Exporting NTFS filesystems over NFS
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 25 20:29:39 UTC 2005
Göran Uddeborg wrote:
> Daniel J Walsh writes:
>
>> OK, what version of policy are you running?
>>
>
> selinux-policy-targeted-1.27.1-2.6
> selinux-policy-targeted-sources-1.27.1-2.6
>
>
>> Running this through audit2why says that it should be allowed?
>>
>
> I hadn't discovered audit2why before! Handy!
>
> When I try it, it says
>
> freddi$ audit2why < ntfs-audit
> type=AVC msg=audit(1130008471.475:403): avc: denied { getattr } for pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean settings; check boolean settings.
> You can see the necessary allow rules by running audit2allow with this audit message as input.
>
> Running audit2allow (of course) gives "allow nfsd_t dosfs_t:dir getattr".
> So I tried
>
> grep 'nfsd_t.*dosfs_t.*getattr' /etc/selinux/targeted/src/policy/policy.conf
>
> and it gave me nothing.
>
It is getting it via an attribute of dosfs_t.
On policy-1.27.1-2.10 I get ...

grep nfs.*noexattr policy.conf
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr lock search ioctl };

grep dosfs.*noexattr policy.conf
type dosfs_t, fs_type, noexattrfile, sysadmfile;
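
Added example, not part of the original message and not code from the SELinux tools: a small lookup that does what the two greps above do by hand, expanding the target type's attributes and honouring "-type" exclusions when searching policy.conf for the rule that covers an audit2allow suggestion. The function names are hypothetical, the sample policy is constructed from the lines quoted in this thread (the shadow_t and nfsd_t declarations are assumed), and alias, typeattribute, "self", "*" and "~" are not handled.

```python
import re

# Constructed excerpt in policy.conf syntax, built from the lines quoted in the thread.
SAMPLE_POLICY = """\
type dosfs_t, fs_type, noexattrfile, sysadmfile;
type shadow_t, file_type;
type nfsd_t, domain;
allow nfsd_t { noexattrfile file_type -shadow_t }:dir { read getattr
lock search ioctl };
"""

# allow <source> <target>:<class> <perms>; where each field is a name or a { set }.
ALLOW = re.compile(r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
                   r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)

def _names(text):
    """Split 'a' or '{ a b -c }' into a list of names."""
    return text.strip("{} \t").split()

def type_attributes(policy):
    """Map each type to the attributes listed in its 'type name, attr, ...;' line."""
    attrs = {}
    for m in re.finditer(r"^type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", policy, re.M):
        attrs[m.group(1)] = set(re.findall(r"\w+", m.group(2)))
    return attrs

def _covers(names, typ, attrs):
    """True if typ is named directly or via an attribute and not excluded by -name."""
    own = {typ} | attrs.get(typ, set())
    if any(n[1:] in own for n in names if n.startswith("-")):
        return False
    return any(n in own for n in names if not n.startswith("-"))

def find_allow(policy, source, target, tclass, perm):
    """Return the allow rules that grant perm on target:tclass to source."""
    attrs = type_attributes(policy)
    hits = []
    for m in ALLOW.finditer(policy):
        src, tgt, cls, perms = (_names(g) for g in m.groups())
        if (_covers(src, source, attrs) and _covers(tgt, target, attrs)
                and tclass in cls and perm in perms):
            hits.append(" ".join(m.group(0).split()))  # rejoin wrapped rules
    return hits

if __name__ == "__main__":
    for rule in find_allow(SAMPLE_POLICY, "nfsd_t", "dosfs_t", "dir", "getattr"):
        print(rule)
```

An empty result for a denial that audit2why reports as a missing TE rule means no rule in the searched policy.conf covers it, directly or through an attribute.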