NFSD warning?

Arthur Dent misc.lists at blueyonder.co.uk
Thu Aug 26 09:48:47 UTC 2010


Hello all,

Working with Dominick to solve my clamd denial problem has caused me to
use ausearch more often than I normally would.

This has revealed a large and constant amount of these messages:

----
time->Thu Aug 26 10:31:37 2010
type=SYSCALL msg=audit(1282815097.754:55608): arch=40000003 syscall=300
success=no exit=-13 a0=9 a1=243c883 a2=bf8d6de0 a3=0 items=0 ppid=1
pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1282815097.754:55608): avc:  denied  { getattr } for
pid=1228 comm="rpc.mountd" path="/proc/kcore" dev=proc ino=4026531989
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
----
time->Thu Aug 26 10:31:37 2010
type=SYSCALL msg=audit(1282815097.756:55609): arch=40000003 syscall=5
success=no exit=-13 a0=243bca8 a1=8000 a2=0 a3=243bc68 items=0 ppid=1
pid=1228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rpc.mountd"
exe="/usr/sbin/rpc.mountd" subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(1282815097.756:55609): avc:  denied  { read } for
pid=1228 comm="rpc.mountd" name="sda11" dev=devtmpfs ino=5616
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.028:55622): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.028:55623): avc:  denied  { 0x400000 } for
pid=1221 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.063:55624): avc:  denied  { 0x400000 } for
pid=1221 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.076:55625): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.101:55626): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.122:55627): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.136:55628): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.154:55629): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:43:30 2010
type=AVC msg=audit(1282815810.307:55648): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:43:30 2010
type=AVC msg=audit(1282815810.321:55649): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:43:30 2010
type=AVC msg=audit(1282815810.335:55650): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:43:30 2010
type=AVC msg=audit(1282815810.354:55651): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:45:04 2010
type=SYSCALL msg=audit(1282815904.588:55656): arch=40000003 syscall=11
success=yes exit=0 a0=15559d0 a1=bf9c9f7c a2=303840 a3=41904 items=0
ppid=3571 pid=3572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1282815904.588:55656): avc:  denied  { noatsecure }
for  pid=3572 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282815904.588:55656): avc:  denied  { siginh } for
pid=3572 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1282815904.588:55656): avc:  denied  { rlimitinh }
for  pid=3572 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process


/dev/sda11 is a FAT32 partition mounted in /etc/fstab with the line:
/dev/sda11		/mnt/tempstore		vfat	users,rw,uid=mark 0 2

and shared as an NFS mount on my desktop.

# cat /etc/exports 
/home/mark                     192.168.2.4(rw,async,no_subtree_check,nohide,no_root_squash)
/mnt/tempstore                 192.168.2.4(rw,async,no_subtree_check,nohide,no_root_squash)
/mnt/datastore                 192.168.2.4(rw,async,no_subtree_check,nohide,no_root_squash)
/mnt/f11                       192.168.2.4(rw,async,no_subtree_check,nohide,no_root_squash)

Are the AVCs a problem and how do I stop them? Audit2allow does not
produce anything on these messages....

Thanks

Mark
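
Added example, not part of the original message: a small Python script that collapses ausearch output like the listing above into one line per unique denial with a count, so that repeated records stand out. The function names unwrap and summarize are this example's own, and the sample input is constructed from three of the records quoted in the message.

```python
import re
from collections import Counter

# Constructed sample: three denials from the message, wrapped as the mail wrapped them.
SAMPLE = """\
----
time->Thu Aug 26 10:31:37 2010
type=AVC msg=audit(1282815097.754:55608): avc:  denied  { getattr } for
pid=1228 comm="rpc.mountd" path="/proc/kcore" dev=proc ino=4026531989
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.028:55622): avc:  denied  { 0x400000 } for
pid=1223 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Thu Aug 26 10:37:51 2010
type=AVC msg=audit(1282815471.028:55623): avc:  denied  { 0x400000 } for
pid=1221 comm="nfsd" name="" dev=sda11 ino=28365
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin audit records that were wrapped across several lines."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("type="):
            records.append(line)  # start of a new record
        elif records and line and line != "----" and not line.startswith("time->"):
            records[-1] += " " + line  # continuation of the previous record
    return records

def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for m in filter(None, map(AVC_RE.search, unwrap(text))):  # skips non-AVC records
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        key = (f["comm"], f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        for perm in m.group(1).split():
            counts[key + (perm,)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
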

