Daniel J Walsh writes:
OK, what version of policy are you running?
selinux-policy-targeted-1.27.1-2.6
selinux-policy-targeted-sources-1.27.1-2.6
Running this through audit2why says that it should be allowed?
I hadn't discovered audit2why before! Handy!
When I try it, it says
freddi$ audit2why < ntfs-audit
type=AVC msg=audit(1130008471.475:403): avc: denied { getattr } for pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.
Running audit2allow (of course) gives "allow nfsd_t dosfs_t:dir getattr". So I tried
grep 'nfsd_t.*dosfs_t.*getattr' /etc/selinux/targeted/src/policy/policy.conf
and it gave me nothing.
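
An added example, not part of the original message and not code from the SELinux tools: a structured version of the check described above, which parses the quoted AVC record and looks for an allow rule that names both types and the class literally, including rules written with `{ ... }` sets. The policy fragment is constructed for illustration, and the matcher assumes plain allow rules only: it does not resolve attributes, `self`, `~`/`-`/`*` operators, or rules inside conditional (boolean) blocks.

```python
import re

# The AVC record quoted in the message above, embedded as sample input.
AVC = ('type=AVC msg=audit(1130008471.475:403): avc: denied { getattr } for '
       'pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 '
       'scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir')

# Constructed policy.conf fragment (illustrative, not taken from a real policy).
POLICY = """\
allow nfsd_t dosfs_t:file { read getattr };
allow mount_t dosfs_t:dir getattr;
allow nfsd_t { fs_t dosfs_t }:dir { search getattr };
"""

def parse_avc(line):
    """Return (source_type, target_type, class, perms) from a denied AVC record."""
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    s = re.search(r'scontext=(\S+)', line)
    t = re.search(r'tcontext=(\S+)', line)
    c = re.search(r'tclass=(\S+)', line)
    if not (perms and s and t and c):
        raise ValueError('not a denied AVC record')
    # A context is user:role:type[:mls]; the type is the third field.
    return (s.group(1).split(':')[2], t.group(1).split(':')[2],
            c.group(1), set(perms.group(1).split()))

def _items(field):
    """Expand 'a' or '{ a b }' into a set of names."""
    return set(field.strip('{} \t').split())

# allow <source> <target>:<class> <perms>;  each field a name or a { set }.
RULE = re.compile(r'^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*'
                  r'(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;', re.M)

def covering_rules(policy_text, stype, ttype, tclass, perms):
    """Return allow rules that name these types literally and grant all perms."""
    hits = []
    for m in RULE.finditer(policy_text):
        src, tgt, cls, granted = (_items(g) for g in m.groups())
        if stype in src and ttype in tgt and tclass in cls and perms <= granted:
            hits.append(m.group(0).strip())
    return hits

if __name__ == '__main__':
    print(covering_rules(POLICY, *parse_avc(AVC)))
```

In the constructed fragment, the first rule contains all three strings from the grep pattern but applies to class `file`, so the structured check skips it and reports only the `dir` rule.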