Summary: SELinux is preventing /bin/mount "write" access on /proc/fs/nfsd. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by mount. It is not expected that this access is required by mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:mount_t:s0 Target Context system_u:object_r:nfsd_fs_t:s0 Target Objects /proc/fs/nfsd [ dir ] Source mount Source Path /bin/mount Port <Unknown> Host (removed) Source RPM Packages util-linux-ng-2.18-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.8.8-8.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.35-0.49.rc5.git2.fc14.x86_64 #1 SMP Mon Jul 19 18:05:40 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Wed 28 Jul 2010 01:39:46 PM EDT Last Seen Wed 28 Jul 2010 01:39:46 PM EDT Local ID ffbc90a3-f995-4dbf-a1d9-cb33b66cab22 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1280338786.475:6): avc: denied { write } for pid=2577 comm="mount" name="/" dev=nfsd ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1280338786.475:6): arch=c000003e syscall=21 success=yes exit=0 a0=7f3c01b83170 a1=2 a2=0 a3=7ffff6e98400 items=0 ppid=2575 pid=2577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) Hash String generated from catchall,mount,mount_t,nfsd_fs_t,dir,write audit2allow suggests: #============= mount_t ============== #!!!! The source type 'mount_t' can write to a 'dir' of the following types: # var_run_t, user_home_t, mountpoint, etc_runtime_t, mount_var_run_t, mount_tmp_t, tmp_t, var_t, user_home_dir_t, etc_t, nfs_t, tmpfs_t allow mount_t nfsd_fs_t:dir write;
Fixed in selinux-policy-3.8.8-9.fc14.src.rpm
I just encoutered this bug with selinux-policy-targeted-3.9.5-10.fc14/selinux-policy-3.9.5-10.fc14.
Please attach the avc message. ausearch -m avc -ts recent
last 9 messages from "ausearch -m avc": time->Thu Oct 14 21:23:32 2010 type=SYSCALL msg=audit(1287084212.521:5): arch=40000003 syscall=33 success=yes exit=0 a0=265ba40 a1=2 a2=b96458 a3=265ba40 items=0 ppid=1418 pid=1433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1287084212.521:5): avc: denied { write } for pid=1433 comm="mount" name="named" dev=sdb2 ino=1575706 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir ---- time->Thu Oct 14 21:23:32 2010 type=SYSCALL msg=audit(1287084212.533:6): arch=40000003 syscall=33 success=yes exit=0 a0=1f8ca50 a1=2 a2=d93458 a3=1f8ca50 items=0 ppid=1418 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1287084212.533:6): avc: denied { write } for pid=1443 comm="mount" name="bind" dev=sdb2 ino=920909 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir ---- time->Thu Oct 14 21:23:32 2010 type=SYSCALL msg=audit(1287084212.636:7): arch=40000003 syscall=102 success=no exit=-97 a0=1 a1=b77d86b0 a2=b26258 a3=0 items=0 ppid=1452 pid=1454 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1287084212.636:7): avc: denied { module_request } for pid=1454 comm="named" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system ---- time->Thu Oct 14 21:23:32 2010 type=SYSCALL msg=audit(1287084212.911:8): arch=40000003 syscall=102 success=no exit=-97 a0=1 a1=bf978b90 a2=b46420 a3=0 items=0 ppid=1501 pid=1502 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null) type=AVC msg=audit(1287084212.911:8): avc: denied { module_request } for pid=1502 comm="rpc.statd" kmod="net-pf-10" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system ---- time->Thu Oct 14 21:23:36 2010 type=SYSCALL msg=audit(1287084216.558:14): arch=40000003 syscall=4 success=yes exit=2 a0=3 a1=2f6ba0 a2=2 a3=c3e150 items=0 ppid=1746 pid=1747 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.nfsd" exe="/usr/sbin/rpc.nfsd" subj=system_u:system_r:nfsd_t:s0 key=(null) type=AVC msg=audit(1287084216.558:14): avc: denied { module_request } for pid=1747 comm="rpc.nfsd" kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system ---- time->Thu Oct 14 21:23:36 2010 type=SYSCALL msg=audit(1287084216.731:15): arch=40000003 syscall=102 success=no exit=-97 a0=1 a1=bfdc8fb4 a2=80aff4 a3=a items=0 ppid=1813 pid=1820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1287084216.731:15): avc: denied { module_request } for pid=1820 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system ---- time->Thu Oct 14 21:23:37 2010 type=SYSCALL msg=audit(1287084217.115:16): arch=40000003 syscall=102 success=no exit=-97 a0=1 a1=bfb45a20 a2=629c0c a3=69d8a0 items=0 ppid=1853 pid=1854 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null) type=AVC msg=audit(1287084217.115:16): avc: denied { module_request } for pid=1854 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system ---- time->Thu Oct 14 21:23:37 2010 type=SYSCALL msg=audit(1287084217.258:17): arch=40000003 syscall=102 success=no exit=-97 a0=1 a1=bfffb750 a2=309c0c a3=37d8a0 items=0 ppid=1864 pid=1865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null) type=AVC msg=audit(1287084217.258:17): avc: denied { module_request } for pid=1865 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system ---- time->Thu Oct 14 21:23:36 2010 type=SYSCALL msg=audit(1287084216.518:13): arch=40000003 syscall=33 success=yes exit=0 a0=245ea28 a1=2 a2=7f3458 a3=245ea28 items=0 ppid=1737 pid=1739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1287084216.518:13): avc: denied { write } for pid=1739 comm="mount" name="/" dev=nfsd ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir Summary: SELinux is preventing /bin/mount "write" access on /proc/fs/nfsd. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by mount. It is not expected that this access is required by mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:mount_t:s0 Target Context system_u:object_r:nfsd_fs_t:s0 Target Objects /proc/fs/nfsd [ dir ] Source mount Source Path /bin/mount Port <Unknown> Host ws22.hanzlici.cz Source RPM Packages util-linux-ng-2.18-4.3.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-1.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name ws22.hanzlici.cz Platform Linux ws22.hanzlici.cz 2.6.35.6-39.fc14.i686.PAE #1 SMP Fri Oct 8 16:14:05 UTC 2010 i686 i686 Alert Count 5 First Seen Tue 14 Sep 2010 02:30:29 PM CEST Last Seen Thu 14 Oct 2010 09:23:36 PM CEST Local ID ad3b0399-7819-409a-9cd9-134ce9b03d64 Line Numbers Raw Audit Messages node=ws22.hanzlici.cz type=AVC msg=audit(1287084216.518:13): avc: denied { write } for pid=1739 comm="mount" name="/" dev=nfsd ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir node=ws22.hanzlici.cz type=SYSCALL msg=audit(1287084216.518:13): arch=40000003 syscall=33 success=yes exit=0 a0=245ea28 a1=2 a2=7f3458 a3=245ea28 items=0 ppid=1737 pid=1739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
Eric, do you think this is mount doing an access check on the directory before mounting it?
The AVC's about module_request is caused by you disabling ipv6, You can set the domain_kernel_load_modules boolean to on to remove these. Are you mounting a file system over bind and named directories?
Yes, it's plain for me that module_request denials are from disabled ipv6 (net-pf-10). But I didn't know how suppress them, thank for Your reccomendation. About mount "write" access - I'm not sure when I understand well. I've bind running chrooted : # mount|grep named /etc/named on /var/named/chroot/etc/named type none (rw,bind) /var/named on /var/named/chroot/var/named type none (rw,bind) /etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind) /etc/named.rfc1912.zones on /var/named/chroot/etc/named.rfc1912.zones type none (rw,bind) /etc/rndc.key on /var/named/chroot/etc/rndc.key type none (rw,bind) /usr/lib/bind on /var/named/chroot/usr/lib/bind type none (rw,bind) /etc/named.iscdlv.key on /var/named/chroot/etc/named.iscdlv.key type none (rw,bind) /etc/named.root.key on /var/named/chroot/etc/named.root.key type none (rw,bind) and /var (/var/named/...) is on root filesystem, and this root filesystem is exported by nfs - this is probably what you mean. This computer itself is mounting some other NFS filesystems (all to /mnt/xy/), but this probably doesn't matter.
Fixed in selinux-policy-3.9.7-2.fc14
selinux-policy-3.9.7-3.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-3.fc14
selinux-policy-3.9.7-3.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-3.fc14
selinux-policy-3.9.7-3.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.