I'm missing some important piece of how to properly mount NFS
filesystems under SELinux. I can get the filesystem to mount, but if I
try to access it, I get permission denied. Additionally, doing ls -dZ
on the mount point shows (none) as the label. The avc denial is:

Oct 19 10:34:48 dynamo audit(1129732488.176:905): avc: denied { read } for pid=12648 comm="ls" name="/" dev=0:e ino=7214560 scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t tclass=dir

So I'm guessing it's labeled nfs_t as would be expected, but even
getting the label is not allowed for the context.

# grep nfs_t policy.conf
type var_lib_nfs_t, file_type, sysadmfile, usercanread;
# nfs_t is the default type for NFS file systems
type nfs_t, fs_type;
allow nfs_t self:filesystem associate;
allow file_type nfs_t:filesystem associate;
allow consoletype_t nfs_t:file write;
allow mount_t nfs_t:dir mounton;
allow mount_t nfs_t:dir search;
allow mount_t var_lib_nfs_t:dir mounton;
dontaudit { file_type noexattrfile nfs_t } self:pax *;
allow rpcd_t var_lib_nfs_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow rpcd_t var_lib_nfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow nfsd_t var_lib_nfs_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow nfsd_t var_lib_nfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
genfscon nfs / system_u:object_r:nfs_t
genfscon nfs4 / system_u:object_r:nfs_t
genfscon afs / system_u:object_r:nfs_t

[ Searching for package 'selinux' in all categories among: ]
 * installed packages
[I--] [  ] sec-policy/selinux-base-policy-20050821 (0)
[I--] [  ] sec-policy/selinux-portmap-20050908 (0)
[I--] [  ] sec-policy/selinux-nfs-20040501 (0)

I'm aware of the need for NFS extensions on the client and server in
order to fully implement file labelling. The server in this case is a
NetApp Filer, so I don't expect it to magically work. From what I am
able to tell, all the files should be labeled nfs_t, but I'm not
really sure about this, based on tunable.te, i.e. nfs_portdir and
nfs_home_dirs.
-- 
Computer interfaces should never be made of meat.
http://www.terrybisson.com/meat.html

-- 
gentoo-hardened@g.o mailing list
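An added example, not part of the message above and not code from the Gentoo policy: the triage step a practitioner would run before touching tunable.te. It parses an AVC denial line into source type, target type, object class and permissions, emits the allow rule that denial is asking for (what audit2allow would produce), and then checks whether the policy.conf text already contains such a rule. The AVC line and the policy.conf excerpt embedded below are constructed by copying the ones quoted in the post onto single lines; the function names avc_fields, avc_to_allow and policy_allows are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the Gentoo policy):
# turn an SELinux AVC denial into the allow rule it asks for, then see
# whether policy.conf already grants it. Plain sed/awk/grep, no audit2allow.

# Constructed sample: the denial quoted in the post, rejoined onto one line.
AVC_LINE='Oct 19 10:34:48 dynamo audit(1129732488.176:905): avc: denied { read } for pid=12648 comm="ls" name="/" dev=0:e ino=7214560 scontext=adustman:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t tclass=dir'

# Constructed sample: the nfs_t rules the post grepped out of policy.conf.
POLICY_EXCERPT='type nfs_t, fs_type;
allow nfs_t self:filesystem associate;
allow file_type nfs_t:filesystem associate;
allow consoletype_t nfs_t:file write;
allow mount_t nfs_t:dir mounton;
allow mount_t nfs_t:dir search;
genfscon nfs / system_u:object_r:nfs_t'

# Print "<source type> <target type> <class> <perm...>" for one AVC line.
# The type is the third colon-separated field of a context; that holds for
# both user:role:type and user:role:type:level (MLS) contexts.
avc_fields() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | awk -F: '{print $3}')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | awk -F: '{print $3}')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Print the policy rule that would satisfy the denial, e.g.
# "allow sysadm_t nfs_t:dir { read };".
avc_to_allow() {
    set -- $(avc_fields "$1")
    stype=$1; ttype=$2; tclass=$3; shift 3
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$*"
}

# Succeed (exit 0) if the policy text has an allow rule from type $2 to
# $3:$4 that names permission $5, whether written as "{ a b }" or bare.
policy_allows() {
    policy=$1; stype=$2; ttype=$3; tclass=$4; perm=$5
    printf '%s\n' "$policy" \
      | grep -E "^allow[[:space:]]+$stype[[:space:]]+$ttype:$tclass[[:space:]]" \
      | tr -d '{};' \
      | awk '{ for (i = 4; i <= NF; i++) print $i }' \
      | grep -qx -- "$perm"
}

# Worked run on the constructed samples.
echo "Rule the denial asks for: $(avc_to_allow "$AVC_LINE")"
set -- $(avc_fields "$AVC_LINE")
stype=$1; ttype=$2; tclass=$3; shift 3
for perm in "$@"; do
    if policy_allows "$POLICY_EXCERPT" "$stype" "$ttype" "$tclass" "$perm"; then
        echo "$stype -> $ttype:$tclass $perm is already in policy.conf; look at labeling instead"
    else
        echo "$stype -> $ttype:$tclass $perm is not in policy.conf; a tunable or local .te must add it"
    fi
done
```

On the post's own input this prints `allow sysadm_t nfs_t:dir { read };` and reports that no such rule exists in the excerpt, which is consistent with the denial: the mount is labeled nfs_t by the genfscon line, and it is the missing allow rule, not the label, that blocks ls. The same script run against a full policy.conf tells you whether a tunable such as nfs_home_dirs (which the post suspects) is what normally supplies that rule. Since the NetApp server cannot carry per-file labels, the usual alternative is to pick the label at mount time with the standard SELinux `context=` mount option rather than relying on the genfscon default.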