Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751063AbWHPJe1 (ORCPT ); Wed, 16 Aug 2006 05:34:27 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751064AbWHPJe1 (ORCPT ); Wed, 16 Aug 2006 05:34:27 -0400 Received: from mx1.redhat.com ([66.187.233.31]:52702 "EHLO mx1.redhat.com") by vger.kernel.org with ESMTP id S1751062AbWHPJe0 (ORCPT ); Wed, 16 Aug 2006 05:34:26 -0400 From: David Howells In-Reply-To: <20060815114912.d8fa1512.akpm@osdl.org> References: <20060815114912.d8fa1512.akpm@osdl.org> <20060815104813.7e3a0f98.akpm@osdl.org> <20060815065035.648be867.akpm@osdl.org> <20060814143110.f62bfb01.akpm@osdl.org> <20060813133935.b0c728ec.akpm@osdl.org> <20060813012454.f1d52189.akpm@osdl.org> <10791.1155580339@warthog.cambridge.redhat.com> <918.1155635513@warthog.cambridge.redhat.com> <29717.1155662998@warthog.cambridge.redhat.com> <6241.1155666920@warthog.cambridge.redhat.com> To: Andrew Morton Cc: David Howells , linux-kernel@vger.kernel.org, Trond Myklebust , Ian Kent Subject: Re: 2.6.18-rc4-mm1 X-Mailer: MH-E 8.0; nmh 1.1; GNU Emacs 22.0.50 Date: Wed, 16 Aug 2006 10:34:12 +0100 Message-ID: <29660.1155720852@warthog.cambridge.redhat.com> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 9958 Lines: 201 Andrew Morton wrote: > > > SELinux: initialized (dev 0:15, type nfs), uses genfs_contexts > > > > I wonder if this is something to do with it. > > `echo 0 > /selinux/enforce' "fixes" it. Aha!!!! [root@andromeda ~]# ls -l /net/trash total 87 drwxr-xr-x 2 root root 3072 Aug 10 04:10 bin/ drwxr-xr-x 2 root root 1024 Aug 1 16:13 boot/ drwxr-xr-x 2 root root 1024 Aug 1 16:13 dev/ drwxr-xr-x 133 root root 10240 Aug 16 10:01 etc/ drwxr-xr-x 2 root root 1024 Jul 12 09:48 home/ drwxr-xr-x 12 root root 7168 Aug 10 04:10 lib/ drwxrwsr-x 2 root cambridge 1024 Aug 1 20:41 local/ drwx------ 2 root root 12288 Aug 1 16:12 lost+found/ drwxr-xr-x 2 root root 1024 Jul 12 09:48 media/ drwxr-xr-x 2 root root 1024 Jul 24 14:17 misc/ dr-xr-xr-x 2 root root 1024 Aug 3 09:35 net/ dr-xr-xr-x 2 root root 1024 Aug 9 16:27 netopt/ ?--------- ? ? ? ? ? /net/trash/mnt ?--------- ? ? ? ? ? /net/trash/usr drwxr-xr-x 2 root root 1024 Jul 12 09:48 opt/ drwxr-xr-x 2 root root 1024 Aug 1 16:13 proc/ dr-xr-xr-x 2 root root 1024 Aug 3 09:26 project/ drwxr-x--- 4 root root 1024 Aug 16 09:59 root/ drwxr-xr-x 2 root root 11264 Aug 10 04:10 sbin/ drwxr-xr-x 2 root root 1024 Aug 1 16:13 selinux/ drwxr-xr-x 2 root root 1024 Jul 12 09:48 srv/ drwxr-xr-x 2 root root 1024 Aug 1 16:13 sys/ drwxr-xr-x 3 root root 1024 Aug 1 20:27 tftpboot/ drwxrwxrwt 4 root root 3072 Aug 16 09:46 tmp/ drwxr-xr-x 29 root root 1024 Aug 1 19:56 var/ drwxr-xr-x 2 root root 1024 Aug 9 11:35 warthog/ Look familiar? Requires: autofs4, nfs and SELinux in enforcing mode. Check your audit logs. I knew auditing had to be good for something... | pid 3500: autofs4_lookup: name = trash | pid 3500: autofs4_lookup: pid = 3500, pgrp = 3500, catatonic = 0, oz_mode = 0 | pid 3500: try_to_fill_dentry: dentry=c0887354 trash ino=00000000 | pid 3500: try_to_fill_dentry: waiting for mount name=trash | pid 3500: autofs4_wait: new wait id = 0x00000003, name = trash, nfy=1 | | pid 3500: autofs4_notify_daemon: wait id = 0x00000003, name = trash, type=0 | audit(1155719601.431:214): avc: denied { read } for pid=3503 comm="showmount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file | audit(1155719601.483:215): avc: denied { name_bind } for pid=3503 comm="showmount" src=712 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket | audit(1155719601.543:216): avc: denied { read } for pid=3501 comm="automount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file | audit(1155719601.567:217): avc: denied { name_bind } for pid=3501 comm="automount" src=710 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket | pid 3501: autofs4_dir_mkdir: dentry c0887354, creating trash | audit(1155719601.627:218): avc: denied { read } for pid=3507 comm="mount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:mount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file Autofs magic up to this point. | --> nfs_init_server() | --> nfs_get_client(trash,172.16.18.103:264,3) | --> nfs_get_client() = c0703800 [new] | SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts | <-- nfs_init_server() = 0 [new c0703800] That created and initialised an NFS common client and FSID-specific client struct (struct nfs_server). | --> nfs_probe_fsinfo() | <-- nfs_probe_fsinfo() = 0 | Server FSID: 303:0 Determine the FSID. | NFS: nfs_fhget(0:18/0 ct=1) Get the dummy root (s_root). | NFS: nfs_fhget(0:18/2 ct=1) Get the actual root (inode 2). | SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts And that's the NFS superblock set up. | pid 3507: autofs4_dentry_release: releasing c0c13514 | pid 3507: autofs4_lookup: name = trash: | pid 3507: autofs4_lookup: pid = 3507, pgrp = 3207, catatonic = 0, oz_mode = 1 | audit(1155719601.775:219): avc: denied { read } for pid=3501 comm="automount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file | audit(1155719601.799:220): avc: denied { name_bind } for pid=3501 comm="automount" src=713 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket | NFS: nfs_update_inode(0:18/2 ct=1 info=0x6) | NFS: permission(0:18/2), mask=0x1, res=0 Looks reasonable up to here. | NFS: permission(0:18/2), mask=0x1, res=0 | NFS: lookup(/usr) | NFS: permission(0:18/2), mask=0x3, res=0 | audit(1155719601.839:221): avc: denied { write } for pid=3501 comm="automount" name="" dev=0:18 ino=2 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir | NFS: dentry_delete(/usr, 0) | audit(1155719601.867:222): avc: denied { read } for pid=3501 comm="automount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file | audit(1155719601.891:223): avc: denied { name_bind } for pid=3501 comm="automount" src=715 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket It seems that the automounter is attempting to do things to /usr. | NFS: permission(0:18/2), mask=0x1, res=0 | NFS: permission(0:18/2), mask=0x1, res=0 | NFS: lookup(/mnt) | NFS: permission(0:18/2), mask=0x3, res=0 | audit(1155719601.927:224): avc: denied { write } for pid=3501 comm="automount" name="" dev=0:18 ino=2 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir | NFS: dentry_delete(/mnt, 0) And /mnt. | pid 3207: autofs4_root_ioctl: cmd = 0x00009360, arg = 0x00000003, sbi = c54beaa0, pgrp = 3207 | pid 3500: try_to_fill_dentry: mount done status=0 | NFS: nfs_update_inode(0:18/2 ct=1 info=0x6) | NFS: permission(0:18/2), mask=0x4, res=0 | NFS: opendir(0:18/2) | NFS: readdir(/) starting at cookie 0 | NFS: nfs_update_inode(0:18/2 ct=1 info=0x6) | NFS: nfs_fhget(0:18/2502657 ct=1) | NFS: dentry_delete(/local, 0) | NFS: nfs_fhget(0:18/10770433 ct=1) | NFS: dentry_delete(/srv, 0) | NFS: nfs_fhget(0:18/11 ct=1) | NFS: dentry_delete(/lost+found, 0) | NFS: nfs_fhget(0:18/10317825 ct=1) | NFS: dentry_delete(/tmp, 0) | NFS: nfs_fhget(0:18/2541569 ct=1) | NFS: dentry_delete(/bin, 0) | NFS: nfs_fhget(0:18/7063553 ct=1) | NFS: dentry_delete(/media, 0) | NFS: nfs_fhget(0:18/2594817 ct=1) | NFS: dentry_delete(/lib, 0) | NFS: nfs_fhget(0:18/10704897 ct=1) | NFS: dentry_delete(/var, 0) | NFS: dentry_delete(/usr, 8) | NFS: dentry_delete(/mnt, 8) And then it proceeds as normal, barring the fack that the dentried for trash:/usr and trash:/mnt already exist. Putting SELinux into permissive mode, I see: : pid 3376: autofs4_lookup: name = trash : pid 3376: autofs4_lookup: pid = 3376, pgrp = 3376, catatonic = 0, oz_mode = 0 : pid 3376: try_to_fill_dentry: dentry=c56874b4 trash ino=00000000 : pid 3376: try_to_fill_dentry: waiting for mount name=trash : pid 3376: autofs4_wait: new wait id = 0x00000001, name = trash, nfy=1 : : pid 3376: autofs4_notify_daemon: wait id = 0x00000001, name = trash, type=0 : pid 3377: autofs4_dir_mkdir: dentry c56874b4, creating trash : audit(1155719382.989:183): avc: denied { read } for pid=3383 comm="mount" name="cambridge-temp.redhat.com.2" dev=hda2 ino=688243 scontext=root:system_r:mount_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file : --> nfs_init_server() : --> nfs_get_client(trash,172.16.18.103:264,3) : --> nfs_get_client() = c752e000 [new] : SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts : <-- nfs_init_server() = 0 [new c752e000] : --> nfs_probe_fsinfo() : <-- nfs_probe_fsinfo() = 0 : Server FSID: 303:0 : NFS: nfs_fhget(0:18/0 ct=1) : NFS: nfs_fhget(0:18/2 ct=1) : SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts : pid 3383: autofs4_lookup: name = trash: : pid 3383: autofs4_lookup: pid = 3383, pgrp = 3207, catatonic = 0, oz_mode = 1 : NFS: nfs_update_inode(0:18/2 ct=1 info=0x6) : NFS: permission(0:18/2), mask=0x1, res=0 Looks okay up to here. : NFS: permission(0:18/2), mask=0x1, res=0 : NFS: lookup(/usr) : NFS: permission(0:18/2), mask=0x3, res=0 : audit(1155719383.149:184): avc: denied { write } for pid=3377 comm="automount" name="" dev=0:18 ino=2 scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir : audit(1155719383.165:185): avc: denied { add_name } for pid=3377 comm="automount" name="usr" scontext=root:system_r:automount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir : audit(1155719383.181:186): avc: denied { create } for pid=3377 comm="automount" name="usr" scontext=root:system_r:automount_t:s0 tcontext=root:object_r:nfs_t:s0 tclass=dir : NFS: mkdir(0:18/2), usr What is going on here????????????????????????????????????????????????????? stracing the automount daemon, I see: [pid 3803] mkdir("/net", 0555) = -1 EEXIST (File exists) [pid 3803] stat64("/net", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0 [pid 3803] mkdir("/net/trash", 0555) = -1 EEXIST (File exists) [pid 3803] stat64("/net/trash", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 [pid 3803] mkdir("/net/trash/usr", 0555) = -1 EACCES (Permission denied) I think that would be the problem. Ian? David - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/