Exporting NTFS filesystems over NFS

Daniel J Walsh dwalsh at redhat.com
Tue Oct 25 20:29:39 UTC 2005


Göran Uddeborg wrote:
> Daniel J Walsh writes:
>   
>> OK, what version of policy are you running?
>>     
>
> selinux-policy-targeted-1.27.1-2.6
> selinux-policy-targeted-sources-1.27.1-2.6
>
>   
>> Running this through audit2why says that it should be allowed?
>>     
>
> I hadn't discovered audit2why before!  Handy!
>
> When I try it, it says
>
>     freddi$ audit2why < ntfs-audit 
>     type=AVC msg=audit(1130008471.475:403): avc:  denied  { getattr } for  pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir
> 	    Was caused by:
> 		    Missing or disabled TE allow rule.
> 		    Allow rules may exist but be disabled by boolean settings; check boolean settings.
> 		    You can see the necessary allow rules by running audit2allow with this audit message as input.
>
> Running audit2allow (of course) gives "allow nfsd_t dosfs_t:dir getattr".
> So I tried
>
>     grep 'nfsd_t.*dosfs_t.*getattr' /etc/selinux/targeted/src/policy/policy.conf
>
> and it gave me nothing.
>   
It is getting it via an attribute of dosfs_t.

On policy-1.27.1-2.10 I get ...
grep nfs.*noexattr policy.conf
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
grep dosfs.*noexattr policy.conf
type dosfs_t, fs_type, noexattrfile, sysadmfile;


More information about the fedora-selinux-list mailing list
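
Added example (not part of the original message, and not code from the selinux-policy project): a small attribute-aware lookup showing why a literal grep for "nfsd_t ... dosfs_t ... getattr" finds nothing while the access is still granted through the noexattrfile attribute. The sample policy text is constructed from the lines quoted above plus an assumed shadow_t declaration; the function names are hypothetical, and the "*", "~" and "self" forms of policy.conf are not handled.

```python
import re

# Constructed policy.conf excerpt: the dosfs_t declaration and the allow rule
# are the lines quoted in the message; the shadow_t line is an assumption.
SAMPLE_POLICY = """\
type dosfs_t, fs_type, noexattrfile, sysadmfile;
type shadow_t, file_type, secure_file_type;
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
"""

TYPE_RE = re.compile(r"^type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)
ALLOW_RE = re.compile(
    r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.M)

def items(field):
    """Split 'a' or '{ a b -c }' into its tokens."""
    return field.strip("{} \t").split()

def type_attributes(policy):
    """Map each declared type to the set of attributes it carries."""
    return {m.group(1): set(re.findall(r"\w+", m.group(2)))
            for m in TYPE_RE.finditer(policy)}

def matches(type_name, field, attrs):
    """True if the rule field names the type or one of its attributes,
    and no '-name' entry in the set excludes it."""
    names = {type_name} | attrs.get(type_name, set())
    toks = items(field)
    if any(t[0] == "-" and t[1:] in names for t in toks):
        return False
    return any(t in names for t in toks if t[0] != "-")

def rules_allowing(policy, source, target, tclass, perm):
    """Return the allow rules that grant source -> target:tclass perm."""
    attrs = type_attributes(policy)
    return [m.group(0) for m in ALLOW_RE.finditer(policy)
            if matches(source, m.group(1), attrs)
            and matches(target, m.group(2), attrs)
            and tclass in items(m.group(3)) and perm in items(m.group(4))]

def literal_grep(policy, pattern):
    """What a plain grep over policy.conf would print for the pattern."""
    return [line for line in policy.splitlines() if re.search(pattern, line)]

if __name__ == "__main__":
    print(literal_grep(SAMPLE_POLICY, r"nfsd_t.*dosfs_t.*getattr"))
    print(rules_allowing(SAMPLE_POLICY, "nfsd_t", "dosfs_t", "dir", "getattr"))
```
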