Hello,

I'm trying to get SELinux running on my general home server. Up until now
following Gentoo's SELinux guide has been going pretty well, and what problems
I've had I've solved and filed patches for in Bugzilla, but now I've hit a
problem I can't find a solution for: it seems the NFS server is running as
the wrong type.

When I access the NFS /home shares from a client, the audit log fills up with
denials, about which audit2allow has the following to say:

#============= kernel_t ==============
allow kernel_t home_ssh_t:dir { read write getattr search };
allow kernel_t home_ssh_t:file getattr;
allow kernel_t httpd_user_content_t:lnk_file getattr;
allow kernel_t nfsd_t:tcp_socket read;
allow kernel_t screen_home_t:file getattr;
allow kernel_t user_home_dir_t:dir { read write getattr search };
allow kernel_t user_home_t:dir { read write getattr search add_name };
allow kernel_t user_home_t:file { write getattr create setattr };

Sure enough, the nfsd kernel thread is running as kernel_t:

# ps -A -o context,pid,user,command | grep [n]fs
system_u:system_r:kernel_t 556 root [nfsiod]
system_u:system_r:nfsd_t 28617 root /usr/sbin/rpc.mountd -p 2050
system_u:system_r:kernel_t 28622 root [nfsd]
system_u:system_r:kernel_t 28623 root [nfsd]

even though the binary that starts it is labeled as nfsd_exec_t, just like
rpc.mountd, which runs as the correct type:

# ls -Z --format=single-column /usr/sbin/rpc.*
system_u:object_r:nfsd_exec_t /usr/sbin/rpc.mountd
system_u:object_r:nfsd_exec_t /usr/sbin/rpc.nfsd

and there are standard rules in place which would allow these accesses if they
were done as nfsd_t:

# sesearch --allow -s nfsd_t -t user_home_t
Found 11 semantic av rules:
allow nfsd_t file_type : filesystem getattr ;
allow nfsd_t file_type : dir { ioctl read getattr lock search open } ;
allow nfsd_t file_type : sock_file getattr ;
allow nfsd_t file_type : fifo_file getattr ;
allow nfsd_t user_home_t : file { ioctl read getattr lock open } ;
allow nfsd_t user_home_t : file { ioctl read write create getattr
setattr lock append unlink link rename open } ;
allow nfsd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow nfsd_t user_home_t : dir { ioctl read write create getattr setattr
lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow nfsd_t user_home_t : lnk_file { read create getattr setattr unlink
link rename } ;
allow nfsd_t user_home_t : sock_file { ioctl read write create getattr
setattr lock append unlink link rename open } ;
allow nfsd_t user_home_t : fifo_file { ioctl read write create getattr
setattr lock append unlink link rename open } ;

Is there a way to get the kernel nfsd thread to run as nfsd_t instead of
kernel_t?

-- 
Karl-Johan Karlsson