On Mon, 2008-02-25 at 17:17 +0100, xake@×××××××××.net wrote:
> >
> > I changed the context to public_content_t (chcon -R -t
> > public_content_t /data/library) and restarted the services. Still
> > getting denied.
> >
> > Is there another context I could try?
>
> There are other contexts, but if this did not work, then I do not think
> they will do better.

If the exported content is specific to nfs, and not used by other
daemons on the server (e.g. samba) then the best choice would be either
nfsd_ro_t or nfsd_rw_t. Unfortunately that doesn't do anything for this
problem:

> > I noticed there are two denies:
> >
> > audit(1203946085.696:201): avc: denied { getattr } for pid=10453
> > comm="rpc.mountd" path="/dev/sda2" dev=tmpfs ino=3372
> > scontext=user_u:system_r:nfsd_t
> > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> >
> > audit(1203946085.696:202): avc: denied { read } for pid=10453
> > comm="rpc.mountd" name="sdb1" dev=tmpfs ino=2553
> > scontext=user_u:system_r:nfsd_t
> > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> >
> > sda2 is my swap partition and as I mentioned before /dev/sdb1 is the
> > /data partition on the server. Odd problem.
> >
>
> As I can see the strange thing is that rpc.mountd tries to access
> /dev/sd{a2,b1} on your system. I can not really see why it tries that.

Agreed. There is no reason that I know of that mountd should need raw
disk access. I glanced through the mountd code and I think it may be
related to uuid/libblkid support, but I would need to investigate
further.

The reason you got an assertion violation when you tried your local
config is because we add an extra protection in the policy since this is
a dangerous access to allow. You can allow this by using
storage_raw_read_fixed_disk(nfsd_t) to get your system going. Though
I'm still interested in finding out what's happening, especially since
the fedora policy dontaudits this access.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
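The following is an added worked example, not code from this thread or from the refpolicy project. It takes the two AVC denials quoted above (embedded here as constructed sample input), reduces them to the single raw `allow` rule they imply, and then, instead of emitting that raw rule (which is exactly what tripped the policy assertion the reply describes), emits a small local policy module that calls the `storage_raw_read_fixed_disk` interface named in the reply. The module name `localnfsd`, the `INTERFACE_FOR` lookup table, and the `gen_require` block are assumptions of this example; only the interface name and the type names come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the thread,
# re-joined onto one line each as they appear in a real audit log.
SAMPLE_AVC = """\
audit(1203946085.696:201): avc: denied { getattr } for pid=10453 comm="rpc.mountd" path="/dev/sda2" dev=tmpfs ino=3372 scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1203946085.696:202): avc: denied { read } for pid=10453 comm="rpc.mountd" name="sdb1" dev=tmpfs ino=2553 scontext=user_u:system_r:nfsd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
"""

# Pull out the permission set, the source/target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

# Hypothetical mapping from (target type, class) to the refpolicy interface that
# grants the access. Only the entry for fixed disks is taken from the thread.
INTERFACE_FOR = {
    ("fixed_disk_device_t", "blk_file"): "storage_raw_read_fixed_disk",
}


def parse_avc(text):
    """Return one dict per AVC denial: source type, target type, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC line; ignore
        denials.append({
            # a context is user:role:type[:level]; the type is the third field
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def aggregate(denials):
    """Collapse denials into {(stype, ttype, tclass): set of permissions}."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(agg)


def raw_allow_rules(agg):
    """The literal allow rules implied by the denials (what audit2allow would print)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(agg.items())
    ]


def local_module(agg, name="localnfsd"):
    """Emit a refpolicy-style .te file, preferring interfaces over raw rules.

    A raw rule against fixed_disk_device_t is blocked by a policy assertion, so
    where an interface is known we call it; otherwise the raw rule is left as a
    commented-out reminder for a human to review.
    """
    lines = [f"policy_module({name}, 1.0)", "", "gen_require(`"]
    for s in sorted({s for s, _, _ in agg}):
        lines.append(f"\ttype {s};")
    lines += ["')", ""]
    for (s, t, c), perms in sorted(agg.items()):
        iface = INTERFACE_FOR.get((t, c))
        if iface:
            lines.append(f"{iface}({s})")
        else:
            lines.append(f"# no interface known for {t}:{c}; review before allowing:")
            lines.append(f"# allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    agg = aggregate(parse_avc(SAMPLE_AVC))
    print("# raw rules implied by the denials:")
    for rule in raw_allow_rules(agg):
        print("# " + rule)
    print(local_module(agg))
```

Running the script prints the combined raw rule `allow nfsd_t fixed_disk_device_t:blk_file { getattr read };` as a comment and then the module body with `storage_raw_read_fixed_disk(nfsd_t)`. Assuming a standard refpolicy header install, the generated file would be built and loaded with something like `make -f /usr/share/selinux/strict/include/Makefile localnfsd.pp && semodule -i localnfsd.pp` (the header path is an assumption; adjust for the policy type in use). `audit2allow -R` performs a similar interface lookup against the installed headers.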