Bug 1167759

Summary: selinux denies pam_mount to mount home on Fedora 21
Product: [Fedora] Fedora
Reporter: Jan Safranek <jsafrane>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 21
CC: dwalsh
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-30 23:55:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Safranek 2014-11-25 11:17:45 UTC
SELinux denies pam_mount permission to mount my home directory on login. I tried both kdm and console login (/usr/bin/login?).

$ ausearch -m AVC -ts today

----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.047:1076): proctitle="-:0"
type=SYSCALL msg=audit(1416909698.047:1076): arch=c000003e syscall=4 success=yes exit=0 a0=7f1d00f97749 a1=7fff83d463b0 a2=7fff83d463b0 a3=0 items=0 ppid=951 pid=1523 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.047:1076): avc:  denied  { getattr } for  pid=1523 comm="kdm" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.049:1077): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416909698.049:1077): arch=c000003e syscall=59 success=yes exit=0 a0=7fff83d464bc a1=7f1d0726c460 a2=7f1d07266750 a3=7f1d049522c0 items=0 ppid=1523 pid=2940 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.049:1077): avc:  denied  { entrypoint } for  pid=2940 comm="kdm" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.716:1517): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912773.716:1517): arch=c000003e syscall=4 success=yes exit=0 a0=7f7ab43c9749 a1=7fffb8a41cd0 a2=7fffb8a41cd0 a3=0 items=0 ppid=1 pid=4784 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.716:1517): avc:  denied  { getattr } for  pid=4784 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.717:1518): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912773.717:1518): arch=c000003e syscall=59 success=yes exit=0 a0=7fffb8a41ddc a1=14f5fd0 a2=14f0560 a3=7f7ab5637310 items=0 ppid=4784 pid=4802 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.717:1518): avc:  denied  { entrypoint } for  pid=4802 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:53:47 2014
type=PROCTITLE msg=audit(1416912827.262:1536): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912827.262:1536): arch=c000003e syscall=4 success=yes exit=0 a0=7f1c26633749 a1=7fff8ffbcfc0 a2=7fff8ffbcfc0 a3=0 items=0 ppid=1 pid=5017 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912827.262:1536): avc:  denied  { getattr } for  pid=5017 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:53:47 2014
type=PROCTITLE msg=audit(1416912827.262:1537): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912827.262:1537): arch=c000003e syscall=59 success=yes exit=0 a0=7fff8ffbd0cc a1=aa4fd0 a2=a9f560 a3=7f1c278a1310 items=0 ppid=5017 pid=5033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912827.262:1537): avc:  denied  { entrypoint } for  pid=5033 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1


I updated my Fedora from 20 to 21 and relabeled all files.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-92.fc21.noarch

Additional info:
It's somewhat related to the following bugs:
#998129 - here the reporter on F20 sees some errors, but his home is mounted. My home is not mounted.
#1009668 - here the denied program runs as user_t / staff_t. My kdm runs as xdm_t and login runs as local_login_t. Somewhere in the process these contexts are lost and unconfined_t tries to exec /usr/bin/mount.
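The ausearch output above is easier to reason about once the records are reduced to the tuple SELinux actually decides on (source type, target type, object class, permission) and the hex-encoded PROCTITLE is decoded back into argv. The parser below is an added example for reading such reports; it is not code from the bug report or from the selinux-policy package. The sample input is constructed from the AVC and PROCTITLE records shown above (SYSCALL records dropped, and the PROCTITLE for serial 1518 deliberately omitted to show how an unmatched AVC is handled); the field names and regexes follow the audit record format, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: AVC and PROCTITLE records copied from the report
# above. Serial 1518 has no PROCTITLE record here on purpose.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1416909698.047:1076): proctitle="-:0"
type=AVC msg=audit(1416909698.047:1076): avc:  denied  { getattr } for  pid=1523 comm="kdm" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1416909698.049:1077): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=AVC msg=audit(1416909698.049:1077): avc:  denied  { entrypoint } for  pid=2940 comm="kdm" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1416912773.716:1517): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=AVC msg=audit(1416912773.716:1517): avc:  denied  { getattr } for  pid=4784 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1416912773.717:1518): avc:  denied  { entrypoint } for  pid=4802 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def decode_proctitle(value):
    """PROCTITLE is hex-encoded, NUL-separated argv unless auditd could quote it
    literally (no NUL, no special chars). Return the argv list either way."""
    if value.startswith('"'):
        return [value.strip('"')]
    raw = bytes.fromhex(value)
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for other records."""
    if not line.startswith("type=AVC "):
        return None
    msg = MSG_RE.search(line)
    avc = AVC_RE.search(line)
    if not msg or not avc:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(3))}
    return {
        "serial": int(msg.group(2)),
        "result": avc.group(1),
        "perms": avc.group(2).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit(text):
    """Return the AVC records in text, each joined with the decoded argv of the
    PROCTITLE record that shares its audit serial (None if there is none)."""
    proctitles = {}
    records = []
    for line in text.splitlines():
        if line.startswith("type=PROCTITLE "):
            msg = MSG_RE.search(line)
            value = line.split("proctitle=", 1)[1].strip()
            if msg:
                proctitles[int(msg.group(2))] = decode_proctitle(value)
            continue
        rec = parse_avc(line)
        if rec:
            records.append(rec)
    for rec in records:
        rec["argv"] = proctitles.get(rec["serial"])
    return records


def denial_summary(records):
    """Count denials by (source type, target type, class, permission): the
    tuple a policy rule or a domain transition has to account for."""
    counts = Counter()
    for rec in records:
        if rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for r in recs:
        print(r["serial"], r["comm"], r["stype"], "->", r["ttype"],
              r["tclass"], r["perms"], r["argv"])
    for key, n in denial_summary(recs).items():
        print(n, key)
```

Run on the sample, the summary separates the two distinct problems the reporter describes: the login domains (xdm_t, local_login_t) lacking getattr on mount_var_run_t, and unconfined_t being denied entrypoint on mount_exec_t, which is the missing domain transition when /usr/bin/mount is executed. The decoded argv for serial 1077 confirms it is pam_mount's mount invocation; every record carries permissive=1, so the machine was in permissive mode when these were captured.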

Comment 1 Daniel Walsh 2015-01-02 14:57:30 UTC
a8041e60fdc0a38ae58991fc707ae9af8cdb7524 fixes this in git.

Comment 2 Fedora Update System 2015-01-27 16:50:07 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 3 Fedora Update System 2015-01-30 04:32:59 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-01-30 23:55:26 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.