Re: Exporting NTFS filesystems over NFS

Göran Uddeborg wrote:
Daniel J Walsh writes:
Ok, what version of policy are you running?

selinux-policy-targeted-1.27.1-2.6
selinux-policy-targeted-sources-1.27.1-2.6

Running this through audit2why says that it should be allowed?

I hadn't discovered audit2why before!  Handy!

When I try it, it says

freddi$ audit2why < ntfs-audit
type=AVC msg=audit(1130008471.475:403): avc: denied { getattr } for pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir
	    Was caused by:
		    Missing or disabled TE allow rule.
		    Allow rules may exist but be disabled by boolean settings; check boolean settings.
		    You can see the necessary allow rules by running audit2allow with this audit message as input.

Running audit2allow (of course) gives "allow nfsd_t dosfs_t:dir getattr".
So I tried

    grep 'nfsd_t.*dosfs_t.*getattr' /etc/selinux/targeted/src/policy/policy.conf

and it gave me nothing.

It is getting it via an attribute of dosfs_t.

On policy-1.27.1-2.10 I get ...

    grep nfs.*noexattr policy.conf
    allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
    allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
    grep dosfs.*noexattr policy.conf
    type dosfs_t, fs_type, noexattrfile, sysadmfile;


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
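
Why the grep for a direct nfsd_t/dosfs_t rule finds nothing while the permission can still be granted, as an added example (not code from the thread or from the SELinux tools): a small Python resolver that expands type attributes and `-` exclusions when matching allow rules. The `type shadow_t, file_type;` line and all function names are constructed for illustration; `*`, `~`, `self`, aliases and booleans are not handled.

```python
import re

# Constructed sample: the two policy.conf lines quoted in the message, plus an
# assumed declaration for shadow_t so the "-shadow_t" exclusion can be shown.
POLICY = """\
type dosfs_t, fs_type, noexattrfile, sysadmfile;
type shadow_t, file_type;
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
"""

SET = r"(\{[^}]*\}|[^\s:;]+)"  # one name or a brace-delimited set
ALLOW = re.compile(rf"^allow\s+{SET}\s+{SET}\s*:\s*{SET}\s+{SET}\s*;", re.M)
TYPE = re.compile(r"^type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)

def items(spec):
    """Split 'name' or '{ a b -c }' into its terms."""
    return spec.strip("{} ").split()

def covers(name, attrs, spec):
    """True if the type, or one of its attributes, is listed and not '-' excluded."""
    labels = {name} | attrs.get(name, set())
    terms = items(spec)
    listed = any(t in labels for t in terms if not t.startswith("-"))
    excluded = any(t[1:] in labels for t in terms if t.startswith("-"))
    return listed and not excluded

def why_allowed(policy, src, tgt, cls, perm):
    """Return the allow rules granting src -> tgt:cls perm, attributes expanded."""
    attrs = {m.group(1): set(re.findall(r"\w+", m.group(2)))
             for m in TYPE.finditer(policy)}
    return [" ".join(m.group(0).split()) for m in ALLOW.finditer(policy)
            if covers(src, attrs, m.group(1)) and covers(tgt, attrs, m.group(2))
            and cls in items(m.group(3)) and perm in items(m.group(4))]

def grep_lines(policy, pattern):
    """Line-based regex search, like the grep in the message."""
    return [line for line in policy.splitlines() if re.search(pattern, line)]

if __name__ == "__main__":
    print(grep_lines(POLICY, r"nfsd_t.*dosfs_t.*getattr"))       # direct rule: none
    print(why_allowed(POLICY, "nfsd_t", "dosfs_t", "dir", "getattr"))
    print(why_allowed(POLICY, "nfsd_t", "shadow_t", "dir", "getattr"))
```

When auditing what a domain can reach, search by the target type's attributes as well as its name; a name-only grep under-reports the access a rule set actually grants.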
