Description of problem:
Running the test /CoreOS/quota/Regression/bz515697-too-many-mountpoints we are sometimes getting avc denials for rpc.mountd - not sure if this is problem of selinux policy or nfs-utils itself.

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-8.el6.i686
selinux-policy-3.7.19-110.el6.noarch

How reproducible:
sometimes

Steps to Reproduce:
1. schedule the test /CoreOS/quota/Regression/bz515697-too-many-mountpoints in Beaker

Actual results:
time->Tue Sep 13 08:37:47 2011
type=SYSCALL msg=audit(1315917467.083:297024): arch=c000003e syscall=16 success=no exit=-25 a0=16 a1=5331 a2=0 a3=7fff1000ce40 items=0 ppid=1 pid=5517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1315917467.083:297024): avc: denied { sys_rawio } for pid=5517 comm="rpc.mountd" capability=17 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:system_r:nfsd_t:s0 tclass=capability

Fail: AVC messages found.

Expected results:
no denials

Additional info:
see
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1310/131079/271491/2972907/15668739//test_log-Setup-avc.log
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1310/131079/271491/2972907/15668739//test_log-Setup-avc.log
um, the second link to logs should have been: http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/09/1307/130760/270731/2966102/15611310//test_log-Setup-avc.log
This appears to be an selinux policy problem... Reassigning
Steve are you saying that nfsd needs sys_rawio?

/* Allow ioperm/iopl access */
/* Allow sending USB messages to any device via /proc/bus/usb */

#define CAP_SYS_RAWIO 17
I'm having a hard time tracking down what ioctl 0x5331 is, which apparently the rpc code called to trigger this.
Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
(In reply to comment #4)
> Steve are you saying that nfsd needs sys_rawio?
>
> /* Allow ioperm/iopl access */
> /* Allow sending USB messages to any device via /proc/bus/usb */
>
> #define CAP_SYS_RAWIO 17

It's not clear what is going on... mountd does access things under /proc/net/rpc and /proc/fs/ and /var/lib/nfs/ for upcalls from the kernel, but other than that I can not see why sys_rawio would be needed...
I guess we can add a dontaudit rule.
fs_getattr_all_fs(rpcd_t) is needed. Milos, were you testing it with disabled unconfined module?
No, unconfined module was enabled at that time.
I am seeing similar getattr and read AVCs for rpc.mountd. I also see a mountd one with tclass=dir.
Scott attach your AVC's so we can make sure you are seeing the same problem.
Here you go:

----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.811:216018): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4243 a2=7fffd750ba50 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.811:216018): avc: denied { getattr } for pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.812:216019): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8ac000 a1=90800 a2=7fffd750bb30 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.812:216019): avc: denied { read } for pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.874:216020): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4ae3 a2=7fffd750a380 a3=0 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216020): avc: denied { getattr } for pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Tue Feb 28 23:35:54 2012
type=SYSCALL msg=audit(1330490154.874:216021): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8a4030 a1=90800 a2=7fffd750a460 a3=13 items=0 ppid=1 pid=24782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216021): avc: denied { read } for pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Let me know if you need anything else.
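The records in the description and in the comment above are the raw material a policy maintainer has to read by hand: a SYSCALL line and an AVC line share a serial number, and the useful facts (which permission on which class, source and target types, the syscall and its errno, the ioctl request number in a1 for syscall 16) are spread across both. The following is an added example, not code from this bug or from nfs-utils or selinux-policy. It pairs the two record types by serial, decodes the handful of x86_64 syscall numbers, errno values and capability numbers that appear in this thread (the tables are deliberately limited to those), and emits one candidate TE line per distinct (source, target, class, permission) for review, the same shape audit2allow produces. Whether a candidate becomes an allow rule, a dontaudit rule, or a fix in the daemon is the reviewer's decision, as the comments in this bug show. The sample input reuses the audit records posted above, with the SYSCALL lines trimmed to the fields the parser reads.

```python
import re
from collections import OrderedDict

# Audit records posted in this bug (SYSCALL lines abbreviated to the fields used here).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1315917467.083:297024): arch=c000003e syscall=16 success=no exit=-25 a0=16 a1=5331 a2=0 a3=7fff1000ce40 pid=5517 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1315917467.083:297024): avc: denied { sys_rawio } for pid=5517 comm="rpc.mountd" capability=17 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:system_r:nfsd_t:s0 tclass=capability
type=SYSCALL msg=audit(1330490154.811:216018): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4243 pid=24782 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.811:216018): avc: denied { getattr } for pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1330490154.812:216019): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8ac000 a1=90800 pid=24782 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.812:216019): avc: denied { read } for pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1330490154.874:216020): arch=c000003e syscall=262 success=no exit=-13 a0=16 a1=7fd13d8a4ae3 pid=24782 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216020): avc: denied { getattr } for pid=24782 comm="rpc.mountd" path="/sbin/MAKEDEV" dev=dm-0 ino=133719 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1330490154.874:216021): arch=c000003e syscall=2 success=no exit=-13 a0=7fd13d8a4030 a1=90800 pid=24782 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1330490154.874:216021): avc: denied { read } for pid=24782 comm="rpc.mountd" name="/" dev=tmpfs ino=5315 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

# Lookup tables restricted to the values seen in this bug (arch=c000003e is x86_64).
X86_64_SYSCALLS = {2: "open", 16: "ioctl", 262: "newfstatat"}
ERRNO = {13: "EACCES", 25: "ENOTTY"}
CAPABILITIES = {17: "CAP_SYS_RAWIO"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and serial
PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')  # "{ getattr }" -> ["getattr"]


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus _serial/_perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = float(m.group(1)), m.group(2)
    p = PERMS_RE.search(line)
    if p:
        rec["_perms"] = p.group(1).split()
    return rec


def group_by_serial(text):
    """Group SYSCALL and AVC records that belong to the same audit event."""
    events = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("type="):
            continue  # skip "time->" and "----" separator lines from ausearch output
        rec = parse_record(line)
        events.setdefault(rec["_serial"], {})[rec["type"]] = rec
    return events


def summarize(text):
    """One dict per denial, joining the AVC fields with the matching SYSCALL fields."""
    out = []
    for serial, recs in group_by_serial(text).items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        exit_code = int(sc["exit"]) if "exit" in sc else None
        if avc["tclass"] == "capability":
            target = CAPABILITIES.get(int(avc["capability"]), "capability=" + avc["capability"])
        else:
            target = avc.get("path") or avc.get("name") or "?"
        out.append({
            "serial": serial,
            "comm": avc["comm"],
            "perms": avc["_perms"],
            "tclass": avc["tclass"],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "target": target,
            "syscall": X86_64_SYSCALLS.get(nr, str(nr)),
            "errno": ERRNO.get(-exit_code, str(exit_code)) if exit_code is not None else None,
            # for ioctl(2) the request number is the second argument (a1), in hex
            "ioctl_request": sc.get("a1") if nr == 16 else None,
        })
    return out


def candidate_rules(summary):
    """Distinct TE lines for a policy reviewer; allow vs. dontaudit is their call."""
    rules, seen = [], set()
    for d in summary:
        tgt = "self" if d["target_type"] == d["source_type"] else d["target_type"]
        for perm in d["perms"]:
            key = (d["source_type"], tgt, d["tclass"], perm)
            if key not in seen:
                seen.add(key)
                rules.append("allow %s %s:%s %s;" % key)
    return rules


if __name__ == "__main__":
    for d in summarize(SAMPLE_AUDIT):
        print("%s %s %s on %s:%s (%s) via %s -> %s ioctl=%s" % (
            d["serial"], d["comm"], "+".join(d["perms"]), d["target_type"],
            d["tclass"], d["target"], d["syscall"], d["errno"], d["ioctl_request"]))
    print("\n".join(candidate_rules(summarize(SAMPLE_AUDIT))))
```

Run against the records above it reduces the five events to three distinct candidates (nfsd_t on self:capability sys_rawio, on bin_t:file getattr, on tmpfs_t:dir read), and shows that the sys_rawio event came from an ioctl that failed with ENOTTY, i.e. the capability check was hit even though the request itself was not supported on that descriptor, which is why a dontaudit rather than an allow is the likely answer for that one.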
Well those are allowed in Fedora.
This was from a 6.3 test build. Should they be allowed there or is there some other configuration I could use to avoid this? Or is there a fix already that should make it into the 6.3 release? Thanks
*** Bug 798764 has been marked as a duplicate of this bug. ***
This relates with removing nfs_exports_all_* booleans. These booleans have been removed because of #760405 bug.

nfs_export_all_ro
...
...
auth_read_all_dirs_except_shadow(nfsd_t)
auth_read_all_files_except_shadow(nfsd_t)

Looks like we will need to add files_list_all_mountpoints(nfsd_t)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html