Backport bug fix to RHEL 6.2 z-stream
Issue
We are experiencing an issue with mounting an NFS share exported from a RHEL 6.2 host. A similar share exported from a RHEL 6.1 host works fine.
Our RHEL 6.1 host has selinux-policy-3.7.19-93.el6_1.7.noarch installed.
Our RHEL 6.2 host has selinux-policy-3.7.19-126.el6_2.10.noarch installed.
On both hosts, /etc/exports contains:
/srv/provisioning *(ro,no_root_squash)
and /srv/provisioning is a symlink to /srv/vol/data01/provisioning.
Mounting the real directory, /srv/vol/data01/provisioning, is successful on both hosts. But mounting the /srv/provisioning symlink is successful only on the RHEL 6.1 host. It fails on the RHEL 6.2 host. The client reports:
mount: uxadmksl01:/srv/provisioning failed, reason given by server: Permission denied
The server logs this in /var/log/messages:
Sep 7 10:08:53 uxadmksl01 rpc.mountd[31279]: refused mount request from 192.168.1.188 for /srv/provisioning (/): no export entry
and this in /var/log/audit/audit.log:
type=AVC msg=audit(1347030533.563:238190): avc: denied { getattr } for pid=31279 comm="rpc.mountd" path="/srv/provisioning" dev=sda1 ino=1587111 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
The SELinux booleans nfs_export_all_ro and nfs_export_all_rw are set to true on the RHEL 6.1 host. I believe this is why mounting the symlink works correctly. When I set the booleans to false, the mount no longer works, failing with the same symptoms as on the RHEL 6.2 host. On the RHEL 6.2 host, however, the booleans don't even exist.
[root@uxadmksl01 ~]# getsebool nfs_export_all_ro
Error getting active value for nfs_export_all_ro
[root@uxadmksl01 ~]# getsebool nfs_export_all_rw
Error getting active value for nfs_export_all_rw
According to the selinux-policy changelog, the booleans were removed in 3.7.19-137:
- Thu Feb 16 2012 Miroslav Grepl mgrepl@redhat.com 3.7.19-137
- Remove nfs_* booleans because nfs runs in kernel_t domain
Resolves:#760405
- Remove nfs_* booleans because nfs runs in kernel_t domain
and the resulting bug was fixed in 3.7.19-150:
- Wed May 09 2012 Miroslav Grepl mgrepl@redhat.com 3.7.19-150
- Allow rpc.mountd to read all files/dirs
I upgraded selinux-policy to the latest selinux-policy in the rhel-x86_64-server-6 channel, selinux-policy-3.7.19-155.el6_3.noarch, and that resolved the issue.
But we use the 6.2 z-stream channel, rhel-x86_64-server-6.2.z. It seems the first change was backported to the latest selinux-policy in rhel-x86_64-server-6.2.z, selinux-policy-3.7.19-126.el6_2.10.noarch, but the second change was not.
How can we get the second change backported to the 6.2 z-stream? Also, more generally, do bugfixes automatically get backported to the z-streams or do we have to request that you do so?
Environment
Red Hat Enterprise Linux
6.2
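For triaging this kind of failure across a whole audit.log, the sketch below parses AVC records and keeps only those where rpc.mountd was denied access to a symlink, reporting the source and target SELinux types. It is an added example, not code from the original post or from Red Hat; the function names are assumptions, the first sample line is the denial quoted in the post, and the other two are constructed.

```python
import re

# key=value fields of an audit record; values are bare tokens or quoted strings.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_STAMP = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")

def _setype(context):
    # An SELinux context is user:role:type:level; policy rules match on the type.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    perms = _PERMS.search(line)
    if not line.startswith("type=AVC") or perms is None:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    stamp = _STAMP.search(line)
    rec["perms"] = perms.group(1).split()
    rec["epoch"] = int(stamp.group(1)) if stamp else None
    rec["source_type"] = _setype(rec.get("scontext", ""))
    rec["target_type"] = _setype(rec.get("tcontext", ""))
    return rec

def mountd_symlink_denials(lines):
    """Denials where rpc.mountd was refused access to a symlink (tclass=lnk_file)."""
    hits = []
    for line in lines:
        rec = parse_avc(line.strip())
        if rec and rec.get("comm") == "rpc.mountd" and rec.get("tclass") == "lnk_file":
            hits.append(rec)
    return hits

SAMPLE_LOG = [
    # The denial quoted in the post above.
    'type=AVC msg=audit(1347030533.563:238190): avc: denied { getattr } for pid=31279 comm="rpc.mountd" path="/srv/provisioning" dev=sda1 ino=1587111 scontext=unconfined_u:system_r:nfsd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file',
    # Constructed: an unrelated denial on a regular file, which must be filtered out.
    'type=AVC msg=audit(1347030600.101:238201): avc: denied { read } for pid=4021 comm="httpd" name="index.html" dev=sda1 ino=1587200 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file',
    # Constructed: a non-AVC record, which parse_avc() must reject.
    'type=SYSCALL msg=audit(1347030533.563:238190): arch=c000003e syscall=6 success=no exit=-13 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"',
]

if __name__ == "__main__":
    for d in mountd_symlink_denials(SAMPLE_LOG):
        print("%s: %s denied {%s} on symlink %s labelled %s" % (
            d["epoch"], d["source_type"], " ".join(d["perms"]), d["path"], d["target_type"]))
```

Each reported path can then be compared against the entries in /etc/exports to find exports that are symlinks.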
