Backport bug fix to RHEL 6.2 z-stream

Solution Verified - Updated -

Issue

We are experiencing an issue with mounting an NFS share exported from a RHEL 6.2 host. A similar share exported from a RHEL 6.1 host works fine.

Our RHEL 6.1 host has selinux-policy-3.7.19-93.el6_1.7.noarch installed.

Our RHEL 6.2 host has selinux-policy-3.7.19-126.el6_2.10.noarch installed.

On both hosts, /etc/exports contains:

/srv/provisioning *(ro,no_root_squash)

and /srv/provisioning is a symlink to /srv/vol/data01/provisioning.

Mounting the real directory, /srv/vol/data01/provisioning, is successful on both hosts. But mounting the /srv/provisioning symlink is successful only on the RHEL 6.1 host. It fails on the RHEL 6.2 host. The client reports:

mount: uxadmksl01:/srv/provisioning failed, reason given by server: Permission denied

The server logs this in /var/log/messages:

Sep 7 10:08:53 uxadmksl01 rpc.mountd[31279]: refused mount request from 192.168.1.188 for /srv/provisioning (/): no export entry

and this in /var/log/audit/audit.log:

type=AVC msg=audit(1347030533.563:238190): avc: denied { getattr } for pid=31279 comm="rpc.mountd" path="/srv/provisioning" dev=sda1 ino=1587111 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file

The SELinux booleans nfs_export_all_ro and nfs_export_all_rw are set to true on the RHEL 6.1 host. I believe this is why mounting the symlink works correctly. When I set the booleans to false, the mount no longer works, failing with the same symptoms as on the RHEL 6.2 host. On the RHEL 6.2 host, however, the booleans don't even exist.

[root@uxadmksl01 ~]# getsebool nfs_export_all_ro
Error getting active value for nfs_export_all_ro
[root@uxadmksl01 ~]# getsebool nfs_export_all_rw
Error getting active value for nfs_export_all_rw

According to the selinux-policy changelog, the booleans were removed in 3.7.19-137:

  • Thu Feb 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.7.19-137
    • Remove nfs_* booleans because nfs runs in kernel_t domain
      Resolves:#760405

and the resulting bug was fixed in 3.7.19-150:

  • Wed May 09 2012 Miroslav Grepl <mgrepl@redhat.com> 3.7.19-150
    • Allow rpc.mountd to read all files/dirs

I upgraded selinux-policy to the latest selinux-policy in the rhel-x86_64-server-6 channel, selinux-policy-3.7.19-155.el6_3.noarch, and that resolved the issue.

But we use the 6.2 z-stream channel, rhel-x86_64-server-6.2.z. It seems the first change was backported to the latest selinux-policy in rhel-x86_64-server-6.2.z, selinux-policy-3.7.19-126.el6_2.10.noarch, but the second change was not.

How can we get the second change backported to the 6.2 z-stream? Also, more generally, do bugfixes automatically get backported to the z-streams or do we have to request that you do so?

Environment

Red Hat Enterprise Linux

6.2
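
The correlation made by hand in the issue above (an /etc/exports entry, an rpc.mountd refusal and an AVC denial on a lnk_file) can be automated. The following is an added example, not part of the original solution or any Red Hat tool; the function names are hypothetical, and the sample input is the three lines quoted in the issue.

```python
import re
import shlex

# Sample input: the three lines quoted in the issue above.
EXPORTS = "/srv/provisioning *(ro,no_root_squash)\n"
MOUNTD = ("Sep 7 10:08:53 uxadmksl01 rpc.mountd[31279]: refused mount request "
          "from 192.168.1.188 for /srv/provisioning (/): no export entry")
AVC = ('type=AVC msg=audit(1347030533.563:238190): avc: denied { getattr } for '
       'pid=31279 comm="rpc.mountd" path="/srv/provisioning" dev=sda1 ino=1587111 '
       'scontext=unconfined_u:system_r:nfsd_t:s0 '
       'tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file')

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
MOUNTD_RE = re.compile(r"rpc\.mountd\[(\d+)\]: refused mount request from (\S+) for (\S+) ")


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(tok.split("=", 1) for tok in shlex.split(m.group(2)) if "=" in tok)
    rec["perms"] = m.group(1).split()
    # An SELinux context is user:role:type:level; policy rules match on the type.
    rec["stype"] = rec.get("scontext", ":::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", ":::").split(":")[2]
    return rec


def export_paths(exports_text):
    """First field of each non-comment /etc/exports line."""
    fields = (shlex.split(line, comments=True) for line in exports_text.splitlines())
    return [f[0] for f in fields if f]


def symlink_export_denials(exports_text, avc_lines, mountd_lines):
    """Denials where rpc.mountd was refused access to an exported symlink."""
    exported = set(export_paths(exports_text))
    # (pid, path) -> client address, taken from the mountd refusals
    refused = {(m.group(1), m.group(3)): m.group(2)
               for m in map(MOUNTD_RE.search, mountd_lines) if m}
    hits = []
    for rec in filter(None, map(parse_avc, avc_lines)):
        key = (rec.get("pid"), rec.get("path"))
        if rec.get("tclass") == "lnk_file" and key[1] in exported and key in refused:
            hits.append((key[1], refused[key], rec["stype"], rec["ttype"], rec["perms"]))
    return hits


if __name__ == "__main__":
    print(symlink_export_denials(EXPORTS, [AVC], [MOUNTD]))
```

A hit names the source and target types (here nfsd_t and var_t), which is what to compare against the installed selinux-policy version.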
