I am not an expert in the NFS area but I used to have
the same problem. I was able to mount the NFS share but
I could not see the content of the share folder.

One thing I checked was the R and W access to that particular
NFS folder.

Maybe you should check that...


Alfredito




On 10:54 Wed 19 Oct, Andy Dustman wrote:
> I'm missing some important piece of how to properly mount NFS
> filesystems under SELinux. I can get the filesystem to mount, but if I
> try to access it, I get permission denied. Additionally, doing ls -dZ
> on the mount point shows (none) as the label. The avc denial is:
>
> Oct 19 10:34:48 dynamo audit(1129732488.176:905): avc: denied { read
> } for pid=12648 comm="ls" name="/" dev=0:e ino=7214560
> scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t
> tclass=dir
>
> So I'm guessing it's labeled nfs_t as would be expected, but even
> getting the label is not allowed for the context.
>
> # grep nfs_t policy.conf
> type var_lib_nfs_t, file_type, sysadmfile, usercanread;
> # nfs_t is the default type for NFS file systems
> type nfs_t, fs_type;
> allow nfs_t self:filesystem associate;
> allow file_type nfs_t:filesystem associate;
> allow consoletype_t nfs_t:file write;
> allow mount_t nfs_t:dir mounton;
> allow mount_t nfs_t:dir search;
> allow mount_t var_lib_nfs_t:dir mounton;
> dontaudit { file_type noexattrfile nfs_t } self:pax *;
> allow rpcd_t var_lib_nfs_t:dir { create read getattr lock setattr
> ioctl link unlink rename search add_name remove_name reparent write
> rmdir };
> allow rpcd_t var_lib_nfs_t:file { create ioctl read getattr lock write
> setattr append link unlink rename };
> allow nfsd_t var_lib_nfs_t:dir { create read getattr lock setattr
> ioctl link unlink rename search add_name remove_name reparent write
> rmdir };
> allow nfsd_t var_lib_nfs_t:file { create ioctl read getattr lock write
> setattr append link unlink rename };
> genfscon nfs / system_u:object_r:nfs_t
> genfscon nfs4 / system_u:object_r:nfs_t
> genfscon afs / system_u:object_r:nfs_t
>
> [ Searching for package 'selinux' in all categories among: ]
> * installed packages
> [I--] [ ] sec-policy/selinux-base-policy-20050821 (0)
> [I--] [ ] sec-policy/selinux-portmap-20050908 (0)
> [I--] [ ] sec-policy/selinux-nfs-20040501 (0)
>
> I'm aware of the need for NFS extensions on the client and server in
> order to fully-implement file labelling. The server in this case is a
> NetApp Filer, so I don't expect it to magically work. From what I am
> able to tell, all the files should be labeled nfs_t, but I'm not
> really sure about this, based on tunable.te, i.e. nfs_portdir and
> nfs_home_dirs.
> --
> Computer interfaces should never be made of meat.
> http://www.terrybisson.com/meat.html
>
> --
> gentoo-hardened@g.o mailing list

--
gentoo-hardened@g.o mailing list
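As an added example for this thread (not code from either poster), the following Python script decodes the AVC denial quoted above the way a reader of the thread would by hand: it pulls out the source type from scontext, the target type from tcontext, the object class and the denied permissions, and then merges denials per (source type, target type, class) into the literal TE allow rule that audit2allow would derive. The first sample line is the thread's own denial joined back onto one line; the second is a constructed line (not from the thread) for the same type pair, included only to show permission merging. The derived rule is a diagnostic: as the original poster notes, the policy has tunables such as nfs_home_dirs, and enabling an existing tunable is preferable to adding a raw allow rule when one covers the access.

```python
"""Decode SELinux AVC denial lines and derive the matching allow rule.

Added example for the gentoo-hardened thread above; not code from the
thread. derive_rules() mirrors the grant audit2allow would print, which
is an assumption about its output format, not a use of the tool itself.
"""
import re

# The AVC denial quoted in the thread, joined back onto one line.
SAMPLE_AVC = (
    'Oct 19 10:34:48 dynamo audit(1129732488.176:905): avc: denied { read } '
    'for pid=12648 comm="ls" name="/" dev=0:e ino=7214560 '
    'scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t '
    'tclass=dir'
)

# Constructed second denial (NOT from the thread) for the same type pair,
# used only to show how permissions are merged into one rule.
CONSTRUCTED_AVC = (
    'Oct 19 10:34:49 dynamo audit(1129732489.001:906): avc: denied { getattr } '
    'for pid=12649 comm="ls" name="/" dev=0:e ino=7214560 '
    'scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t '
    'tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC message into decision, permissions and key=value fields.

    Returns None for lines that are not AVC messages.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'path': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }
    # A context is user:role:type[:range]; TE rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2] if rec['scontext'] else None
    rec['ttype'] = rec['tcontext'].split(':')[2] if rec['tcontext'] else None
    return rec


def explain(rec):
    """Render a parsed AVC record as one readable sentence."""
    return ('%s (pid %s) running as %s was %s %s on %s "%s" labeled %s'
            % (rec['comm'], rec['pid'], rec['stype'], rec['decision'],
               ' '.join(rec['perms']), rec['tclass'], rec['path'], rec['ttype']))


def derive_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules.

    This is the literal grant audit2allow would derive. Treat it as a
    diagnostic, not as the fix: a policy tunable or boolean that already
    covers the access is the better switch when one exists.
    """
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == '__main__':
    print(explain(parse_avc(SAMPLE_AVC)))
    for rule in derive_rules([SAMPLE_AVC, CONSTRUCTED_AVC]):
        print(rule)
```

Run against the thread's line alone, derive_rules() yields `allow sysadm_t nfs_t:dir { read };`, which makes the poster's reading of the denial explicit: the sysadm_t domain has no read (or getattr) permission on directories of type nfs_t, which is why even `ls -dZ` on the mount point fails.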