This is part 2 of a 5 part post on identifying and fixing an SELinux constraint violation. If you have not already read the previous parts, you may want to start at the beginning.

An example constraint violation issue

In the audit2allow and audit2why output examples, there is an AVC which happens to be a constraint violation issue. Here it is again:

avc:  denied  { search } for  pid=1597
comm="mount.nfs4" name="" dev=0:16 ino=2
tcontext=system_u:object_r:nfs_t:s0:c20 tclass=dir

The run up to hitting this is not too interesting, but a little background may be relevant:

autofs is being instructed to mount a particular NFS share with mountpoint labeling. Not just basic mount point labeling, but a category restricted context. That is visible in the AVC, where the target context is "system_u:object_r:nfs_t:s0:c20".

This problem originally presented itself when a fully functional test system was patched from RHEL6.2 to RHEL6.3 and rebooted. All of a sudden autofs started returning "No such file or directory". After turning on debugging for autofs by adding the following setting to /etc/sysconfig/autofs

OPTIONS="--verbose --debug"

and restarting the service, the logs clearly showed the problem

automount[1250]: mount_mount: mount(nfs): calling
    mkdir_path /somedir/somemount
automount[1250]: mount_mount: mount(nfs): calling mount -t nfs4 -s
    -o port=2049,rw,context=system_u:object_r:nfs_t:s0:c20
    an_nfs_server.local:/export/somedir /somedir/somemount
automount[1250]: >> mount.nfs4: access denied by server while
    mounting an_nfs_server.local:/export/somedir
automount[1250]: mount(nfs): nfs: mount failure
    an_nfs_server.local:/export/somedir on /somedir/somemount
automount[1250]: dev_ioctl_send_fail: token = 28
automount[1250]: failed to mount /somedir/somemount
automount[1250]: st_expire: state 1 path /somedir

In this case, the server had not been touched, so it made little sense that it would all of a sudden start denying a valid mount request. A lot of possibilities existed since many components were updated between a fully patched RHEL6.2 and a RHEL6.3 install, and I had already found significant (but unrelated) issues with a number of the NFS stack modifications. However, before diving into a rabbit hole of debugging NFS, I tried running the mount outside of autofs, using the exact options from automount. When that worked, the problem scope shrank significantly.
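Reconstructing the exact mount command from the autofs debug output, and pulling the target context and its MCS categories out of the AVC, is what narrows the scope here. The following is an added example (not code from the original post); it rejoins the wrapped automount log lines quoted above, extracts the mount command automount ran so it can be repeated by hand, and splits the AVC and its tcontext into fields. The log text and AVC are constructed copies of the output shown earlier in this post.

```python
import re

# Constructed sample of the autofs debug output, with the indented
# continuation lines exactly as the log appears above.
AUTOFS_LOG = """\
automount[1250]: mount_mount: mount(nfs): calling
    mkdir_path /somedir/somemount
automount[1250]: mount_mount: mount(nfs): calling mount -t nfs4 -s
    -o port=2049,rw,context=system_u:object_r:nfs_t:s0:c20
    an_nfs_server.local:/export/somedir /somedir/somemount
automount[1250]: >> mount.nfs4: access denied by server while
    mounting an_nfs_server.local:/export/somedir
"""

# Constructed copy of the AVC quoted at the top of the post, on one line.
AVC = ('avc:  denied  { search } for  pid=1597 comm="mount.nfs4" name="" '
       'dev=0:16 ino=2 tcontext=system_u:object_r:nfs_t:s0:c20 tclass=dir')

def join_wrapped(text):
    """Rejoin log records whose continuation lines start with whitespace."""
    records = []
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records

def extract_mount_command(text):
    """Return the mount command automount called, for manual reproduction."""
    for record in join_wrapped(text):
        m = re.search(r"calling (mount .*)$", record)
        if m:
            return m.group(1)
    return None

def mount_option(cmd, name):
    """Look up one value in the command's comma-separated -o option list."""
    m = re.search(r"-o\s+(\S+)", cmd)
    opts = dict(o.partition("=")[::2] for o in m.group(1).split(",")) if m else {}
    return opts.get(name)

def parse_avc(avc):
    """Split an AVC record into verdict, permissions and its key=value fields."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', avc)}
    fields["perms"] = re.search(r"\{ ([^}]*) \}", avc).group(1).split()
    fields["verdict"] = re.search(r"avc:\s+(\w+)", avc).group(1)
    return fields

def split_context(ctx):
    """Split user:role:type:level; MCS categories are the part after the sensitivity."""
    user, role, type_, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": type_, "sensitivity": sens,
            "categories": cats.split(",") if cats else []}
```

Comparing mount_option(cmd, "context") with parse_avc(AVC)["tcontext"] confirms that the denied directory carries exactly the category-restricted context autofs requested, which is the clue that this is not an ordinary type enforcement denial.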

I will leave out the irrelevant details. In the end, it was starting to feel like an SELinux denial issue, but nothing was showing up in /var/log/audit/audit.log or /var/log/debug. I used semodule to rebuild the policy without the dontaudit rules

$ semodule -DB

and sure enough, the AVC listed above showed up. A trip through audit2allow made it clear this was not going to be a two minute fix.

Next up, part 3: Locating the troublesome constraint.