-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     f13-client
Platform                      Linux f13-client 2.6.33.5-112.fc13.x86_64 #1 SMP Thu
                              May 27 02:28:31 UTC 2010 x86_64 x86_64
Alert Count                   68
First Seen                    Tue 15 Jun 2010 07:30:26 AM EST
Last Seen                     Tue 15 Jun 2010 08:38:15 AM EST
Local ID                      d2fa6432-f805-4a28-86f0-d3c3ec909283
Line Numbers                  

Raw Audit Messages            

node=f13-client type=AVC msg=audit(1276555095.896:28710): avc:  denied  { read } for  pid=5820 comm="mount.nfs" name="solaris_nfs_server" dev=0:19 ino=321557 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

node=f13-client type=SYSCALL msg=audit(1276555095.896:28710): arch=c000003e syscall=165 success=no exit=-13 a0=7fffe91ea8ef a1=7ff681234da0 a2=7ff67f88a8fb a3=0 items=0 ppid=5819 pid=5820 auid=60953 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="mount.nfs" exe="/sbin/mount.nfs" subj=unconfined_u:system_r:mount_t:s0 key=(null)
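
Added example, not part of the original report: Python that pairs the AVC and SYSCALL records above by audit event ID and derives the type-enforcement rule the denial corresponds to, similar to what audit2allow reports. The function names and the one-entry syscall table are assumptions made for this example.

```python
import errno
import re

# The two raw audit records from the report above, copied verbatim.
RECORDS = [
    'node=f13-client type=AVC msg=audit(1276555095.896:28710): avc:  denied  { read } for  pid=5820 comm="mount.nfs" name="solaris_nfs_server" dev=0:19 ino=321557 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file',
    'node=f13-client type=SYSCALL msg=audit(1276555095.896:28710): arch=c000003e syscall=165 success=no exit=-13 a0=7fffe91ea8ef a1=7ff681234da0 a2=7ff67f88a8fb a3=0 items=0 ppid=5819 pid=5820 auid=60953 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="mount.nfs" exe="/sbin/mount.nfs" subj=unconfined_u:system_r:mount_t:s0 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
# Assumption: only the (arch, syscall) pair seen in this report is mapped.
SYSCALLS = {('c000003e', '165'): 'mount'}  # x86_64 syscall 165 is mount(2)

def parse(line):
    """Split one audit record into type, event id and key=value fields."""
    m = HEADER.search(line)
    if m is None:
        raise ValueError('not an audit record: %r' % line[:40])
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
    rec['type'], rec['event'] = m.group(1), m.group(2)
    if rec['type'] == 'AVC':
        rec['perms'] = PERMS.search(line).group(1).split()
    return rec

def allow_rule(avc):
    """Build the TE rule for a denial: allow source target:class perms;"""
    # A context is user:role:type:level, so field 2 is the SELinux type.
    src, tgt = (avc[k].split(':')[2] for k in ('scontext', 'tcontext'))
    perms = avc['perms']
    body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (src, tgt, avc['tclass'], body)

def explain(lines):
    """Pair AVC and SYSCALL records sharing an event id; summarise each denial."""
    events = {}
    for rec in map(parse, lines):
        events.setdefault(rec['event'], {})[rec['type']] = rec
    out = []
    for recs in (r for r in events.values() if 'AVC' in r):
        sc = recs.get('SYSCALL', {})
        out.append({
            'rule': allow_rule(recs['AVC']),
            'syscall': SYSCALLS.get((sc.get('arch'), sc.get('syscall')), 'unknown'),
            'errno': errno.errorcode.get(-int(sc.get('exit', 0)), 'n/a'),
            'blocked': sc.get('success') == 'no',  # 'yes' when running permissive
        })
    return out
```

Calling `explain(RECORDS)` returns one entry for event 28710: a `mount` call that failed with `EACCES` because `mount_t` lacked `read` on an `nfs_t` symlink.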
Comment 1 Daniel Walsh 2010-06-16 13:25:42 EDT
Miroslav add

fs_read_nfs_symlinks(mount_t)
Comment 2 Miroslav Grepl 2010-06-16 16:38:01 EDT
Fixed in selinux-policy-3.7.19-30.fc13
Comment 3 Fedora Update System 2010-06-30 15:54:26 EDT
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 4 Fedora Update System 2010-07-01 14:48:17 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 5 Fedora Update System 2010-07-06 13:06:43 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
