In a kind of déjà vu (https://www.redhat.com/archives/fedora-selinux-list/2005-October/msg00101.html) I am no longer able to mount NTFS filesystems over NFS. I include the audit messages below. If I understand things correctly, the catch is that nfsd_t domain processes are not allowed to do getattr on directories of dosfs_t. Last time, under FC4, my problem was that the policy had not been properly reloaded on upgrades. The policy did actually allow the operation. But I do not understand how this could work now. dosfs_t has the attribute noxattrfs just like in the FC4 policy. But I cannot find anything allowing nfsd_t to do getattr on noxattrfs. Looking at the code, my impression is that there ought to be "fs_list_noxattr_fs(nfsd_t)" declarations in the nfs_export_all_rw/ro clauses in rpc.te. That would allow nfsd_t to access directories on noxattr filesystems. As it is now it is allowed to read FILES there (through "fs_read_noxattr_fs_files(nfsd_t)"), but not to do anything with directories. (Except "search", so it can get to the files.) And that is apparently not enough. Am I just confused, or is there indeed a bug here?
type=AVC msg=audit(1145364546.934:3950): avc: denied { getattr } for pid=14600 comm="rpc.mountd" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1145364546.934:3950): arch=40000003 syscall=195 success=no exit=-13 a0=56570dd1 a1=ffffcb7c a2=f7fa6ff4 a3=ffffcb7c items=1 pid=14600 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"
type=AVC_PATH msg=audit(1145364546.934:3950): path="/mnt/remote/teddi"
type=CWD msg=audit(1145364546.934:3950): cwd="/var/lib/nfs"
type=PATH msg=audit(1145364546.934:3950): item=0 name="/mnt/remote/teddi" flags=1 inode=5 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
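As an added illustration (not from the original post, the Fedora policy or the list), a small POSIX shell helper that pulls the source type, target type, class and permissions out of an AVC record like the one quoted above, prints the sesearch query that confirms whether the loaded policy already grants the access, and emits a minimal raw local module limited to exactly the denied permissions. The module name localnfsdosfs is an assumption; the post's own proposal, adding fs_list_noxattr_fs(nfsd_t) to the nfs_export interfaces in rpc.te, is the reference-policy fix, and such a module is only the narrower interim workaround.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the post above, as one line.
SAMPLE_AVC='type=AVC msg=audit(1145364546.934:3950): avc: denied { getattr } for pid=14600 comm="rpc.mountd" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir'

# Third (type) field of the scontext= or tcontext= label.
avc_type() {  # $1 = scontext|tcontext, $2 = AVC record
    printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^: ]*\).*/\1/p"
}
# Permission list inside "denied { ... }" and the object class.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'; }
avc_class() { printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p'; }

# setools query: does the loaded policy contain an allow rule for this access?
avc_sesearch_cmd() {  # $1 = AVC record
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(avc_type scontext "$1")" "$(avc_type tcontext "$1")" \
        "$(avc_class "$1")" "$(avc_perms "$1" | tr ' ' ',')"
}

# Raw local module (the form audit2allow -M emits) granting only the denied
# permissions, so the workaround stays as narrow as the observed denial.
avc_to_te() {  # $1 = AVC record, $2 = module name (assumed)
    s=$(avc_type scontext "$1"); t=$(avc_type tcontext "$1")
    c=$(avc_class "$1"); p=$(avc_perms "$1")
    case $p in *' '*) p="{ $p }";; esac   # several perms need braces
    cat <<EOF
module $2 1.0;
require {
    type $s;
    type $t;
    class $c $p;
}
allow $s $t:$c $p;
EOF
}

# Demo on the constructed sample; in practice feed `ausearch -m avc` output.
avc_sesearch_cmd "$SAMPLE_AVC"
avc_to_te "$SAMPLE_AVC" localnfsdosfs
# Build and load: checkmodule -M -m -o localnfsdosfs.mod localnfsdosfs.te \
#   && semodule_package -o localnfsdosfs.pp -m localnfsdosfs.mod \
#   && semodule -i localnfsdosfs.pp
```

If the sesearch query returns a rule yet the denial persists, the loaded policy is stale (the FC4 case the post recalls), and reloading it is the fix rather than a new module.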