Exporting NTFS filesystems over NFS (again)

Göran Uddeborg goeran at uddeborg.se
Tue Apr 18 21:37:35 UTC 2006

In a kind of déjà vu, I am no longer able to mount NTFS filesystems
over NFS.  I include the audit messages below.  If I understand things
correctly, the catch is that nfsd_t domain processes are not allowed to
do getattr on directories of the dosfs_t type.

Last time, under FC4, my problem was that the policy had not been
properly reloaded on upgrades.  The policy did actually allow the
operation.  But I do not understand how this could work now.  The
dosfs_t has attribute noxattrfs just like in the FC4 policy.  But I
can not find anything allowing nfsd_t to do getattr on noxattrfs.

Looking at the code, my impression is that there ought to be
"fs_list_noxattr_fs(nfsd_t)" declarations in the nfs_export_all_rw/ro
clauses in rpc.te.  That would allow nfsd_t to access directories on
noxattr filesystems.  As it is now it is allowed to read FILES there
(through "fs_read_noxattr_fs_files(nfsd_t)"), but not do anything with
directories.  (Except "search", so it can get to the files.)  And that
is apparently not enough.

Am I just confused, or is there indeed a bug here?

type=AVC msg=audit(1145364546.934:3950): avc:  denied  { getattr } for  pid=14600 comm="rpc.mountd" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1145364546.934:3950): arch=40000003 syscall=195 success=no exit=-13 a0=56570dd1 a1=ffffcb7c a2=f7fa6ff4 a3=ffffcb7c items=1 pid=14600 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"
type=AVC_PATH msg=audit(1145364546.934:3950):  path="/mnt/remote/teddi"
type=CWD msg=audit(1145364546.934:3950):  cwd="/var/lib/nfs"
type=PATH msg=audit(1145364546.934:3950): item=0 name="/mnt/remote/teddi" flags=1  inode=5 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00
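As an added illustration (not part of the mail above), the following script parses AVC denial records like the one quoted in this message and turns them into the allow rule they imply, in the spirit of audit2allow, then checks whether the denied directory permissions fall within refpolicy's list_dir_perms set, which is what the fs_list_noxattr_fs() interface grants on noxattrfs directories. The sample log is constructed: it contains the getattr denial from the mail plus a made-up second denial (read on the same directory) and one non-AVC record, to show merging and filtering.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the real AVC line from the mail, an AVC_PATH
# record that must be ignored, and a made-up second denial for "read".
SAMPLE_AUDIT = """\
type=AVC msg=audit(1145364546.934:3950): avc:  denied  { getattr } for  pid=14600 comm="rpc.mountd" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC_PATH msg=audit(1145364546.934:3950):  path="/mnt/remote/teddi"
type=AVC msg=audit(1145364600.101:3951): avc:  denied  { read } for  pid=14600 comm="rpc.mountd" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
"""

# refpolicy's list_dir_perms macro as defined in obj_perm_sets.spt
# (older policies lacked "open"); fs_list_noxattr_fs() grants exactly
# this set on noxattrfs:dir.
LIST_DIR_PERMS: Set[str] = {"getattr", "search", "open", "read", "lock", "ioctl"}

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log: str) -> List[Dict[str, object]]:
    """Extract denied AVC records; other audit record types are skipped."""
    records: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        records.append({
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": m.group("perms").split(),
        })
    return records


def allow_rules(records: List[Dict[str, object]]) -> List[str]:
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        key = (str(r["source"]), str(r["target"]), str(r["tclass"]))
        merged.setdefault(key, set()).update(r["perms"])  # type: ignore[arg-type]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def covered_by_list_dir_perms(perms: List[str]) -> bool:
    """True if every denied dir permission is within refpolicy's list_dir_perms."""
    return set(perms) <= LIST_DIR_PERMS


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    dir_perms = [p for r in recs if r["tclass"] == "dir" for p in r["perms"]]  # type: ignore[union-attr]
    print("covered by fs_list_noxattr_fs():", covered_by_list_dir_perms(dir_perms))
```

Run on the sample, it prints the single merged rule `allow nfsd_t dosfs_t:dir { getattr read };` and reports that those permissions are within list_dir_perms, i.e. the denial would be resolved by granting the source domain the list_dir_perms set on the noxattrfs attribute rather than by a raw allow on dosfs_t alone.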
