| 1 |
Hello, |
| 2 |
|
| 3 |
I'm trying to get SELinux running on my general home server. Up until now |
| 4 |
following Gentoo's SELinux guide been going pretty well, and what problems |
| 5 |
I've had I've solved and filed patches for in Bugzilla, but now I've hit a |
| 6 |
problem I can't find a solution for: it seems the NFS server is running as |
| 7 |
the wrong type. |
| 8 |
|
| 9 |
When I access the NFS /home shares from a client, the audit log fills up with |
| 10 |
denials, about which audit2allow has the following to say: |
| 11 |
|
| 12 |
#============= kernel_t ============== |
| 13 |
allow kernel_t home_ssh_t:dir { read write getattr search }; |
| 14 |
allow kernel_t home_ssh_t:file getattr; |
| 15 |
allow kernel_t httpd_user_content_t:lnk_file getattr; |
| 16 |
allow kernel_t nfsd_t:tcp_socket read; |
| 17 |
allow kernel_t screen_home_t:file getattr; |
| 18 |
allow kernel_t user_home_dir_t:dir { read write getattr search }; |
| 19 |
allow kernel_t user_home_t:dir { read write getattr search add_name }; |
| 20 |
allow kernel_t user_home_t:file { write getattr create setattr }; |
| 21 |
|
| 22 |
Sure enough, the nfsd kernel thread is running as kernel_t: |
| 23 |
|
| 24 |
# ps -A -o context,pid,user,command | grep [n]fs |
| 25 |
system_u:system_r:kernel_t 556 root [nfsiod] |
| 26 |
system_u:system_r:nfsd_t 28617 root /usr/sbin/rpc.mountd -p 2050 |
| 27 |
system_u:system_r:kernel_t 28622 root [nfsd] |
| 28 |
system_u:system_r:kernel_t 28623 root [nfsd] |
| 29 |
|
| 30 |
even though the binary that starts it is labeled as nfsd_exec_t, just like |
| 31 |
rpc.mountd, which runs as the correct type: |
| 32 |
|
| 33 |
# ls -Z --format=single-column /usr/sbin/rpc.* |
| 34 |
system_u:object_r:nfsd_exec_t /usr/sbin/rpc.mountd |
| 35 |
system_u:object_r:nfsd_exec_t /usr/sbin/rpc.nfsd |
| 36 |
|
| 37 |
and there are standard rules in place which would allow these accesses if they |
| 38 |
were done as nfsd_t: |
| 39 |
|
| 40 |
# sesearch --allow -s nfsd_t -t user_home_t |
| 41 |
Found 11 semantic av rules: |
| 42 |
allow nfsd_t file_type : filesystem getattr ; |
| 43 |
allow nfsd_t file_type : dir { ioctl read getattr lock search open } ; |
| 44 |
allow nfsd_t file_type : sock_file getattr ; |
| 45 |
allow nfsd_t file_type : fifo_file getattr ; |
| 46 |
allow nfsd_t user_home_t : file { ioctl read getattr lock open } ; |
| 47 |
allow nfsd_t user_home_t : file { ioctl read write create getattr |
| 48 |
setattr lock append unlink link rename open } ; |
| 49 |
allow nfsd_t user_home_t : dir { ioctl read getattr lock search open } ; |
| 50 |
allow nfsd_t user_home_t : dir { ioctl read write create getattr setattr |
| 51 |
lock unlink link rename add_name remove_name reparent search rmdir open } ; |
| 52 |
allow nfsd_t user_home_t : lnk_file { read create getattr setattr unlink |
| 53 |
link rename } ; |
| 54 |
allow nfsd_t user_home_t : sock_file { ioctl read write create getattr |
| 55 |
setattr lock append unlink link rename open } ; |
| 56 |
allow nfsd_t user_home_t : fifo_file { ioctl read write create getattr |
| 57 |
setattr lock append unlink link rename open } ; |
| 58 |
|
| 59 |
Is there a way to get the kernel nfsd thread to run as nfsd_t instead of |
| 60 |
kernel_t? |
| 61 |
|
| 62 |
-- |
| 63 |
Karl-Johan Karlsson |
Archives