| 1 |
On Fri, 2010-07-16 at 21:30 +0200, Karl-Johan Karlsson wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> I'm trying to get SELinux running on my general home server. Up until now |
| 5 |
> following Gentoo's SELinux guide been going pretty well, and what problems |
| 6 |
> I've had I've solved and filed patches for in Bugzilla, but now I've hit a |
| 7 |
> problem I can't find a solution for: it seems the NFS server is running as |
| 8 |
> the wrong type. |
| 9 |
[...] |
| 10 |
> Sure enough, the nfsd kernel thread is running as kernel_t: |
| 11 |
> |
| 12 |
> # ps -A -o context,pid,user,command | grep [n]fs |
| 13 |
> system_u:system_r:kernel_t 556 root [nfsiod] |
| 14 |
> system_u:system_r:nfsd_t 28617 root /usr/sbin/rpc.mountd -p 2050 |
| 15 |
> system_u:system_r:kernel_t 28622 root [nfsd] |
| 16 |
> system_u:system_r:kernel_t 28623 root [nfsd] |
| 17 |
|
| 18 |
This is expected behavior. All kernel threads are kernel_t, so the |
| 19 |
kernel nfsd is also kernel_t. |
| 20 |
|
| 21 |
> even though the binary that starts it is labeled as nfsd_exec_t, just like |
| 22 |
> rpc.mountd, which runs as the correct type: |
| 23 |
> |
| 24 |
> # ls -Z --format=single-column /usr/sbin/rpc.* |
| 25 |
> system_u:object_r:nfsd_exec_t /usr/sbin/rpc.mountd |
| 26 |
> system_u:object_r:nfsd_exec_t /usr/sbin/rpc.nfsd |
| 27 |
|
| 28 |
rpc.nfsd is only a userspace helper component. The real server is the |
| 29 |
kernel thread. From the rpc.nfsd man page: |
| 30 |
|
| 31 |
"The rpc.nfsd program implements the user level part of the NFS service. |
| 32 |
The main functionality is handled by the nfsd kernel module. The |
| 33 |
userspace program merely specifies what sort of sockets the kernel |
| 34 |
service should listen on, what NFS versions it should support, and how |
| 35 |
many kernel threads it should use." |
| 36 |
|
| 37 |
> and there are standard rules in place which would allow these accesses if they |
| 38 |
> were done as nfsd_t: |
| 39 |
> |
| 40 |
> # sesearch --allow -s nfsd_t -t user_home_t |
| 41 |
> Found 11 semantic av rules: |
| 42 |
> allow nfsd_t file_type : filesystem getattr ; |
| 43 |
> allow nfsd_t file_type : dir { ioctl read getattr lock search open } ; |
| 44 |
> allow nfsd_t file_type : sock_file getattr ; |
| 45 |
> allow nfsd_t file_type : fifo_file getattr ; |
| 46 |
> allow nfsd_t user_home_t : file { ioctl read getattr lock open } ; |
| 47 |
> allow nfsd_t user_home_t : file { ioctl read write create getattr |
| 48 |
> setattr lock append unlink link rename open } ; |
| 49 |
> allow nfsd_t user_home_t : dir { ioctl read getattr lock search open } ; |
| 50 |
> allow nfsd_t user_home_t : dir { ioctl read write create getattr setattr |
| 51 |
> lock unlink link rename add_name remove_name reparent search rmdir open } ; |
| 52 |
> allow nfsd_t user_home_t : lnk_file { read create getattr setattr unlink |
| 53 |
> link rename } ; |
| 54 |
> allow nfsd_t user_home_t : sock_file { ioctl read write create getattr |
| 55 |
> setattr lock append unlink link rename open } ; |
| 56 |
> allow nfsd_t user_home_t : fifo_file { ioctl read write create getattr |
| 57 |
> setattr lock append unlink link rename open } ; |
| 58 |
|
| 59 |
I believe these are leftover from the times that people had the nfsd |
| 60 |
completely in userspace (no kernel nfsd). |
| 61 |
|
| 62 |
> Is there a way to get the kernel nfsd thread to run as nfsd_t instead of |
| 63 |
> kernel_t? |
| 64 |
|
| 65 |
No. You would have to run a completely userspace nfsd; I don't know if |
| 66 |
that is even supported anymore. The performance penalty would probably |
| 67 |
be prohibitive too. |
| 68 |
|
| 69 |
-- |
| 70 |
Chris PeBenito |
| 71 |
<pebenito@g.o> |
| 72 |
Developer, |
| 73 |
Hardened Gentoo Linux |
Archives