Gentoo Archives: gentoo-hardened

From: Loren Bandiera <lorenb@××××××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux and NFS
Date: Mon, 25 Feb 2008 16:25:12
Message-Id: 1203956710.19160.4.camel@war.lorenb.net
In Reply to: Re: [gentoo-hardened] SELinux and NFS by xake@rymdraket.net
On Mon, 2008-02-25 at 17:17 +0100, xake@×××××××××.net wrote:
> As I can see the strange thing is that rpc.mountd tries to access
> /dev/sd{a2,b1} on your system. I can not really see why it tries
> that.
> You can remove the ending "0 0" in your /etc/fstab for the nfs-shares,
> but I do not see how that would change things.

I'll try that later on.

> Just to clear out some things:
> Are you able to mount the shares on the client?
> Does it work and what messages do you get in dmesg if you connect with
> SELinux in non-enforce mode?

I am able to mount/use the shares on the client if SELinux is disabled
or in permissive mode.

In permissive mode, I get the following messages on the server's dmesg
when I try to access the mount from a client:

audit(1203952206.545:207): avc: denied { getattr } for pid=10453
comm="rpc.mountd" path="/dev/sda2" dev=tmpfs ino=3372
scontext=user_u:system_r:nfsd_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

audit(1203952206.545:208): avc: denied { read } for pid=10453
comm="rpc.mountd" name="sdb1" dev=tmpfs ino=2553
scontext=user_u:system_r:nfsd_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

audit(1203956454.493:209): avc: denied { getattr } for pid=10453
comm="rpc.mountd" path="/dev/sda2" dev=tmpfs ino=3372
scontext=user_u:system_r:nfsd_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

audit(1203956454.493:210): avc: denied { read } for pid=10453
comm="rpc.mountd" name="sdb1" dev=tmpfs ino=2553
scontext=user_u:system_r:nfsd_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

--
Loren Bandiera <lorenb@××××××××××××××.com>
LB Technology Services, Inc.
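As an added example (not from the thread), a small Python triage script that parses AVC denials of the form quoted above, re-joins records the mail client wrapped over several lines, and tallies them by source domain, target type, object class and permission; the sample input is constructed from the mail's own lines.

```python
import re
from collections import Counter

# Constructed sample: two AVC denials from the mail above, in the wrapped form they were pasted in.
SAMPLE_AVC = """\
audit(1203952206.545:207): avc: denied { getattr } for pid=10453
comm="rpc.mountd" path="/dev/sda2" dev=tmpfs ino=3372
scontext=user_u:system_r:nfsd_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1203952206.545:208): avc: denied { read } for pid=10453
comm="rpc.mountd" name="sdb1" dev=tmpfs ino=2553
scontext=user_u:system_r:nfsd_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
"""
AVC_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
                    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_wrapped(text):
    """Re-join records that a mail client wrapped over several lines."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(text):
    """Parse AVC denial records into dicts; lines that are not AVC denials are skipped."""
    out = []
    for rec in join_wrapped(text):
        m = AVC_RE.match(rec)
        if not m:
            continue
        d = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
             "perms": tuple(m.group("perms").split())}
        for key, val in KV_RE.findall(m.group("fields")):
            d[key] = val.strip('"')
        out.append(d)
    return out

def summarize(records):
    """Count denials by (source domain, target type, class, permission): what to judge before any allow rule."""
    counts = Counter()
    for r in records:
        sdom, ttype = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
        for perm in r["perms"]:
            counts[(sdom, ttype, r["tclass"], perm)] += 1
    return counts
```

For the quoted denials the summary collapses to nfsd_t wanting getattr and read on fixed_disk_device_t blk_file objects; a read allow on that type is raw block-device access for the NFS daemon, so it warrants scrutiny rather than an automatic allow rule.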


--
gentoo-hardened@l.g.o mailing list