| 1 |
On Mon, 2008-02-25 at 17:17 +0100, xake@×××××××××.net wrote: |
| 2 |
> > |
| 3 |
> > I changed the context to public_content_t (chcon -R -t |
| 4 |
> > public_content_t /data/library) and restarted ths services. Still |
| 5 |
> > getting denied. |
| 6 |
> > |
| 7 |
> > Is there another context I could try? |
| 8 |
> |
| 9 |
> There are other contexts, but if this did not work, then I do not think |
| 10 |
> they will do better. |
| 11 |
|
| 12 |
If the exported content is specific to nfs, and not used by other |
| 13 |
daemons on the server (eg samba) then the best choice would be either |
| 14 |
nfsd_ro_t or nfsd_rw_t. Unfortunately that doesn't do anything for this |
| 15 |
problem: |
| 16 |
|
| 17 |
> > I noticed there are two denies: |
| 18 |
> > |
| 19 |
> > audit(1203946085.696:201): avc: denied { getattr } for pid=10453 |
| 20 |
> > comm="rpc.mountd" path="/dev/sda2" dev=tmpfs ino=3372 |
| 21 |
> > scontext=user_u:system_r:nfsd_t |
| 22 |
> > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file |
| 23 |
> > |
| 24 |
> > audit(1203946085.696:202): avc: denied { read } for pid=10453 |
| 25 |
> > comm="rpc.mountd" name="sdb1" dev=tmpfs ino=2553 |
| 26 |
> > scontext=user_u:system_r:nfsd_t |
| 27 |
> > tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file |
| 28 |
> > |
| 29 |
> > sda2 is my swap partiton and as I mentioned before /dev/sdb1 is the |
| 30 |
> > the /data partition on the server. Odd problem. |
| 31 |
> > |
| 32 |
> |
| 33 |
> As I can see the strange thing is that rpc.mountd tries to access |
| 34 |
> /dev/sd{a2,b1} on your system. I can not really see why it tries that. |
| 35 |
|
| 36 |
Agreed. There is no reason that I know of that mountd should need raw |
| 37 |
disk access. I glanced through the mountd code and I think it may be |
| 38 |
related to uuid/libblkid support, but I would need to investigate |
| 39 |
further. |
| 40 |
|
| 41 |
The reason you got an assertion violation when you tried your local |
| 42 |
config is because we add an extra protection in the policy since this is |
| 43 |
a dangerous access to allow. You can allow this by using |
| 44 |
storage_raw_read_fixed_disk(nfsd_t) to get your system going. Though |
| 45 |
I'm still interesting in finding out whats happening, especially since |
| 46 |
the fedora policy dontaudits this access. |
| 47 |
|
| 48 |
-- |
| 49 |
Chris PeBenito |
| 50 |
<pebenito@g.o> |
| 51 |
Developer, |
| 52 |
Hardened Gentoo Linux |
| 53 |
|
| 54 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 55 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives