View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0018292CentOS-7nfs-utilspublic2021-08-31 11:302021-09-10 08:41
Reporterberthierp Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Product Version7.9.2009 
Summary0018292: SELinux is preventing /usr/sbin/rpc.mountd from using the chown capability
DescriptionMy logs get flooded with those messages below.

python: SELinux is preventing /usr/sbin/rpc.mountd from using the chown capability

python: SELinux is preventing rpc.mountd from using the fowner capability

Detailed messages with sealert:

SELinux is preventing /usr/sbin/rpc.mountd from using the chown capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rpc.mountd should have the chown capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc.mountd' --raw | audit2allow -M my-rpcmountd
# semodule -i my-rpcmountd.pp


Additional Information:
Source Context system_u:system_r:nfsd_t:s0
Target Context system_u:system_r:nfsd_t:s0
Target Objects Unknown [ capability ]
Source rpc.mountd
Source Path /usr/sbin/rpc.mountd
Port <Unknown>
Host MYHOSTNAMEEDITED
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name MYHOSTNAMEEDITED
Platform Linux MYHOSTNAMEEDITED
                              3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10
                              13:32:12 UTC 2021 x86_64 x86_64
Alert Count 344618
First Seen 2021-05-03 09:35:04 CEST
Last Seen 2021-08-31 13:25:02 CEST
Local ID a40df66a-e89f-46e3-9231-7bb8d19ff37e

Raw Audit Messages
type=AVC msg=audit(1630409102.502:30989914): avc: denied { chown } for pid=1665 comm="rpc.mountd" capabil
ity=0 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissiv
e=0


Hash: rpc.mountd,nfsd_t,nfsd_t,capability,chown




SELinux is preventing rpc.mountd from using the fowner capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rpc.mountd should have the fowner capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc.mountd' --raw | audit2allow -M my-rpcmountd
# semodule -i my-rpcmountd.pp


Additional Information:
Source Context system_u:system_r:nfsd_t:s0
Target Context system_u:system_r:nfsd_t:s0
Target Objects Unknown [ capability ]
Source rpc.mountd
Source Path rpc.mountd
Port <Unknown>
Host MYHOSTNAMEEDITED
Source RPM Packages nfs-utils-1.3.0-0.68.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name MYHOSTNAMEEDITED
Platform Linux MYHOSTNAMEEDITED
                              3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10
                              13:32:12 UTC 2021 x86_64 x86_64
Alert Count 28618
First Seen 2021-05-03 09:35:04 CEST
Last Seen 2021-08-31 13:24:37 CEST
Local ID 9c2f564a-e3f6-4c1e-b30a-1b130454aff8

Raw Audit Messages
type=AVC msg=audit(1630409077.752:30988077): avc: denied { fowner } for pid=1665 comm="rpc.mountd" capabi
lity=3 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissi
ve=0

TagsNo tags attached.
abrt_hash
URL

Activities

ManuelWolfshant

ManuelWolfshant

2021-08-31 11:45

manager   ~0038601

Can you please do a full relabel of your filesystem and test again ?
berthierp

berthierp

2021-08-31 12:23

reporter   ~0038602

Hi Manuel and thank you for your suggestion. Unfortunately the filesystem is huge and I would prefer not to relabel everything right now on that particular server. The best would be to reproduce the problem on a small test server. Meanwhile are you thinking of a specific selinux label that would be missing so that I could check?
berthierp

berthierp

2021-09-10 08:41

reporter   ~0038618

I've been looking at the network traffic when the errors occur and I only see NFS requests "getattr". At the same time in the output of "sealert -l":

type=SYSCALL msg=audit(1631262601.696:36080857): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffc7c9d80c0 a1=7ffc7c9d7df0 a2=7ffc7c9d7df0 a3=2 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.mountd exe=/usr/sbin/rpc.mountd subj=system_u:system_r:nfsd_t:s0 key=(null)

So it seems the NFS client wants to list the attributes of a file and on the server selinux prevents the NFS server to change the attributes.... how can that be?

Issue History

Date Modified Username Field Change
2021-08-31 11:30 berthierp New Issue
2021-08-31 11:45 ManuelWolfshant Note Added: 0038601
2021-08-31 12:23 berthierp Note Added: 0038602
2021-09-10 08:41 berthierp Note Added: 0038618