Bug 162349 - Policy prevents NFS exporting CDs
Summary: Policy prevents NFS exporting CDs
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-07-02 23:15 UTC by Pete Chown
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-09-15 15:58:28 UTC

Description Pete Chown 2005-07-02 23:15:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
When the targeted policy is loaded, the NFS daemon is denied access to iso9660_t, preventing it exporting mounted CDs or CD images.  There also doesn't seem to be a way of disabling SELinux protection for NFS, whereas there is a way for all the other daemons.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Mount a CD.
2. Configure NFS to export the directory where the CD is mounted.
3. Enable targeted policy.
4. Mount the directory exported at (2) above from another machine.

Actual Results:  AVC message in the audit log.

Expected Results:  The directory should have been mounted.

Additional info:

Comment 1 Daniel Walsh 2005-07-03 15:22:59 UTC
Fixed in selinux-policy-targeted-1.24-3

Comment 2 Pete Chown 2005-07-11 20:04:35 UTC
I've just updated to selinux-policy-targeted-1.24-3 and retested this.  I
haven't yet tried to export a mounted physical CD, but exporting mounted CD
images still doesn't work.  I managed to get this working by adding

allow nfsd_t iso9660_t:dir getattr;

to my local policy.  Hope this helps, let me know if you need more information
about my setup.
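
Added example, not part of the original bug thread or of the selinux-policy project: the reproduction steps end in an AVC message in the audit log, and Comment 2 resolves it with one allow rule. The Python below groups AVC denials by source type, target type and class and renders each group as a candidate rule for review; the log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit-log lines for illustration; none come from the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1121112275.101:41): avc:  denied  { getattr } for  pid=2211 comm="nfsd" name="/" dev=loop0 ino=1792 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:iso9660_t tclass=dir
type=AVC msg=audit(1121112275.300:42): avc:  granted  { load_policy } for  pid=2250 comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC msg=audit(1121112290.550:43): avc:  denied  { getattr } for  pid=2211 comm="nfsd" name="/" dev=loop0 ino=1792 scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:iso9660_t tclass=dir
type=SYSCALL msg=audit(1121112290.550:43): arch=40000003 syscall=195 success=no exit=-13
"""

# Matches only denials that list at least one permission.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}\s][^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def summarize_denials(log_text, source_type=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_DENIED.search(line)
        if match is None:
            continue  # granted AVCs and non-AVC records are not denials
        src = context_type(match["scon"])
        if source_type is not None and src != source_type:
            continue  # caller asked for one source domain only
        key = (src, context_type(match["tcon"]), match["tclass"])
        denials[key].update(match["perms"].split())
    return dict(denials)

def candidate_rules(denials):
    """Render each denial group as a candidate allow rule for human review."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG, "nfsd_t")):
        print(rule)
```

On the constructed sample this yields the same rule quoted in Comment 2; repeated denials collapse into one rule, so the output shows exactly which access the policy is missing before anything is added to local policy.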

Comment 3 Daniel Walsh 2005-07-11 20:19:11 UTC
What are the current settings of your booleans?

getsebool -a | grep nfs

Comment 4 Pete Chown 2005-07-11 20:31:18 UTC

The NFS booleans are:

nfs_export_all_ro --> active
nfs_export_all_rw --> active
nfsd_disable_trans --> inactive
use_nfs_home_dirs --> inactive

