801085 – Unable to unmount an exported path which is a symlink using NFSv4

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 801085 - Unable to unmount an exported path which is a symlink using NFSv4

Summary: Unable to unmount an exported path which is a symlink using NFSv4

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	nfs-utils
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Dickson
QA Contact:	yanfu,wang
Docs Contact:
URL:
Whiteboard:	Regression
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-07 16:19 UTC by Dave Wysochanski
Modified:	2018-11-28 21:14 UTC (History)
CC List:	5 users (show)
Fixed In Version:	nfs-utils-1.2.3-22.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-20 15:08:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
/var/log/audit/audit.log for checking failed mount symbolic link exports (56.72 KB, application/octet-stream) 2012-05-07 06:34 UTC, yanfu,wang	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	72203	0	None	None	None	Never
Red Hat Product Errata	RHBA-2012:0964	0	normal	SHIPPED_LIVE	nfs-utils bug fix update	2012-06-19 21:12:07 UTC

Description Dave Wysochanski 2012-03-07 16:19:22 UTC

Description of problem:
This is a regression - unable to umount a exported path which is a symlink.

Full description is in published article and below in reproduction steps:
https://access.redhat.com/knowledge/solutions/72203

Version-Release number of selected component (if applicable):
nfs-utils-1.2.3-15.el6.x86_64

Downgrading to nfs-utils-1.2.3-7.el6.x86_64 resolves the issue.

How reproducible:
Every time.

Steps to Reproduce:
NFS Server

# mkdir /export
# mkdir /export/foodir
# ln -s /export/foodir /export/foosymlink
# echo '/export *(ro)' > /etc/exports
# cat /etc/exports 
/export         *(ro)
    NFS CLIENT

    # mount -t nfs4 -v rhel6-nfs-server:/export/foosymlink/ /mnt/nfs         
    mount.nfs4: timeout set for Thu Feb 23 16:28:51 2012
    mount.nfs4: trying text-based options 'addr=192.168.122.121,clientaddr=192.168.122.120'
    rhel6-nfs-server:/export/foosymlink on /mnt/nfs type nfs4 (rw)

    # fgrep /export /etc/mtab /proc/mounts    
    /etc/mtab:rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4         rw,addr=192.168.122.121,clientaddr=192.168.122.120 0 0
    /proc/mounts:rhel6-nfs-server:/export/foodir /mnt/nfs nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.120,minorversion=0,local_lock=none,addr=192.168.122.121 0 0

    # umount -v /mnt/nfs                   
    /mnt/nfs was not found in /proc/mounts
    /mnt/nfs was not found in /proc/mounts
    # 
    # fgrep /export /etc/mtab /proc/mounts    
    /etc/mtab:rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4         rw,addr=192.168.122.121,clientaddr=192.168.122.120 0 0
    /proc/mounts:rhel6-nfs-server:/export/foodir /mnt/nfs nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.120,minorversion=0,local_lock=none,addr=192.168.122.121 0 0

    # umount.nfs /mnt/nfs/ -v     <===== This is the only way that works 
    Could not find /mnt/nfs/ in mtab
    /mnt/nfs/ umounted
    # fgrep /export /etc/mtab /proc/mounts    
    /etc/mtab:rhel6-nfs-server:/export/foosymlink /mnt/nfs nfs4 rw,addr=192.168.122.121,clientaddr=192.168.122.120 0 0 <====mount         is gone, but still in /etc/mtab
    # df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root
                          6.5G  5.5G  642M  90% /
    tmpfs                 246M     0  246M   0% /dev/shm
    /dev/vda1             485M  110M  351M  24% /boot
    rhel6-nfs-server:/export/foosymlink
                          6.5G  5.5G  642M  90% /mnt/nfs <====  after unmounting, still its there.
  
Actual results:
umount fails to unmount the volume

Expected results:
umount succeeding

Additional info:
I've narrowed the problem to nfs-utils somewhere between -7 and -12.  Confirmed downgrade to -7 fixes the problem.  Kernel doesn't have anything to do with it - strictly a nfs-utils bug.

This should be fairly straightforward to track down.

* Mon Sep 19 2011 Steve Dickson <steved> 1.2.3-12
- Removed the stripping of debugging information from rpcdebug (bz 729001)

* Fri Sep 16 2011 Steve Dickson <steved> 1.2.3-11
- mount.nfs: Fixed problem in mount error verbosity patch (bz 731693)

* Thu Sep 15 2011 Steve Dickson <steved> 1.2.3-10
- mount.nfs: add error verbosity to invalid versions (bz 731693)

* Tue Sep 13 2011 Steve Dickson <steved> 1.2.3-9
- umount.nfs: Got IPV6 unmounts working again (bz 732673)
- mountd: return multiple hosts exporting the same directory (bz 726112)
- mount: Better error message for invalid version (bz 723780)

* Thu Aug 11 2011 Steve Dickson <steved> 1.2.3-8
- initscripts: just try to mount rpc_pipefs always (bz 692702)
- Rely on crypto module autoloading in init scripts
- svcgssd: Document "-n" for svcgssd (bz 697359)
- mount.nfs: anticipate RLIMIT_FSIZE (bz 697981)
- exportfs manpage: Ipv6 update (bz 715078)
- mountd: Stop segfault in mtab code (bz 723438)
- exportfs: wilcards in exports can lead to unintended mounts (bz 715391)
- umount: allow spaces in unmount paths (bz 702273)
- specfile: reordered how libgssglue is linked in (bz 720479)

Comment 5 yanfu,wang 2012-05-07 06:31:22 UTC

The avc snippet log:
type=AVC msg=audit(1336372101.713:216): avc:  denied  { getattr } for  pid=7731 comm="rpc.mountd" path="/export/foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1336372101.713:216): arch=c000003e syscall=6 success=no exit=-13 a0=7fffbebc8c10 a1=7fffbebc8a10 a2=7fffbebc8a10 a3=ffffffffffffffa8 items=0 ppid=1 pid=7731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1336372101.714:217): avc:  denied  { read } for  pid=7731 comm="rpc.mountd" name="foosymlink" dev=dm-0 ino=2228227 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1336372101.714:217): arch=c000003e syscall=4 success=no exit=-13 a0=7f4d4c727bd0 a1=7fffbebc8b80 a2=7fffbebc8b80 a3=4000 items=0 ppid=1 pid=7731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd" subj=unconfined_u:system_r:nfsd_t:s0 key=(null)

Comment 6 yanfu,wang 2012-05-07 06:34:08 UTC

Created attachment 582536 [details]
/var/log/audit/audit.log for checking failed mount symbolic link exports

Comment 7 yanfu,wang 2012-05-07 06:44:59 UTC

(I added Daniel Walsh to CC list) 
hi Dan,
Could you help to look at comment #4 too?
when I tested using NFSv3 and NFSv2, mount.nfs got access denied with
symlink exports:
[root@sgi-xe320-01 ~]# mount -t nfs -o vers=3 localhost:/export/foosymlink/
/mnt
mount.nfs: access denied by server while mounting localhost:/export/foosymlink/

Mouting without symlink is ok:
[root@sgi-xe320-01 ~]# mount -t nfs -o vers=3 localhost:/export/ /mnt

Turn off selinux is ok too:
[root@sgi-xe320-01 ~]# setenforce 0
[root@sgi-xe320-01 ~]# mount -t nfs localhost:/export/foosymlink/ /mnt; echo $?
0

[root@sgi-xe320-01 ~]# ls -lZ /export/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 foodir
lrwxrwxrwx. root root unconfined_u:object_r:default_t:s0 foosymlink -> /export/foodir

And the /var/log/audit/audit.log pls check above comments, thanks.

Comment 8 Daniel Walsh 2012-05-07 14:12:14 UTC

chcon -t usr_t -r /export

Should fix.

Miroslav lets make the label of /export be usr_t.

Comment 9 yanfu,wang 2012-05-08 08:25:21 UTC

(In reply to comment #8)
> chcon -t usr_t -r /export
hi Daniel,
What's role followed by '-r'?
I run below and still got access denied:
# chcon -Rt usr_t /export/
# ls -lZ /export/
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   foodir
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0   foosymlink -> /export/foodir
# mount -t nfs -o vers=3 localhost:/export/soft/ /mnt
mount.nfs: access denied by server while mounting localhost:/export/soft/

> 
> Should fix.
> 
> Miroslav lets make the label of /export be usr_t.
Could I confirm the above meaning?
If /export dir security context type should be usr_t when I create /export dir as export path?

Last question, is it selinux-policy component bug? If so, I will file a separate bug and stop discuss in this bug, thanks.

Comment 10 Daniel Walsh 2012-05-08 15:21:44 UTC

yanfu, yes -r just says recursive.  


If the mount command failed again what AVC did you see?

I believe this is an SELinux bug in that we should have labels for /export directory.

Comment 11 yanfu,wang 2012-05-09 03:11:32 UTC

(In reply to comment #10)
> yanfu, yes -r just says recursive.  
> 
> 
> If the mount command failed again what AVC did you see?
> 
> I believe this is an SELinux bug in that we should have labels for /export
> directory.

hi Daniel,
Thank you for your confirm.
I filed the SELinux bug https://bugzilla.redhat.com/show_bug.cgi?id=820057 to track on there. Since it's not related to this bug, so I will change the bug to VERIFIED.

Comment 12 errata-xmlrpc 2012-06-20 15:08:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0964.html

Note You need to log in before you can comment on or make changes to this bug.