On Fri, 2010-07-16 at 21:30 +0200, Karl-Johan Karlsson wrote:
> Hello,
>
> I'm trying to get SELinux running on my general home server. Up until now
> following Gentoo's SELinux guide has been going pretty well, and what problems
> I've had I've solved and filed patches for in Bugzilla, but now I've hit a
> problem I can't find a solution for: it seems the NFS server is running as
> the wrong type.
[...]
> Sure enough, the nfsd kernel thread is running as kernel_t:
>
> # ps -A -o context,pid,user,command | grep [n]fs
> system_u:system_r:kernel_t 556 root [nfsiod]
> system_u:system_r:nfsd_t 28617 root /usr/sbin/rpc.mountd -p 2050
> system_u:system_r:kernel_t 28622 root [nfsd]
> system_u:system_r:kernel_t 28623 root [nfsd]
This is expected behavior. All kernel threads are kernel_t, so the
kernel nfsd is also kernel_t.
> even though the binary that starts it is labeled as nfsd_exec_t, just like
> rpc.mountd, which runs as the correct type:
>
> # ls -Z --format=single-column /usr/sbin/rpc.*
> system_u:object_r:nfsd_exec_t /usr/sbin/rpc.mountd
> system_u:object_r:nfsd_exec_t /usr/sbin/rpc.nfsd
rpc.nfsd is only a userspace helper component. The real server is the
kernel thread. From the rpc.nfsd man page:
"The rpc.nfsd program implements the user level part of the NFS service.
The main functionality is handled by the nfsd kernel module. The
userspace program merely specifies what sort of sockets the kernel
service should listen on, what NFS versions it should support, and how
many kernel threads it should use."
> and there are standard rules in place which would allow these accesses if
> they were done as nfsd_t:
>
> # sesearch --allow -s nfsd_t -t user_home_t
> Found 11 semantic av rules:
> allow nfsd_t file_type : filesystem getattr ;
> allow nfsd_t file_type : dir { ioctl read getattr lock search open } ;
> allow nfsd_t file_type : sock_file getattr ;
> allow nfsd_t file_type : fifo_file getattr ;
> allow nfsd_t user_home_t : file { ioctl read getattr lock open } ;
> allow nfsd_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow nfsd_t user_home_t : dir { ioctl read getattr lock search open } ;
> allow nfsd_t user_home_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
> allow nfsd_t user_home_t : lnk_file { read create getattr setattr unlink link rename } ;
> allow nfsd_t user_home_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow nfsd_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
I believe these are leftover from the times that people had the nfsd
completely in userspace (no kernel nfsd).
> Is there a way to get the kernel nfsd thread to run as nfsd_t instead of
> kernel_t?
No. You would have to run a completely userspace nfsd; I don't know if
that is even supported anymore. The performance penalty would probably
be prohibitive too.
--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux
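As an added example (not part of the thread), a small Python check that encodes the rule Chris states: kernel threads, which ps shows with bracketed names, are expected to run as kernel_t regardless of how any binary is labeled, while a userspace process executed from an nfsd_exec_t file is expected to land in nfsd_t. The ps lines are constructed from the ones quoted above plus one made-up initrc_t mismatch, and the nfsd_exec_t to nfsd_t mapping is an assumption about the policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the ps output quoted in the thread; the
# last line is a made-up mismatch (rpc.nfsd left in its caller's domain).
SAMPLE_PS = """\
system_u:system_r:kernel_t 556 root [nfsiod]
system_u:system_r:nfsd_t 28617 root /usr/sbin/rpc.mountd -p 2050
system_u:system_r:kernel_t 28622 root [nfsd]
system_u:system_r:kernel_t 28623 root [nfsd]
system_u:system_r:initrc_t 28630 root /usr/sbin/rpc.nfsd 8
"""
# File labels as `ls -Z` showed them in the thread (assumed complete here).
EXEC_LABELS = {"/usr/sbin/rpc.mountd": "nfsd_exec_t", "/usr/sbin/rpc.nfsd": "nfsd_exec_t"}
# Domain a userspace process should enter on executing a file of that type
# (assumed policy mapping).
EXEC_TO_DOMAIN = {"nfsd_exec_t": "nfsd_t"}
KERNEL_DOMAIN = "kernel_t"   # every kernel thread, nfsd included

@dataclass
class Proc:
    domain: str
    pid: int
    command: str

    def is_kernel_thread(self) -> bool:
        # ps prints kernel threads with the name in square brackets
        return self.command.startswith("[") and self.command.endswith("]")

def parse_ps_line(line: str) -> Proc:
    context, pid, _user, command = line.split(None, 3)
    return Proc(context.split(":")[2], int(pid), command)  # user:role:type

def expected_domain(proc: Proc) -> Optional[str]:
    if proc.is_kernel_thread():
        return KERNEL_DOMAIN  # no exec transition applies to a kernel thread
    exec_type = EXEC_LABELS.get(proc.command.split()[0])
    return EXEC_TO_DOMAIN.get(exec_type) if exec_type else None

def audit(ps_output: str) -> list:
    """(pid, command, actual, expected, ok) per line; ok is None if unknown."""
    rows = []
    for line in filter(str.strip, ps_output.splitlines()):
        p = parse_ps_line(line)
        exp = expected_domain(p)
        ok = None if exp is None else p.domain == exp
        rows.append((p.pid, p.command, p.domain, exp, ok))
    return rows

def mismatches(ps_output: str) -> list:
    return [r for r in audit(ps_output) if r[4] is False]
```

Run against real output of `ps -A -o context,pid,user,command`, the nfsd threads come back as expected kernel_t, so only userspace helpers such as rpc.mountd can be flagged.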