On Thu, Jul 22, 2021 at 10:03 AM Lars Kellogg-Stedman <lars@redhat.com> wrote:
> On Thu, Jul 22, 2021 at 09:57:22AM -0400, Kaleb Keithley wrote:
> > In general I've never had any issues exporting arbitrary directories when
> > running ganesha as root.
> >
> > You aren't, by any chance, trying to run ganesha as non-root?
> No, it's running as root, and it's definitely an selinux issue. First,
> nfs-ganesha-selinux is installed:
>
> [root@nfs1 data]# rpm -q nfs-ganesha-selinux
> nfs-ganesha-selinux-3.5-7.fc34.noarch
>
> With enforcing turned on, running nfs-ganesha results in:
>
> posix_get_fsid :FSAL :CRIT :stat_fs of /dev/shm resulted in error Permission denied(13)
> posix_get_fsid :FSAL :CRIT :stat_fs of /run resulted in error Permission denied(13)
> posix_get_fsid :FSAL :CRIT :stat_fs of /sys/fs/cgroup resulted in error Permission denied(13)
> posix_get_fsid :FSAL :CRIT :stat_fs of / resulted in error Permission denied(13)
> posix_get_fsid :FSAL :CRIT :stat_fs of /tmp resulted in error Permission denied(13)
Those are just ganesha probing the file system(s) to, IIRC, build a table of file systems on the box. Despite being logged CRIT those should not be fatal.
> claim_posix_filesystems :FSAL :CRIT :Could not stat directory for path /data
> vfs_create_export :FSAL :CRIT :resolve_posix_filesystem(/data) returned Permission denied (13)
> mdcache_fsal_create_export :FSAL :MAJ :Failed to call create_export on underlying FSAL VFS
> fsal_cfg_commit :CONFIG :CRIT :Could not create export for (/data) to (/data)
I think you've seen Dan's suggestion to make sure this directory is tagged with ganesha_t.
> With `setenforce 0` in effect, ganesha is able to export the directory
> successfully and `audit2allow -a` results in:
>
> #============= ganesha_t ==============
> allow ganesha_t fuse_device_t:chr_file getattr;
> #!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
> allow ganesha_t fusefs_t:dir getattr;
> #!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
> allow ganesha_t fusefs_t:filesystem getattr;
> allow ganesha_t tracefs_t:dir getattr;
> allow ganesha_t tracefs_t:filesystem getattr;
> allow ganesha_t unlabeled_t:dir { getattr open read search };
Those are pretty standard, e.g. when running a ganesha cluster for gluster, where there are several files stored on the gluster shared volume mounted on /run/gluster/shared_storage/nfs-ganesha to which ganesha needs rw access.
If the /data directory that you're trying to export is a fuse volume, you can fix this by running
# setsebool -P ganesha_use_fusefs on
before starting ganesha. Note that this is not on by default, because security. I.e. we lock things down and only open them when necessary.
> --
> Lars Kellogg-Stedman <lars@redhat.com> | larsks @ {irc,twitter,github}
> http://blog.oddbit.com/ | N1LKS
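Added example, not part of the thread: a small POSIX shell triage of the `audit2allow -a` output quoted above, separating denials that a documented boolean (here `ganesha_use_fusefs`) covers from those that point at a labelling problem or need review before anyone writes a custom module. The sample input is the output pasted in the thread; the function names are mine.

```shell
#!/bin/sh
# Constructed sample input: the audit2allow -a output quoted in the thread.
sample_audit2allow() {
    cat <<'EOF'
#============= ganesha_t ==============
allow ganesha_t fuse_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
allow ganesha_t fusefs_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'ganesha_use_fusefs'
allow ganesha_t fusefs_t:filesystem getattr;
allow ganesha_t tracefs_t:dir getattr;
allow ganesha_t tracefs_t:filesystem getattr;
allow ganesha_t unlabeled_t:dir { getattr open read search };
EOF
}

# Distinct booleans audit2allow says would cover a denial (stdin -> stdout).
# Each one is a documented policy knob: `setsebool -P <name> on`.
booleans_suggested() {
    awk -F"'" '/^#!!!! .*boolean/ { print $2 }' | sort -u
}

# Allow rules that no boolean covers. Do not paste these into a module
# blindly: first check whether the object is simply mislabelled.
rules_without_boolean() {
    awk '
        /^#!!!! .*boolean/ { covered = 1; next }  # next allow rule is covered
        /^allow /          { if (!covered) print; covered = 0; next }
                           { covered = 0 }
    '
}

# Rules against unlabeled_t: the object carries no SELinux label at all, so
# no boolean can help; the directory or filesystem needs labelling instead.
rules_unlabeled() {
    grep '^allow .* unlabeled_t:'
}

# Human-readable summary: what to toggle, what to relabel, what to review.
triage() {
    input=$(cat)
    echo "== booleans suggested (setsebool -P <name> on) =="
    printf '%s\n' "$input" | booleans_suggested
    echo "== rules pointing at a missing label (unlabeled_t) =="
    printf '%s\n' "$input" | rules_unlabeled
    echo "== remaining rules to review before writing a module =="
    printf '%s\n' "$input" | rules_without_boolean | grep -v 'unlabeled_t:'
}

sample_audit2allow | triage
```

On a real host, replace `sample_audit2allow` with `audit2allow -a` (or `ausearch -m avc -ts recent | audit2allow`) to triage live denials.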