On Thu, Jul 22, 2021 at 09:57:22AM -0400, Kaleb Keithley wrote:
> In general I've never had any issues exporting arbitrary directories when
> running ganesha as root.
> You aren't, by any chance, trying to run ganesha as non-root?
No, it's running as root, and it's definitely an SELinux issue. First,
nfs-ganesha-selinux is installed:
[root@nfs1 data]# rpm -q nfs-ganesha-selinux
nfs-ganesha-selinux-3.5-7.fc34.noarch
With enforcing turned on, running nfs-ganesha results in:
posix_get_fsid :FSAL :CRIT :stat_fs of /dev/shm resulted in error Permission denied(13)
posix_get_fsid :FSAL :CRIT :stat_fs of /run resulted in error Permission denied(13)
posix_get_fsid :FSAL :CRIT :stat_fs of /sys/fs/cgroup resulted in error Permission denied(13)
posix_get_fsid :FSAL :CRIT :stat_fs of / resulted in error Permission denied(13)
posix_get_fsid :FSAL :CRIT :stat_fs of /tmp resulted in error Permission denied(13)
claim_posix_filesystems :FSAL :CRIT :Could not stat directory for path /data
vfs_create_export :FSAL :CRIT :resolve_posix_filesystem(/data) returned Permission denied (13)
mdcache_fsal_create_export :FSAL :MAJ :Failed to call create_export on underlying FSAL VFS
fsal_cfg_commit :CONFIG :CRIT :Could not create export for (/data) to (/data)
With `setenforce 0` in effect, ganesha is able to export the directory
successfully and `audit2allow -a` results in:
#============= ganesha_t ==============
allow ganesha_t fuse_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
allow ganesha_t fusefs_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
allow ganesha_t fusefs_t:filesystem getattr;
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;
allow ganesha_t unlabeled_t:dir { getattr open read search };
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/ | N1LKS
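An added example, not part of the thread and not nfs-ganesha or Fedora policy code: a small POSIX shell script that triages `audit2allow` output of the shape quoted above before anyone turns it into a policy module. It separates the rules that an existing boolean already covers (the `#!!!!` hint lines) from the residual rules that would need a local module, flags rules whose target is `unlabeled_t` (which usually means the files carry no label and want relabeling rather than an allow rule), and renders the residual rules as a draft `.te` with a `require` block derived from the rules themselves. The only assumption is audit2allow's text layout as shown in the message: a hint comment sits directly before the rule it covers. The sample input is the output quoted in the message; the module name `ganesha_local` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): triage audit2allow output before
# writing a local policy module. Assumes the layout shown in the message:
# a "#!!!! ... boolean '<name>'" comment directly precedes the rule it covers.

# Sample input, copied from the audit2allow -a output quoted in the message.
SAMPLE=$(cat <<'EOF'
#============= ganesha_t ==============
allow ganesha_t fuse_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
allow ganesha_t fusefs_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
allow ganesha_t fusefs_t:filesystem getattr;
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;
allow ganesha_t unlabeled_t:dir { getattr open read search };
EOF
)

# Print each boolean audit2allow suggests, once, in first-seen order.
# "\047" is a single quote; the boolean name is quoted on the hint line.
booleans_for() {
    awk '/^#!!!!.*boolean/ {
        split($0, p, "\047")
        if (!(p[2] in seen)) { seen[p[2]] = 1; print p[2] }
    }'
}

# Print the allow rules that no boolean covers, i.e. rules not preceded
# by a #!!!! hint line.
residual_rules() {
    awk '
        /^#!!!!/ { hinted = 1; next }
        /^allow / { if (!hinted) print; hinted = 0; next }
        { hinted = 0 }
    '
}

# Rules whose target is unlabeled_t point at objects with no label at all;
# the usual fix is relabeling (restorecon), not granting access.
needs_relabel() {
    awk '/^allow / && $3 ~ /^unlabeled_t:/'
}

# Render allow rules (from stdin) as a minimal local module; the require
# block lists every type and every class/permission the rules mention.
render_module() {
    awk -v mod="${1:-ganesha_local}" '
        /^allow / {
            src = $2
            split($3, a, ":"); tgt = a[1]; cls = a[2]
            types[src] = 1; types[tgt] = 1; classes[cls] = 1
            for (i = 4; i <= NF; i++) {
                f = $i; gsub(/[{};]/, "", f)   # strip braces and the trailing ;
                if (f != "") cp[cls, f] = 1
            }
            rules[++nr] = $0
        }
        END {
            print "module " mod " 1.0;"
            print "require {"
            for (t in types) print "\ttype " t ";"
            for (c in classes) {
                s = ""
                for (k in cp) { split(k, kk, SUBSEP); if (kk[1] == c) s = s " " kk[2] }
                print "\tclass " c " {" s " };"
            }
            print "}"
            for (i = 1; i <= nr; i++) print rules[i]
        }
    '
}

echo "# booleans to consider enabling (setsebool -P <name> 1):"
printf '%s\n' "$SAMPLE" | booleans_for
echo "# rules not covered by any boolean:"
printf '%s\n' "$SAMPLE" | residual_rules
echo "# rules against unlabeled_t (check labels with restorecon -nv before allowing):"
printf '%s\n' "$SAMPLE" | needs_relabel
echo "# draft local module for the residual rules:"
printf '%s\n' "$SAMPLE" | residual_rules | render_module ganesha_local
```

On the sample input the script reports one boolean (`ganesha_use_fusefs`), four residual rules (the `fuse_device_t`, both `tracefs_t`, and the `unlabeled_t` rules), and singles out the `unlabeled_t` rule for a label check. The draft module is a starting point for review, not something to load as-is: the `fuse_device_t` and `tracefs_t` getattr denials come from stat_fs walking every mount, so the real question is whether the daemon should be able to see those filesystems at all.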