Bug 1161601

Summary: selinux breaks pam_mount umounting from gdm
Product: Fedora
Reporter: Till Maas <opensource>
Component: pam_mount
Assignee: Till Maas <opensource>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: dominick.grift, dwalsh, jpazdziora, lvrabec, mgrepl, opensource, plautrba, steve
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pam_mount-2.14-4.fc20
Doc Type: Bug Fix
Last Closed: 2014-12-12 04:16:33 UTC
Type: Bug

Description Till Maas 2014-11-07 13:08:19 UTC
Version:
selinux-policy-3.12.1-192.fc20.noarch

AVCs:
type=AVC msg=audit(1415363347.186:393): avc:  denied  { read } for  pid=3297 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1415363347.186:393): arch=x86_64 syscall=open success=no exit=EACCES a0=4067dc a1=0 a2=1b6 a3=7fffacb2a070 items=0 ppid=2606 pid=3297 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=2 comm=umount.crypt exe=/usr/sbin/mount.crypt subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1415200701.447:717): avc:  denied  { search } for  pid=3019 comm="login" name="mount" dev="tmpfs" ino=9273 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1415200701.447:717): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f2f62c49bc0 a1=7fff3677bfa0 a2=7fff3677bfa0 a3=0 items=0 ppid=1 pid=3019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----
time->Fri Nov  7 13:38:56 2014
type=PROCTITLE msg=audit(1415363936.988:431): proctitle=67646D2D73657373696F6E2D776F726B6572205B70616D2F67646D2D70617373776F72645D
type=SYSCALL msg=audit(1415363936.988:431): arch=c000003e syscall=6 success=yes exit=0 a0=7faf966c2bc0 a1=7fff5338c490 a2=7fff5338c490 a3=0 items=0 ppid=3893 pid=4140 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363936.988:431): avc:  denied  { getattr } for  pid=4140 comm="gdm-session-wor" path="/run/mount/utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:38:56 2014
type=PROCTITLE msg=audit(1415363936.991:432): proctitle=67646D2D73657373696F6E2D776F726B6572205B70616D2F67646D2D70617373776F72645D
type=SYSCALL msg=audit(1415363936.991:432): arch=c000003e syscall=2 success=yes exit=13 a0=7faf966c2bc0 a1=80042 a2=1a4 a3=0 items=0 ppid=3893 pid=4140 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363936.991:432): avc:  denied  { open } for  pid=4140 comm="gdm-session-wor" path="/run/mount/utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363936.991:432): avc:  denied  { read write } for  pid=4140 comm="gdm-session-wor" name="utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.926:441): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.926:441): arch=c000003e syscall=2 success=yes exit=3 a0=4067dc a1=0 a2=1b6 a3=7fff77618bf0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.926:441): avc:  denied  { open } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363955.926:441): avc:  denied  { read } for  pid=4819 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.926:442): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.926:442): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7fff77618e80 a3=7fff77618bf0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.926:442): avc:  denied  { lock } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.926:443): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.926:443): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff77618880 a2=7fff77618880 a3=0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.926:443): avc:  denied  { getattr } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.927:444): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.927:444): arch=c000003e syscall=2 success=yes exit=3 a0=4067dc a1=2 a2=1b6 a3=0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.927:444): avc:  denied  { write } for  pid=4819 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.261:445): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.261:445): arch=c000003e syscall=4 success=yes exit=0 a0=7fff77617970 a1=7fff776178e0 a2=7fff776178e0 a3=7fff77617670 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.261:445): avc:  denied  { getattr } for  pid=4819 comm="umount.crypt" path="/dev/mapper/control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.261:446): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.261:446): arch=c000003e syscall=2 success=yes exit=3 a0=7fff77617970 a1=2 a2=0 a3=7fff77617670 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.261:446): avc:  denied  { open } for  pid=4819 comm="umount.crypt" path="/dev/mapper/control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1415363956.261:446): avc:  denied  { read write } for  pid=4819 comm="umount.crypt" name="control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.262:447): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.262:447): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=c138fd00 a2=bd5560 a3=7fff77618770 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.262:447): avc:  denied  { ioctl } for  pid=4819 comm="umount.crypt" path="/dev/mapper/control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.262:448): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.262:448): arch=c000003e syscall=66 success=yes exit=0 a0=0 a1=0 a2=13 a3=7fff77618c40 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.262:448): avc:  denied  { ipc_info } for  pid=4819 comm="umount.crypt" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
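
Added example, not part of this report and not code from pam_mount or selinux-policy: a small Python parser for the raw audit AVC and PROCTITLE records shown above. It groups the denials by source type, target type and object class into the allow rules audit2allow would propose, decodes the hex-encoded proctitle back into argv, and counts how many denials were actually enforced (permissive=0) as opposed to merely logged in permissive mode (permissive=1). SAMPLE_AUDIT is a constructed subset of the records above; the function names are my own. The point of running it is to see what the denials would grant (xdm_t, the display manager's domain, getting read/write on the device-mapper control node and on /run/cmtab) before deciding whether to put such rules in a local policy module. This report was resolved by changing pam_mount to call plain umount again (comment 5) rather than by granting those permissions to xdm_t.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit records from the report above
# (one denial that was enforced, three that were logged in permissive mode,
# and the PROCTITLE record belonging to event 441).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1415363347.186:393): avc:  denied  { read } for pid=3297 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1415363955.926:441): proctitle=756D6F756E742E6372797074002F686F6D652F
type=AVC msg=audit(1415363955.926:441): avc:  denied  { open } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363956.261:446): avc:  denied  { read write } for  pid=4819 comm="umount.crypt" name="control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1415363956.262:448): avc:  denied  { ipc_info } for  pid=4819 comm="umount.crypt" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<title>\S+)'
)
# key=value pairs; values are either double-quoted or run to the next space
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type component of an SELinux context user:role:type[:mls]."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one raw AVC record; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=0 means the access was refused; =1 means it was only logged
        'enforced': fields.get('permissive') == '0',
    }


def decode_proctitle(title):
    """PROCTITLE carries argv hex-encoded with NUL separators; the kernel
    quotes it as a plain string instead when it needs no escaping."""
    if title.startswith('"'):
        return [title.strip('"')]
    return [a.decode('utf-8', 'replace') for a in bytes.fromhex(title).split(b'\0')]


def summarize(audit_text):
    """Group denials by (source type, target type, class) into permission sets,
    map event serial -> decoded argv, and count enforced denials."""
    rules = defaultdict(set)
    argv_by_serial = {}
    enforced = 0
    for line in audit_text.splitlines():
        p = PROCTITLE_RE.search(line)
        if p:
            argv_by_serial[int(p.group('serial'))] = decode_proctitle(p.group('title'))
            continue
        avc = parse_avc(line)
        if avc is None:
            continue
        rules[(avc['stype'], avc['ttype'], avc['tclass'])] |= avc['perms']
        if avc['enforced']:
            enforced += 1
    return dict(rules), argv_by_serial, enforced


def to_allow_rules(rules):
    """Render the grouped denials as the TE allow rules audit2allow would print."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    rules, argv, enforced = summarize(SAMPLE_AUDIT)
    for rule in to_allow_rules(rules):
        print(rule)
    print(f"{enforced} denial(s) enforced; argv of event 441: {argv[441]}")
```

On a real system, feed it the raw text of /var/log/audit/audit.log or the output of ausearch -m avc (without -i, which would rewrite the fields into their interpreted form); the record layout is the same one the script expects. Every rule it prints for xdm_t is a permanent widening of the login screen's domain, which is why fixing the caller to run plain umount is the better answer here.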

Comment 1 Miroslav Grepl 2014-11-07 15:34:07 UTC
Dominick,
have we ever had a discussion on this issue, or am I wrong?

Comment 2 Miroslav Grepl 2014-11-07 15:40:16 UTC
I thought we had changed pam_mount to execute /bin/umount rather than /bin/umount.crypt?

Comment 3 Till Maas 2014-11-07 16:12:45 UTC
(In reply to Miroslav Grepl from comment #2)
> I thought we had changed pam_mount to execute /bin/umount rather than
> /bin/umount.crypt?

It seems that this was reverted by upstream when utab support became a requirement to get umount to call umount.crypt.

Comment 4 Jan Pazdziora (Red Hat) 2014-11-11 13:07:28 UTC
What pam_mount.conf.xml do you use? I upgraded to the latest selinux-policy-3.12.1-193.fc20 and I do not see any AVC denial. On the other hand, I'm struggling with bug 1086822 even with the older selinux-policy, and I assume that in my case the attempt to umount does not even happen.

What is your exact configuration that allows you to trigger the issue?

Comment 5 Till Maas 2014-11-26 20:02:20 UTC
I prepared an initial patch for pam_mount to get plain umount working again. I just submitted it upstream for review.

Comment 6 Fedora Update System 2014-11-28 10:31:26 UTC
pam_mount-2.14-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/pam_mount-2.14-4.fc19

Comment 7 Fedora Update System 2014-11-28 10:31:33 UTC
pam_mount-2.14-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam_mount-2.14-4.fc20

Comment 8 Fedora Update System 2014-11-28 10:31:40 UTC
pam_mount-2.14-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/pam_mount-2.14-4.fc21

Comment 9 Fedora Update System 2014-11-29 21:00:00 UTC
Package pam_mount-2.14-4.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_mount-2.14-4.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15949/pam_mount-2.14-4.fc21
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-12-12 04:16:33 UTC
pam_mount-2.14-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-12-12 04:21:21 UTC
pam_mount-2.14-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-12-12 04:28:35 UTC
pam_mount-2.14-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.