Hi All,

I have kerberized NFSv4 between my laptop and server and when I use
vers=4.2 I cannot access the mount. It looks like the fcontext needs to
be invalidated or re-checked or something but I'm not familiar with
kernel internals so not sure how to fix it (If someone can point me to
the place, I'd love to get my hands dirty).

Steps to repro:
kinit works fine
mount /home/jason/bregalad works fine, the fstab line is:
bregalad.perfinion.com:/jason /home/jason/bregalad nfs4 noauto,users,vers=4.2,sec=krb5p,rw,intr,soft,timeo=100,_netdev,fsc 0 0

Once mounted as my normal user:
$ ls -aldZ /home/jason/bregalad
ls: cannot access /home/jason/bregalad: Permission denied

I get the following denial:
type=AVC msg=audit(1473923050.591:1577): avc:  denied  { getattr } for  pid=7630 comm="ls" path="/home/jason/bregalad" dev="0:55" ino=4 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1473923050.591:1577): arch=c000003e syscall=6 success=no exit=-13 a0=399b2bc22f2 a1=7a03d6e960 a2=7a03d6e960 a3=7a02aa8d7b items=1 ppid=6440 pid=7630 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts3 ses=5 comm="ls" exe="/bin/ls" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1473923050.591:1577):  cwd="/home/jason"
type=PATH msg=audit(1473923050.591:1577): item=0 name="/home/jason/bregalad" inode=4 dev=00:37 mode=040711 ouid=1000 ogid=100 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1473923050.591:1577): proctitle=6C73002D46002D2D636F6C6F723D6175746F002D616C645A002F686F6D652F6A61736F6E2F62726567616C6164

If I ls with sysadm_t (which has permissions for unlabeled_t) then the
fcontext swaps to what it should be and everything works after that as
staff_t too. I have not had issues with other dirs/files inside the NFS
mount, only the mountpoint has this issue. 

As root / sysadm_t:
# ls -aldZ /home/jason/bregalad
drwx--x--x. 50 jason users staff_u:object_r:user_home_dir_t:s0 84 Sep 13 22:38 /home/jason/bregalad/

As jason / staff_t:
$ ls -aldZ /home/jason/bregalad
drwx--x--x. 50 jason users staff_u:object_r:user_home_dir_t:s0 84 Sep 13 22:38 /home/jason/bregalad/

$ uname -a
Linux meriadoc 4.7.2-hardened-r1 #1 SMP PREEMPT Sat Sep 3 11:27:29 SGT 2016 x86_64 Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz GenuineIntel GNU/Linux

I'm on Gentoo hardened but don't think GRSec is responsible here. I also had the same problem back on 4.4.

Is there anything else that can help track this down?
-- Jason
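The denial above is easier to triage once the AVC, SYSCALL and PATH records that share one audit serial are correlated and the target type is pulled out of the context string. The following script is an added example, not part of the original post or of any SELinux tooling: it parses audit records of the form shown above, groups them by serial, and reports denials whose target context type is unlabeled_t (the type the kernel reports when it holds no valid label for the object, which points at a labeling problem rather than a missing allow rule). The sample input is the poster's records rejoined onto one line each; the field names (source_type, target_type, exit, and so on) and the hint text are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the three records from the post above, one record per line
# (the mailing list wrapped them across several lines).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1473923050.591:1577): avc:  denied  { getattr } for  pid=7630 comm="ls" path="/home/jason/bregalad" dev="0:55" ino=4 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1473923050.591:1577): arch=c000003e syscall=6 success=no exit=-13 a0=399b2bc22f2 a1=7a03d6e960 a2=7a03d6e960 a3=7a02aa8d7b items=1 ppid=6440 pid=7630 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts3 ses=5 comm="ls" exe="/bin/ls" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1473923050.591:1577): item=0 name="/home/jason/bregalad" inode=4 dev=00:37 mode=040711 ouid=1000 ogid=100 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
"""

# "type=AVC msg=audit(<timestamp>:<serial>): <rest>"
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value pairs; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set of an AVC record, e.g. "{ getattr }"
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
DECISION_RE = re.compile(r'avc:\s+(denied|granted)')


def parse_record(line: str) -> Optional[dict]:
    """Parse one audit record into a dict of its fields, or None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    rest = m.group("rest")
    for key, value in KV_RE.findall(rest):
        rec[key] = value[1:-1] if value.startswith('"') and value.endswith('"') else value
    if rec["type"] == "AVC":
        d = DECISION_RE.search(rest)
        rec["decision"] = d.group(1) if d else None
        p = PERMS_RE.search(rest)
        rec["perms"] = p.group(1).split() if p else []
    return rec


def group_events(text: str) -> Dict[str, List[dict]]:
    """Group records by audit serial; all records of one event share the serial."""
    events: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def context_type(ctx: str) -> str:
    """Return the type field (user:role:type[:range]) of a security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def find_unlabeled_denials(text: str, target_type: str = "unlabeled_t") -> List[dict]:
    """Return a summary for every denied AVC whose target context type is target_type."""
    found: List[dict] = []
    for serial, recs in group_events(text).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        paths = [r for r in recs if r["type"] == "PATH"]
        for avc in (r for r in recs if r["type"] == "AVC"):
            if avc.get("decision") != "denied":
                continue
            if context_type(avc.get("tcontext", "")) != target_type:
                continue
            found.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "perms": avc["perms"],
                "tclass": avc.get("tclass"),
                "source_type": context_type(avc.get("scontext", "")),
                "target_type": context_type(avc.get("tcontext", "")),
                # prefer the AVC path; fall back to the PATH record's name
                "path": avc.get("path") or (paths[0].get("name") if paths else None),
                "exit": int(syscall["exit"]) if "exit" in syscall else None,
                "permissive": avc.get("permissive"),
            })
    return found


if __name__ == "__main__":
    for hit in find_unlabeled_denials(SAMPLE_AUDIT):
        print(f"serial {hit['serial']}: {hit['comm']} ({hit['source_type']}) denied "
              f"{' '.join(hit['perms'])} on {hit['tclass']} {hit['path']} "
              f"labelled {hit['target_type']} (exit={hit['exit']})")
        # Hint text is this example's own: a target of unlabeled_t means the object
        # carries no valid label, so fixing the label beats writing an allow rule.
        print("  hint: target is unlabeled_t; check how the object is being labelled")
```

Run it over a saved `ausearch -m AVC,SYSCALL,PATH --raw` dump instead of the sample to list every unlabeled_t denial on a host, with the path and the syscall result next to each.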