| 1 |
I am not an expert in the NFS area but I used to have |
| 2 |
the same problem. I was able to mount the NFS share but |
| 3 |
I could not see the content of the share folder. |
| 4 |
|
| 5 |
One thing I check was the R and W access to that particular |
| 6 |
NFS folder. |
| 7 |
|
| 8 |
Maybe you should chek that... |
| 9 |
|
| 10 |
|
| 11 |
Alfredito |
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
On 10:54 Wed 19 Oct , Andy Dustman wrote: |
| 17 |
> I'm missing some important piece of how to properly mount NFS |
| 18 |
> filesystems under SELinux. I can get the filesystem to mount, but if I |
| 19 |
> try to access it, I get permission denied. Additionally, doing ls -dZ |
| 20 |
> on the mount point shows (none) as the label. The avc denial is: |
| 21 |
> |
| 22 |
> Oct 19 10:34:48 dynamo audit(1129732488.176:905): avc: denied { read |
| 23 |
> } for pid=12648 comm="ls" name="/" dev=0:e ino=7214560 |
| 24 |
> scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t |
| 25 |
> tclass=dir |
| 26 |
> |
| 27 |
> So I'm guessing it's labeled nfs_t as would be expected, but even |
| 28 |
> getting the label is not allowed for the context. |
| 29 |
> |
| 30 |
> # grep nfs_t policy.conf |
| 31 |
> type var_lib_nfs_t, file_type, sysadmfile, usercanread; |
| 32 |
> # nfs_t is the default type for NFS file systems |
| 33 |
> type nfs_t, fs_type; |
| 34 |
> allow nfs_t self:filesystem associate; |
| 35 |
> allow file_type nfs_t:filesystem associate; |
| 36 |
> allow consoletype_t nfs_t:file write; |
| 37 |
> allow mount_t nfs_t:dir mounton; |
| 38 |
> allow mount_t nfs_t:dir search; |
| 39 |
> allow mount_t var_lib_nfs_t:dir mounton; |
| 40 |
> dontaudit { file_type noexattrfile nfs_t } self:pax *; |
| 41 |
> allow rpcd_t var_lib_nfs_t:dir { create read getattr lock setattr |
| 42 |
> ioctl link unlink rename search add_name remove_name reparent write |
| 43 |
> rmdir }; |
| 44 |
> allow rpcd_t var_lib_nfs_t:file { create ioctl read getattr lock write |
| 45 |
> setattr append link unlink rename }; |
| 46 |
> allow nfsd_t var_lib_nfs_t:dir { create read getattr lock setattr |
| 47 |
> ioctl link unlink rename search add_name remove_name reparent write |
| 48 |
> rmdir }; |
| 49 |
> allow nfsd_t var_lib_nfs_t:file { create ioctl read getattr lock write |
| 50 |
> setattr append link unlink rename }; |
| 51 |
> genfscon nfs / system_u:object_r:nfs_t |
| 52 |
> genfscon nfs4 / system_u:object_r:nfs_t |
| 53 |
> genfscon afs / system_u:object_r:nfs_t |
| 54 |
> |
| 55 |
> [ Searching for package 'selinux' in all categories among: ] |
| 56 |
> * installed packages |
| 57 |
> [I--] [ ] sec-policy/selinux-base-policy-20050821 (0) |
| 58 |
> [I--] [ ] sec-policy/selinux-portmap-20050908 (0) |
| 59 |
> [I--] [ ] sec-policy/selinux-nfs-20040501 (0) |
| 60 |
> |
| 61 |
> I'm aware of the need for NFS extensions on the client and server in |
| 62 |
> order to fully-implement file labelling. The server in this case is a |
| 63 |
> NetApp Filer, so I don't expect it to magically work. From what I am |
| 64 |
> able to tell, all the files should be labeled nfs_t, but I'm not |
| 65 |
> really sure about this, based on tunable.te, i.e. nfs_portdir and |
| 66 |
> nfs_home_dirs. |
| 67 |
> -- |
| 68 |
> Computer interfaces should never be made of meat. |
| 69 |
> http://www.terrybisson.com/meat.html |
| 70 |
> |
| 71 |
> -- |
| 72 |
> gentoo-hardened@g.o mailing list |
| 73 |
|
| 74 |
-- |
| 75 |
gentoo-hardened@g.o mailing list |
Archives