Bug 118946 - NFSD won't serve files
Summary: NFSD won't serve files
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-03-23 01:22 UTC by G.Wolfe Woodbury
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-06 23:52:08 UTC
Type: ---
Embargoed:



Description G.Wolfe Woodbury 2004-03-23 01:22:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114

Description of problem:
With SELinux enabled, nfsd won't read the partition being served and
also refuses connections.  /var/log/messages reports lots of AVCs for
no read for nfsd.

Version-Release number of selected component (if applicable):
2.1.253.1

How reproducible:
Always

Steps to Reproduce:
1. Install from development
2. export a filesystem (e.g. /srv)
3. attempt to connect
    

Actual Results:  AVCs for ( read ) for nfsd processes  and client
reports permission denied

Expected Results:  normal file serving

Additional info:

I have a /srv partition with the development tree mirrored and selinux
default permissions under 1.9 policy won't allow normal user access or
nfsd access.  This may be the same cause as other bugs I've reported.

Comment 1 Daniel Walsh 2004-03-23 10:55:42 UTC
Could you include the avc messages?

Comment 2 G.Wolfe Woodbury 2004-03-23 13:13:11 UTC
The avc messages are 14 MB at the moment,
they are at:

http://wolves.homeip.net/~ggw/texts/nfsd.avc



Comment 3 Daniel Walsh 2004-03-25 02:28:23 UTC
Fixed in policy-1.9-15

Comment 4 G.Wolfe Woodbury 2004-03-27 08:37:25 UTC
Under policy 1.9-15 I get "permission denied" from the mounting
machine no matter what sort of shenanigans I play with the firewall
and permissions.

/etc/exports:
/srv                  10.11.12.0/255.255.255.0(rw,sync,no_root_squash)
/home/Fedora          10.11.12.0/255.255.255.0(rw,sync)

avc's when starting NFSd:
Mar 27 03:31:38 tembo kernel: audit(1080376298.281:0): avc:  denied  {
getattr } for  pid=2299 exe=/usr/sbin/exportfs path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:31:38 tembo kernel: audit(1080376298.283:0): avc:  denied  {
getattr } for  pid=2299 exe=/usr/sbin/exportfs path=/home dev=hda6
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Mar 27 03:31:38 tembo nfs: Starting NFS services:  succeeded
Mar 27 03:31:38 tembo nfs: rpc.rquotad startup succeeded
Mar 27 03:31:38 tembo kernel: Installing knfsd (copyright (C) 1996
okir.de).
Mar 27 03:31:39 tembo kernel: SELinux: initialized (dev , type nfsd),
uses genfs_contexts
Mar 27 03:31:39 tembo nfs: rpc.nfsd startup succeeded
Mar 27 03:31:39 tembo kernel: audit(1080376299.212:0): avc:  denied  {
getattr } for  pid=2323 exe=/usr/sbin/rpc.mountd path=/home dev=hda6
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Mar 27 03:31:39 tembo kernel: audit(1080376299.214:0): avc:  denied  {
getattr } for  pid=2323 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:31:39 tembo nfs: rpc.mountd startup succeeded
Mar 27 03:32:19 tembo kernel: audit(1080376339.645:0): avc:  denied  {
getattr } for  pid=2324 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:32:19 tembo rpc.mountd: authenticated mount request from
wolves.private:822 for /srv (/srv)
Mar 27 03:32:19 tembo kernel: audit(1080376339.767:0): avc:  denied  {
getattr } for  pid=2324 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:32:19 tembo rpc.mountd: can't stat exported dir /srv:
Permission denied

ls -Z for /srv:
drwxrwsrwx  ggw      ggw      system_u:object_r:default_t      srv

ls -Z for /usr/sbin/rpc.nfsd
-rwxr-xr-x+ root     root     system_u:object_r:nfsd_exec_t 
                                                   /usr/sbin/rpc.nfsd
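
Added example, not part of the original bug report or of the SELinux policy project: a small Python triage script that re-joins wrapped AVC records like the ones in comment 4 and groups the denials by source type, target type and object class. The function names (unwrap, summarize) are hypothetical; the sample lines are copied from comment 4 with their wrapping kept.

```python
import re
from collections import defaultdict

# Lines copied from comment 4; the wrapping is kept so the parser must undo it.
SAMPLE = """\
Mar 27 03:31:38 tembo kernel: audit(1080376298.281:0): avc:  denied  {
getattr } for  pid=2299 exe=/usr/sbin/exportfs path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
Mar 27 03:31:38 tembo nfs: Starting NFS services:  succeeded
Mar 27 03:31:39 tembo kernel: audit(1080376299.212:0): avc:  denied  {
getattr } for  pid=2323 exe=/usr/sbin/rpc.mountd path=/home dev=hda6
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Mar 27 03:32:19 tembo kernel: audit(1080376339.645:0): avc:  denied  {
getattr } for  pid=2324 exe=/usr/sbin/rpc.mountd path=/srv dev=hdb3
ino=2 scontext=root:system_r:nfsd_t
tcontext=system_u:object_r:default_t tclass=dir
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def unwrap(text):
    """Re-join records that a mail client or web form wrapped across lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())      # a timestamp starts a new record
        elif line.strip():
            records[-1] += " " + line.strip() # continuation of the previous one
    return records

def summarize(text):
    """Map (source type, target type, class) -> perms, paths and denial count."""
    out = defaultdict(lambda: {"perms": set(), "paths": set(), "count": 0})
    for m in filter(None, map(AVC.search, unwrap(text))):  # skip non-AVC lines
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        src, tgt = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))
        key = (src, tgt, fields["tclass"])
        out[key]["perms"].update(m.group(1).split())
        out[key]["paths"].add(fields.get("path", "?"))
        out[key]["count"] += 1
    return dict(out)

if __name__ == "__main__":
    for (src, tgt, cls), d in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(d['perms']))} }} "
              f"x{d['count']} paths={sorted(d['paths'])}")
```

Run over the full log, this collapses the repeated denials into the two distinct cases visible in the comment: nfsd_t denied getattr on a default_t directory (/srv) and on a home_root_t directory (/home).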


Comment 5 G.Wolfe Woodbury 2004-04-06 23:52:08 UTC
As of policy 1.9.2-12 in enforcing mode, NFS mount from another
machine works as specified.

