Re: 2.6.18-rc4-mm1
From: David Howells
Date: Wed Aug 16 2006 - 05:31:53 EST
Andrew Morton <akpm@xxxxxxxx> wrote:
> > > SELinux: initialized (dev 0:15, type nfs), uses genfs_contexts
> >
> > I wonder if this is something to do with it.
>
> `echo 0 > /selinux/enforce' "fixes" it.
Aha!!!!
[root@andromeda ~]# ls -l /net/trash
total 87
drwxr-xr-x 2 root root 3072 Aug 10 04:10 bin/
drwxr-xr-x 2 root root 1024 Aug 1 16:13 boot/
drwxr-xr-x 2 root root 1024 Aug 1 16:13 dev/
drwxr-xr-x 133 root root 10240 Aug 16 10:01 etc/
drwxr-xr-x 2 root root 1024 Jul 12 09:48 home/
drwxr-xr-x 12 root root 7168 Aug 10 04:10 lib/
drwxrwsr-x 2 root cambridge 1024 Aug 1 20:41 local/
drwx------ 2 root root 12288 Aug 1 16:12 lost+found/
drwxr-xr-x 2 root root 1024 Jul 12 09:48 media/
drwxr-xr-x 2 root root 1024 Jul 24 14:17 misc/
dr-xr-xr-x 2 root root 1024 Aug 3 09:35 net/
dr-xr-xr-x 2 root root 1024 Aug 9 16:27 netopt/
?--------- ? ? ? ? ? /net/trash/mnt
?--------- ? ? ? ? ? /net/trash/usr
drwxr-xr-x 2 root root 1024 Jul 12 09:48 opt/
drwxr-xr-x 2 root root 1024 Aug 1 16:13 proc/
dr-xr-xr-x 2 root root 1024 Aug 3 09:26 project/
drwxr-x--- 4 root root 1024 Aug 16 09:59 root/
drwxr-xr-x 2 root root 11264 Aug 10 04:10 sbin/
drwxr-xr-x 2 root root 1024 Aug 1 16:13 selinux/
drwxr-xr-x 2 root root 1024 Jul 12 09:48 srv/
drwxr-xr-x 2 root root 1024 Aug 1 16:13 sys/
drwxr-xr-x 3 root root 1024 Aug 1 20:27 tftpboot/
drwxrwxrwt 4 root root 3072 Aug 16 09:46 tmp/
drwxr-xr-x 29 root root 1024 Aug 1 19:56 var/
drwxr-xr-x 2 root root 1024 Aug 9 11:35 warthog/
Look familiar?
Requires: autofs4, nfs and SELinux in enforcing mode.
Check your audit logs. I knew auditing had to be good for something...
| pid 3500: autofs4_lookup: name = trash
| pid 3500: autofs4_lookup: pid = 3500, pgrp = 3500, catatonic = 0, oz_mode = 0
| pid 3500: try_to_fill_dentry: dentry=c0887354 trash ino=00000000
| pid 3500: try_to_fill_dentry: waiting for mount name=trash
| pid 3500: autofs4_wait: new wait id = 0x00000003, name = trash, nfy=1
|
| pid 3500: autofs4_notify_daemon: wait id = 0x00000003, name = trash, type=0
| audit(1155719601.431:214): avc: denied { read } for pid=3503 comm="showmount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
| audit(1155719601.483:215): avc: denied { name_bind } for pid=3503 comm="showmount" src=712 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
| audit(1155719601.543:216): avc: denied { read } for pid=3501 comm="automount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
| audit(1155719601.567:217): avc: denied { name_bind } for pid=3501 comm="automount" src=710 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
| pid 3501: autofs4_dir_mkdir: dentry c0887354, creating trash
| audit(1155719601.627:218): avc: denied { read } for pid=3507 comm="mount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:mount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
Autofs magic up to this point.
| --> nfs_init_server()
| --> nfs_get_client(trash,172.16.18.103:264,3)
| --> nfs_get_client() = c0703800 [new]
| SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
| <-- nfs_init_server() = 0 [new c0703800]
That created and initialised an NFS common client and FSID-specific client
struct (struct nfs_server).
| --> nfs_probe_fsinfo()
| <-- nfs_probe_fsinfo() = 0
| Server FSID: 303:0
Determine the FSID.
| NFS: nfs_fhget(0:18/0 ct=1)
Get the dummy root (s_root).
| NFS: nfs_fhget(0:18/2 ct=1)
Get the actual root (inode 2).
| SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
And that's the NFS superblock set up.
| pid 3507: autofs4_dentry_release: releasing c0c13514
| pid 3507: autofs4_lookup: name = trash:
| pid 3507: autofs4_lookup: pid = 3507, pgrp = 3207, catatonic = 0, oz_mode = 1
| audit(1155719601.775:219): avc: denied { read } for pid=3501 comm="automount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
| audit(1155719601.799:220): avc: denied { name_bind } for pid=3501 comm="automount" src=713 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
| NFS: nfs_update_inode(0:18/2 ct=1 info=0x6)
| NFS: permission(0:18/2), mask=0x1, res=0
Looks reasonable up to here.
| NFS: permission(0:18/2), mask=0x1, res=0
| NFS: lookup(/usr)
| NFS: permission(0:18/2), mask=0x3, res=0
| audit(1155719601.839:221): avc: denied { write } for pid=3501 comm="automount" name="" dev=0:18 ino=2 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
| NFS: dentry_delete(/usr, 0)
| audit(1155719601.867:222): avc: denied { read } for pid=3501 comm="automount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
| audit(1155719601.891:223): avc: denied { name_bind } for pid=3501 comm="automount" src=715 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
It seems that the automounter is attempting to do things to /usr.
| NFS: permission(0:18/2), mask=0x1, res=0
| NFS: permission(0:18/2), mask=0x1, res=0
| NFS: lookup(/mnt)
| NFS: permission(0:18/2), mask=0x3, res=0
| audit(1155719601.927:224): avc: denied { write } for pid=3501 comm="automount" name="" dev=0:18 ino=2 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
| NFS: dentry_delete(/mnt, 0)
And /mnt.
| pid 3207: autofs4_root_ioctl: cmd = 0x00009360, arg = 0x00000003, sbi = c54beaa0, pgrp = 3207
| pid 3500: try_to_fill_dentry: mount done status=0
| NFS: nfs_update_inode(0:18/2 ct=1 info=0x6)
| NFS: permission(0:18/2), mask=0x4, res=0
| NFS: opendir(0:18/2)
| NFS: readdir(/) starting at cookie 0
| NFS: nfs_update_inode(0:18/2 ct=1 info=0x6)
| NFS: nfs_fhget(0:18/2502657 ct=1)
| NFS: dentry_delete(/local, 0)
| NFS: nfs_fhget(0:18/10770433 ct=1)
| NFS: dentry_delete(/srv, 0)
| NFS: nfs_fhget(0:18/11 ct=1)
| NFS: dentry_delete(/lost+found, 0)
| NFS: nfs_fhget(0:18/10317825 ct=1)
| NFS: dentry_delete(/tmp, 0)
| NFS: nfs_fhget(0:18/2541569 ct=1)
| NFS: dentry_delete(/bin, 0)
| NFS: nfs_fhget(0:18/7063553 ct=1)
| NFS: dentry_delete(/media, 0)
| NFS: nfs_fhget(0:18/2594817 ct=1)
| NFS: dentry_delete(/lib, 0)
| NFS: nfs_fhget(0:18/10704897 ct=1)
| NFS: dentry_delete(/var, 0)
| NFS: dentry_delete(/usr, 8)
| NFS: dentry_delete(/mnt, 8)
And then it proceeds as normal, barring the fack that the dentried for
trash:/usr and trash:/mnt already exist.
Putting SELinux into permissive mode, I see:
: pid 3376: autofs4_lookup: name = trash
: pid 3376: autofs4_lookup: pid = 3376, pgrp = 3376, catatonic = 0, oz_mode = 0
: pid 3376: try_to_fill_dentry: dentry=c56874b4 trash ino=00000000
: pid 3376: try_to_fill_dentry: waiting for mount name=trash
: pid 3376: autofs4_wait: new wait id = 0x00000001, name = trash, nfy=1
:
: pid 3376: autofs4_notify_daemon: wait id = 0x00000001, name = trash, type=0
: pid 3377: autofs4_dir_mkdir: dentry c56874b4, creating trash
: audit(1155719382.989:183): avc: denied { read } for pid=3383 comm="mount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:mount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
: --> nfs_init_server()
: --> nfs_get_client(trash,172.16.18.103:264,3)
: --> nfs_get_client() = c752e000 [new]
: SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
: <-- nfs_init_server() = 0 [new c752e000]
: --> nfs_probe_fsinfo()
: <-- nfs_probe_fsinfo() = 0
: Server FSID: 303:0
: NFS: nfs_fhget(0:18/0 ct=1)
: NFS: nfs_fhget(0:18/2 ct=1)
: SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
: pid 3383: autofs4_lookup: name = trash:
: pid 3383: autofs4_lookup: pid = 3383, pgrp = 3207, catatonic = 0, oz_mode = 1
: NFS: nfs_update_inode(0:18/2 ct=1 info=0x6)
: NFS: permission(0:18/2), mask=0x1, res=0
Looks okay up to here.
: NFS: permission(0:18/2), mask=0x1, res=0
: NFS: lookup(/usr)
: NFS: permission(0:18/2), mask=0x3, res=0
: audit(1155719383.149:184): avc: denied { write } for pid=3377 comm="automount" name="" dev=0:18 ino=2 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
: audit(1155719383.165:185): avc: denied { add_name } for pid=3377 comm="automount" name="usr" scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
: audit(1155719383.181:186): avc: denied { create } for pid=3377 comm="automount" name="usr" scontext=root:system_r:automount_t:s0 tcontext=root:object_r:nfs_t:s0 tclass=dir
: NFS: mkdir(0:18/2), usr
What is going on here?????????????????????????????????????????????????????
stracing the automount daemon, I see:
[pid 3803] mkdir("/net", 0555) = -1 EEXIST (File exists)
[pid 3803] stat64("/net", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid 3803] mkdir("/net/trash", 0555) = -1 EEXIST (File exists)
[pid 3803] stat64("/net/trash", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
[pid 3803] mkdir("/net/trash/usr", 0555) = -1 EACCES (Permission denied)
I think that would be the problem. Ian?
David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/