Hello, I'm trying to get SELinux running on my general home server. Up until now, following Gentoo's SELinux guide has been going pretty well, and what problems I've had I've solved and filed patches for in Bugzilla, but now I've hit a problem I can't find a solution for: it seems the NFS server is running as the wrong type.
When I access the NFS /home shares from a client, the audit log fills up with denials, about which audit2allow has the following to say:

#============= kernel_t ==============
allow kernel_t home_ssh_t:dir { read write getattr search };
allow kernel_t home_ssh_t:file getattr;
allow kernel_t httpd_user_content_t:lnk_file getattr;
allow kernel_t nfsd_t:tcp_socket read;
allow kernel_t screen_home_t:file getattr;
allow kernel_t user_home_dir_t:dir { read write getattr search };
allow kernel_t user_home_t:dir { read write getattr search add_name };
allow kernel_t user_home_t:file { write getattr create setattr };

Sure enough, the nfsd kernel thread is running as kernel_t:

# ps -A -o context,pid,user,command | grep [n]fs
system_u:system_r:kernel_t   556 root [nfsiod]
system_u:system_r:nfsd_t   28617 root /usr/sbin/rpc.mountd -p 2050
system_u:system_r:kernel_t 28622 root [nfsd]
system_u:system_r:kernel_t 28623 root [nfsd]

even though the binary that starts it is labeled as nfsd_exec_t, just like rpc.mountd, which runs as the correct type:

# ls -Z --format=single-column /usr/sbin/rpc.*
system_u:object_r:nfsd_exec_t /usr/sbin/rpc.mountd
system_u:object_r:nfsd_exec_t /usr/sbin/rpc.nfsd

and there are standard rules in place which would allow these accesses if they were done as nfsd_t:

# sesearch --allow -s nfsd_t -t user_home_t
Found 11 semantic av rules:
allow nfsd_t file_type : filesystem getattr ;
allow nfsd_t file_type : dir { ioctl read getattr lock search open } ;
allow nfsd_t file_type : sock_file getattr ;
allow nfsd_t file_type : fifo_file getattr ;
allow nfsd_t user_home_t : file { ioctl read getattr lock open } ;
allow nfsd_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow nfsd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow nfsd_t user_home_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow nfsd_t user_home_t : lnk_file { read create getattr setattr unlink link rename } ;
allow nfsd_t user_home_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow nfsd_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Is there a way to get the kernel nfsd thread to run as nfsd_t instead of kernel_t?

-- 
Karl-Johan Karlsson
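The check the post performs by eye, comparing the denials audit2allow generated for kernel_t against what the policy already grants nfsd_t, can be automated. The following is an added example, not code from the poster or from the SELinux userspace tools: it parses the two output formats quoted above (audit2allow's `tgt:class perms;` and sesearch's `tgt : class perms ;`), then reports which denied (target, class, permission) triples would remain denied if the same process ran in nfsd_t. The sample inputs are constructed from the text of the post; the `ATTRIBUTES` table is an assumption standing in for the policy's own `file_type` attribute membership, which cannot be queried offline. Because the quoted sesearch query was restricted to `-t user_home_t`, targets such as home_ssh_t and screen_home_t show up as uncovered only because their rules were never listed, not because the policy necessarily lacks them. Note also that the [nfsd] threads never execve a labeled binary; a domain transition keyed on nfsd_exec_t applies to rpc.nfsd, which only asks the kernel to start them.

```python
import re

# Sample input, constructed from the audit2allow output quoted in the post.
AUDIT2ALLOW_OUTPUT = """\
#============= kernel_t ==============
allow kernel_t home_ssh_t:dir { read write getattr search };
allow kernel_t home_ssh_t:file getattr;
allow kernel_t httpd_user_content_t:lnk_file getattr;
allow kernel_t nfsd_t:tcp_socket read;
allow kernel_t screen_home_t:file getattr;
allow kernel_t user_home_dir_t:dir { read write getattr search };
allow kernel_t user_home_t:dir { read write getattr search add_name };
allow kernel_t user_home_t:file { write getattr create setattr };
"""

# Sample input, constructed from the sesearch output quoted in the post
# (that query was restricted to -t user_home_t).
SESEARCH_OUTPUT = """\
Found 11 semantic av rules:
allow nfsd_t file_type : filesystem getattr ;
allow nfsd_t file_type : dir { ioctl read getattr lock search open } ;
allow nfsd_t file_type : sock_file getattr ;
allow nfsd_t file_type : fifo_file getattr ;
allow nfsd_t user_home_t : file { ioctl read getattr lock open } ;
allow nfsd_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow nfsd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow nfsd_t user_home_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow nfsd_t user_home_t : lnk_file { read create getattr setattr unlink link rename } ;
allow nfsd_t user_home_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow nfsd_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
"""

# Assumption: in the reference policy every file type carries the file_type
# attribute. We resolve that attribute by hand here because the loaded policy
# cannot be queried offline; on a real system seinfo -a would supply it.
ATTRIBUTES = {
    "file_type": {"user_home_t", "user_home_dir_t", "home_ssh_t",
                  "screen_home_t", "httpd_user_content_t"},
}

# Accepts both spellings: audit2allow's "tgt:class perms;" and
# sesearch's "tgt : class perms ;".
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;{}]+)\s*;"
)


def parse_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skips headers such as "#=====" or "Found 11 ..."
        perms = frozenset(m["perms"].strip("{}").split())
        rules.append((m["src"], m["tgt"], m["cls"], perms))
    return rules


def allowed_perms(rules, domain, target, cls, attributes=ATTRIBUTES):
    """Union of permissions `domain` holds on target:cls, expanding attributes."""
    perms = set()
    for src, tgt, c, p in rules:
        if src != domain or c != cls:
            continue
        if tgt == target or target in attributes.get(tgt, ()):
            perms |= p
    return perms


def uncovered_denials(denial_text, policy_text, domain):
    """Denied (target, class, perm) triples that `domain` would still lack."""
    policy = parse_rules(policy_text)
    missing = set()
    for _src, tgt, cls, perms in parse_rules(denial_text):
        granted = allowed_perms(policy, domain, tgt, cls)
        for perm in perms - granted:
            missing.add((tgt, cls, perm))
    return missing


if __name__ == "__main__":
    still_denied = uncovered_denials(AUDIT2ALLOW_OUTPUT, SESEARCH_OUTPUT, "nfsd_t")
    for tgt, cls, perm in sorted(still_denied):
        print(f"{tgt}:{cls} {perm}")
```

Run against the post's own data, every user_home_t denial disappears, which confirms the poster's reading that the existing nfsd_t rules would cover those accesses; the remaining lines point at the targets whose nfsd_t rules were not part of the quoted query and so still need to be looked up with sesearch before drawing a conclusion about them.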