Bug
Resolution: Unresolved
Major
rhel-9.6
Moderate
rhel-security-selinux
ssg_security
x86_64
What were you trying to do that didn't work?
Customer needs to run fapolicyd on an NFS server to comply with security policies (FIPS and 800.171 CUI security profile).
What is the impact of this issue to you?
Customer reports that running fapolicyd on the NFS server turns it unresponsive and causes hangs on NFS clients.
Please provide the package NVR for which the bug is seen:
- Red Hat Enterprise Linux release 9.6 (Plow)
- kernel-5.14.0-570.18.1.el9_6.x86_64
- fapolicyd-1.3.3-100.el9.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- Configure an NFS server with /home as a separate filesystem
- Configure an NFS client that mounts /home from the server, ensuring that /etc/dconf/profile/user starts with a line containing "service-db:keyfile/user".
- Log in to GNOME on the NFS client
- Open gnome-terminal and run firefox
- When the firefox window opens, hit Alt-F4 to exit
Expected results
Firefox should exit immediately
Actual results
- The Firefox window closes but the process gets "hung".
- Other processes hang too (e.g. if the user hits Ctrl-Shift-T to open a new tab in gnome-terminal, it does not open).
- Sometimes, Firefox dies due to a segmentation fault.
Additional information
- Running fapolicyd in debug mode on the NFS server, we see:
  06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1627 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/datareporting/glean/db/data.safe.tmp ftype=application/x-empty trust=0
  06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1626 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/sessionCheckpoints.json.tmp ftype=application/x-empty trust=0
  06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1633 exe=nfsd : path=/home/bashuser/.cache/mozilla/firefox/sxg0zc0y.default-default/cache2/entries/D0F48A0632B6C451791F4257697E861961F06A6F ftype=application/x-empty trust=0
  06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1615 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/prefs-1.js ftype=application/x-empty trust=0
  06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1625 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/datareporting/glean/db/data.safe.tmp ftype=application/x-empty trust=0
  [Hit Alt-F4 to close fapolicyd on the NFS client]
  06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1627 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/places.sqlite ftype=application/x-sqlite3 trust=0
  06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1613 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/places.sqlite ftype=application/x-sqlite3 trust=0
  06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1626 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/sessionCheckpoints.json.tmp ftype=application/x-empty trust=0
  06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1625 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/datareporting/glean/db/data.safe.tmp ftype=application/x-empty trust=0
  06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1626 exe=nfsd : path=/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/prefs-1.js ftype=application/x-empty trust=0
- The problem can be reproduced on systems with plain RHEL 9.6. FIPS and the 800.171 CUI security profile are not the cause of the problem.
- The problem happens regardless of the export options in /etc/exports.
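
A triage helper for debug output like the capture in this report, added here as an example and not taken from the reporter or from the fapolicyd project: it parses each decision and groups them by subject executable, so the share of decisions attributed to nfsd is visible at a glance. The names `parse` and `summarize` are hypothetical, and the subject/object split at " : " is assumed from the layout of the lines above; the sample input is a subset of those lines.

```python
import re
from collections import Counter, defaultdict

# Four entries and the reporter's bracketed note, copied from the debug output
# above and left run together on one line, as pasted console output often is.
P = "/home/bashuser/.mozilla/firefox/sxg0zc0y.default-default/"
SAMPLE = (
    "06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1627 exe=nfsd : "
    f"path={P}datareporting/glean/db/data.safe.tmp ftype=application/x-empty trust=0 "
    "06/05/2025 14:48:42 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1626 exe=nfsd : "
    f"path={P}sessionCheckpoints.json.tmp ftype=application/x-empty trust=0 "
    "[Hit Alt-F4 to close fapolicyd on the NFS client] "
    "06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1627 exe=nfsd : "
    f"path={P}places.sqlite ftype=application/x-sqlite3 trust=0 "
    "06/05/2025 14:49:27 [ DEBUG ]: rule=14 dec=allow perm=open auid=-1 pid=1613 exe=nfsd : "
    f"path={P}places.sqlite ftype=application/x-sqlite3 trust=0"
)

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
# One entry: timestamp, subject fields, " : ", object fields, up to the next timestamp.
ENTRY = re.compile(rf"({TS}) \[ DEBUG \]:\s*(.*?) : (.*?)(?=\s*{TS} \[|\s*$)", re.S)
KV = re.compile(r"(\w+)=(\S+)")  # assumes values without spaces, as in the sample


def parse(text):
    """Return one dict per decision; free text between entries is ignored."""
    events = []
    for ts, subject, obj in ENTRY.findall(text):
        events.append({"ts": ts, **dict(KV.findall(subject)), **dict(KV.findall(obj))})
    return events


def summarize(events):
    """Group decisions by subject executable and count decisions per second."""
    by_exe = defaultdict(lambda: {"events": 0, "pids": set(), "untrusted": 0})
    per_second = Counter(e["ts"] for e in events)
    for e in events:
        stats = by_exe[e.get("exe", "?")]
        stats["events"] += 1
        stats["pids"].add(e.get("pid"))
        stats["untrusted"] += e.get("trust") == "0"
    return dict(by_exe), per_second


if __name__ == "__main__":
    by_exe, per_second = summarize(parse(SAMPLE))
    for exe, s in by_exe.items():
        print(f"{exe}: {s['events']} decisions, {len(s['pids'])} pids, {s['untrusted']} trust=0")
    print(per_second.most_common(3))
```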