Have you looked at this (might be outdated):

http://selinuxproject.org/page/Labeled_NFS

On 09/15/2016 09:15 AM, Jason Zaman wrote:
> Hi All,
> 
> I have kerberized NFSv4 between my laptop and server and when I use
> vers=4.2 I cannot access the mount. It looks like the fcontext needs to
> be invalidated or re-checked or something but I'm not familiar with
> kernel internals so not sure how to fix it (If someone can point me to
> the place, I'd love to get my hands dirty).
> 
> Steps to repro:
> kinit works fine
> mount /home/jason/bregalad works fine, the fstab line is:
> bregalad.perfinion.com:/jason /home/jason/bregalad nfs4 
> noauto,users,vers=4.2,sec=krb5p,rw,intr,soft,timeo=100,_netdev,fsc 0 0
> 
> Once mounted as my normal user:
> $ ls -aldZ /home/jason/bregalad
> ls: cannot access /home/jason/bregalad: Permission denied
> 
> I get the following denial:
> type=AVC msg=audit(1473923050.591:1577): avc:  denied  { getattr } for  
> pid=7630 comm="ls" path="/home/jason/bregalad" dev="0:55" ino=4 
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
> type=SYSCALL msg=audit(1473923050.591:1577): arch=c000003e syscall=6 
> success=no exit=-13 a0=399b2bc22f2 a1=7a03d6e960 a2=7a03d6e960 a3=7a02aa8d7b 
> items=1 ppid=6440 pid=7630 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 
> fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts3 ses=5 comm="ls" exe="/bin/ls" 
> subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1473923050.591:1577):  cwd="/home/jason"
> type=PATH msg=audit(1473923050.591:1577): item=0 name="/home/jason/bregalad" 
> inode=4 dev=00:37 mode=040711 ouid=1000 ogid=100 rdev=00:00 
> obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
> type=PROCTITLE msg=audit(1473923050.591:1577): 
> proctitle=6C73002D46002D2D636F6C6F723D6175746F002D616C645A002F686F6D652F6A61736F6E2F62726567616C6164
> 
> If I ls with sysadm_t (which has permissions for unlabeled_t) then the
> fcontext swaps to what it should be and everything works after that as
> staff_t too. I have not had issues with other dirs/files inside the NFS
> mount, only the mountpoint has this issue. 
> 
> As root / sysadm_t: # ls -aldZ /home/jason/bregalad
> drwx--x--x. 50 jason users staff_u:object_r:user_home_dir_t:s0 84 Sep 13 
> 22:38 /home/jason/bregalad/
> As jason / staff_t: $ ls -aldZ /home/jason/bregalad
> drwx--x--x. 50 jason users staff_u:object_r:user_home_dir_t:s0 84 Sep 13 
> 22:38 /home/jason/bregalad/
> 
> $ uname -a
> Linux meriadoc 4.7.2-hardened-r1 #1 SMP PREEMPT Sat Sep 3 11:27:29 SGT 2016 
> x86_64 Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz GenuineIntel GNU/Linux
> I'm on gentoo hardened but don't think GRSec is responsible here. I also had 
> the same problem back on 4.4.
> 
> Is there anything else that can help track this down?
> -- Jason


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Attachment: signature.asc
Description: OpenPGP digital signature
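Added example, not code from the thread: a small Python triage script that parses the three audit records quoted above (rejoined onto single lines, since the mailer wrapped them; the SYSCALL record is trimmed to a few fields), groups them by audit event id, decodes the hex-encoded PROCTITLE back into argv, and flags AVC denials whose target context type is unlabeled_t, which is the symptom reported here.

```python
import re
from collections import defaultdict

# Sample input: the AVC, SYSCALL and PROCTITLE records from the report above,
# one record per line (the SYSCALL line keeps only a subset of its fields).
SAMPLE_RECORDS = """\
type=AVC msg=audit(1473923050.591:1577): avc:  denied  { getattr } for  pid=7630 comm="ls" path="/home/jason/bregalad" dev="0:55" ino=4 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1473923050.591:1577): arch=c000003e syscall=6 success=no exit=-13 pid=7630 auid=1000 uid=1000 comm="ls" exe="/bin/ls" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1473923050.591:1577): proctitle=6C73002D46002D2D636F6C6F723D6175746F002D616C645A002F686F6D652F6A61736F6E2F62726567616C6164
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')  # timestamp:serial
PERMS_RE = re.compile(r'\{ ([^}]*) \}')            # "{ getattr }" in AVC lines

def parse_record(line):
    """Split one audit record into a dict; AVC records also get a perms list."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event"] = m.group(2) if m else None
    if fields.get("type") == "AVC":
        p = PERMS_RE.search(line)
        fields["perms"] = p.group(1).split() if p else []
    return fields

def decode_proctitle(hexstr):
    """The kernel logs argv as hex with NUL separators; return the argv list."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")

def context_type(ctx):
    """user:role:type:range -> type."""
    return ctx.split(":")[2]

def triage(text):
    """Group records by event id and report denials against unlabeled_t."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event"]].append(rec)
    findings = []
    for event_id, recs in events.items():
        by_type = {r["type"]: r for r in recs}  # one record per type per event
        avc = by_type.get("AVC")
        if not avc or context_type(avc["tcontext"]) != "unlabeled_t":
            continue
        sc, pt = by_type.get("SYSCALL", {}), by_type.get("PROCTITLE", {})
        findings.append({
            "event": event_id, "perms": avc["perms"], "tclass": avc["tclass"],
            "path": avc.get("path"), "source_type": context_type(avc["scontext"]),
            "target_type": "unlabeled_t", "syscall_exit": sc.get("exit"),
            "argv": decode_proctitle(pt["proctitle"]) if "proctitle" in pt else [],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Feed it `ausearch -m AVC,SYSCALL,PROCTITLE --raw` output to see the same grouping on a live system; a denial whose decoded argv points at an NFS mountpoint with target type unlabeled_t is the case discussed in this thread.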

_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.