View Issue Details
| Field | Value |
|---|---|
| ID | 0018292 |
| Project | CentOS-7 |
| Category | nfs-utils |
| View Status | public |
| Date Submitted | 2021-08-31 11:30 |
| Last Update | 2021-09-10 08:41 |
| Reporter | berthierp |
| Assigned To | |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Status | new |
| Resolution | open |
| Product Version | 7.9.2009 |
| Summary | 0018292: SELinux is preventing /usr/sbin/rpc.mountd from using the chown capability |
| Tags | No tags attached. |
| abrt_hash | |
| URL | |

Description

My logs get flooded with those messages below.

```
python: SELinux is preventing /usr/sbin/rpc.mountd from using the chown capability
python: SELinux is preventing rpc.mountd from using the fowner capability
```

Detailed messages with sealert:

```
SELinux is preventing /usr/sbin/rpc.mountd from using the chown capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc.mountd should have the chown capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rpc.mountd' --raw | audit2allow -M my-rpcmountd
# semodule -i my-rpcmountd.pp

Additional Information:
Source Context                system_u:system_r:nfsd_t:s0
Target Context                system_u:system_r:nfsd_t:s0
Target Objects                Unknown [ capability ]
Source                        rpc.mountd
Source Path                   /usr/sbin/rpc.mountd
Port                          <Unknown>
Host                          MYHOSTNAMEEDITED
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     MYHOSTNAMEEDITED
Platform                      Linux MYHOSTNAMEEDITED 3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021 x86_64 x86_64
Alert Count                   344618
First Seen                    2021-05-03 09:35:04 CEST
Last Seen                     2021-08-31 13:25:02 CEST
Local ID                      a40df66a-e89f-46e3-9231-7bb8d19ff37e

Raw Audit Messages
type=AVC msg=audit(1630409102.502:30989914): avc: denied { chown } for pid=1665 comm="rpc.mountd" capability=0 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0

Hash: rpc.mountd,nfsd_t,nfsd_t,capability,chown
```

```
SELinux is preventing rpc.mountd from using the fowner capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc.mountd should have the fowner capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rpc.mountd' --raw | audit2allow -M my-rpcmountd
# semodule -i my-rpcmountd.pp

Additional Information:
Source Context                system_u:system_r:nfsd_t:s0
Target Context                system_u:system_r:nfsd_t:s0
Target Objects                Unknown [ capability ]
Source                        rpc.mountd
Source Path                   rpc.mountd
Port                          <Unknown>
Host                          MYHOSTNAMEEDITED
Source RPM Packages           nfs-utils-1.3.0-0.68.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     MYHOSTNAMEEDITED
Platform                      Linux MYHOSTNAMEEDITED 3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021 x86_64 x86_64
Alert Count                   28618
First Seen                    2021-05-03 09:35:04 CEST
Last Seen                     2021-08-31 13:24:37 CEST
Local ID                      9c2f564a-e3f6-4c1e-b30a-1b130454aff8

Raw Audit Messages
type=AVC msg=audit(1630409077.752:30988077): avc: denied { fowner } for pid=1665 comm="rpc.mountd" capability=3 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
```
Note 0038601 (ManuelWolfshant, 2021-08-31 11:45)

Can you please do a full relabel of your filesystem and test again?

Note 0038602 (berthierp, 2021-08-31 12:23)

Hi Manuel, and thank you for your suggestion. Unfortunately the filesystem is huge and I would prefer not to relabel everything right now on that particular server. The best would be to reproduce the problem on a small test server. Meanwhile, are you thinking of a specific SELinux label that would be missing, so that I could check?

Note 0038618 (berthierp, 2021-09-10 08:41)

I've been looking at the network traffic when the errors occur and I only see NFS "getattr" requests. At the same time, in the output of "sealert -l":

```
type=SYSCALL msg=audit(1631262601.696:36080857): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffc7c9d80c0 a1=7ffc7c9d7df0 a2=7ffc7c9d7df0 a3=2 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.mountd exe=/usr/sbin/rpc.mountd subj=system_u:system_r:nfsd_t:s0 key=(null)
```

So it seems the NFS client wants to list the attributes of a file, and on the server SELinux prevents the NFS server from changing the attributes... how can that be?
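The sealert output in the report tells the reporter to run `ausearch -c 'rpc.mountd' --raw | audit2allow -M my-rpcmountd` and install the resulting `.pp`. Before doing that on a server, it is worth seeing exactly which rule the module would add. The script below is an added example (written for this page, not part of the bug report, nfs-utils or the audit2allow tool): it parses the raw AVC records quoted above (copied in as constructed sample input, re-joined where the page had wrapped them, with an abbreviated copy of the SYSCALL record from the last note to show that non-AVC lines are skipped), collapses the denials into allow rules the way audit2allow does (a target type equal to the source type is written as `self`), and prints the type-enforcement source in the layout `audit2allow -M` uses. It also cross-checks the numeric `capability=` field against the permission name in the braces using the values from linux/capability.h (0 is CAP_CHOWN, 3 is CAP_FOWNER). The `.te` generator is my own and mirrors audit2allow's output format; it is not audit2allow's code.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw AVC records quoted in the bug report,
# re-joined onto single lines, plus an abbreviated copy of the SYSCALL record
# from the reporter's last note (it carries no rule and must be ignored).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1630409102.502:30989914): avc:  denied  { chown } for  pid=1665 comm="rpc.mountd" capability=0  scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1630409077.752:30988077): avc:  denied  { fowner } for  pid=1665 comm="rpc.mountd" capability=3  scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1631262601.696:36080857): arch=x86_64 syscall=lstat success=yes exit=0 pid=1665 comm=rpc.mountd exe=/usr/sbin/rpc.mountd subj=system_u:system_r:nfsd_t:s0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Numeric capability= values as defined in linux/capability.h (first few only).
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner", 4: "fsetid"}


def type_of(context):
    """Return the type field of a context: system_u:system_r:nfsd_t:s0 -> nfsd_t."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, permission, capability_number) per denied AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue  # SYSCALL, PATH, granted etc. records carry no rule
        cap = re.search(r"\bcapability=(\d+)", line)
        cap_no = int(cap.group(1)) if cap else None
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm, cap_no)


def capability_mismatches(text):
    """Capability records whose capability= number does not name the permission in braces."""
    return [(perm, cap_no) for _, _, tclass, perm, cap_no in parse_avcs(text)
            if tclass == "capability" and CAP_NAMES.get(cap_no) != perm]


def build_rules(text):
    """Collapse denials into {(source, target, class): [perms]} as audit2allow does.

    Capability checks are made against the process's own domain (scontext == tcontext);
    audit2allow writes such rules against 'self'.
    """
    rules = defaultdict(set)
    for stype, ttype, tclass, perm, _ in parse_avcs(text):
        target = "self" if stype == ttype else ttype
        rules[(stype, target, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in rules.items()}


def render_te(rules, module="my-rpcmountd"):
    """Render rules as type-enforcement source in the layout audit2allow -M uses."""
    types, classes, by_source = set(), defaultdict(set), defaultdict(list)
    for (stype, target, tclass), perms in sorted(rules.items()):
        types.add(stype)
        if target != "self":
            types.add(target)
        classes[tclass].update(perms)
        by_source[stype].append(f"allow {stype} {target}:{tclass} {{ {' '.join(perms)} }};")
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for stype, stmts in sorted(by_source.items()):
        lines += [f"#============= {stype} ==============", *stmts, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    bad = capability_mismatches(SAMPLE_AUDIT)
    if bad:
        raise SystemExit(f"capability number/name mismatch: {bad}")
    print(render_te(build_rules(SAMPLE_AUDIT)))
```

For the two records in the report the generated module contains a single statement, `allow nfsd_t self:capability { chown fowner };`. That is a grant of CAP_CHOWN and CAP_FOWNER to everything running as `nfsd_t`, not a per-file exception, so the daemon would be allowed to change ownership of, and bypass owner checks on, any file it can already reach. The reporter's sealert output itself says the right course for a capability the daemon should have by default is a bug report against the policy; reviewing the `.te` like this before `semodule -i` is how you decide which case you are in.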
Date Modified | Username | Field | Change |
---|---|---|---|
2021-08-31 11:30 | berthierp | New Issue | |
2021-08-31 11:45 | ManuelWolfshant | Note Added: 0038601 | |
2021-08-31 12:23 | berthierp | Note Added: 0038602 | |
2021-09-10 08:41 | berthierp | Note Added: 0038618 |