Bug 1373877

Summary: Can't write to USB flash devices with ext2 file system
Product: Red Hat Enterprise Linux 7 Reporter: Andrey <zyx1984>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela, zyx1984
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-28 19:13:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Andrey 2016-09-07 11:05:57 UTC 
Description of problem:
After formatting USB drive to ext2 file system you can't write to it.
There is no problem with FAT or NTFS file systems.
Selinux contexts after mounting USB drive with different file systems are:
FAT - dosfs_t
NTFS - fusefs_t
EXT2 - unlabeled_t

How reproducible:
always

Steps to Reproduce:
1. Format USB flash drive to ext2 file system with gparted or fdisk.
2. Mount it with file manger.
3. Try to create file or folder on it.

Actual results:
Permission denied

Expected results:
Create file or folder

Additional info:
#cat /etc/selinux/targeted/contexts/removable_context
system_u:object_r:removable_t:s0
Comment 2 Milos Malik 2016-09-07 13:44:41 UTC 
Could you collect SELinux denials and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Comment 3 Andrey 2016-09-07 14:06:27 UTC 
In file manager Create Folder button on that drive is disabled

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
<no matches>

# mount | grep sdb1
/dev/sdb1 on /run/media/user/81fc8393-b382-45e8-b59f-50f743fccf3b type ext2 (rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2)

# ls -lZ /var/run/media/user
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 81fc8393-b382-45e8-b59f-50f743fccf3b

# ls -lZ /var/run/media/user/81fc8393-b382-45e8-b59f-50f743fccf3b/
drwx------. root root system_u:object_r:unlabeled_t:s0 lost+found

dmesg output:
[  644.489057] usb 1-1: new high-speed USB device number 2 using ehci-pci
[  644.626165] usb 1-1: New USB device found, idVendor=0951, idProduct=1665
[  644.626171] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  644.626174] usb 1-1: Product: DataTraveler 2.0
[  644.626176] usb 1-1: Manufacturer: Kingston
[  644.626179] usb 1-1: SerialNumber: 50E549C695B3BE70A98B0650
[  644.781209] usb-storage 1-1:1.0: USB Mass Storage device detected
[  644.782992] scsi host3: usb-storage 1-1:1.0
[  644.783080] usbcore: registered new interface driver usb-storage
[  645.786167] scsi 3:0:0:0: Direct-Access     Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 6
[  645.788631] sd 3:0:0:0: Attached scsi generic sg2 type 0
[  645.800211] sd 3:0:0:0: [sdb] 30490624 512-byte logical blocks: (15.6 GB/14.5 GiB)
[  645.807341] sd 3:0:0:0: [sdb] Write Protect is off
[  645.807348] sd 3:0:0:0: [sdb] Mode Sense: 23 00 00 00
[  645.814511] sd 3:0:0:0: [sdb] No Caching mode page found
[  645.814516] sd 3:0:0:0: [sdb] Assuming drive cache: write through
[  645.914919]  sdb: sdb1
[  645.963877] sd 3:0:0:0: [sdb] Attached SCSI removable disk
[  646.687779] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[  647.251687] EXT4-fs (sdb1): mounting ext2 file system using the ext4 subsystem
[  647.308435] EXT4-fs (sdb1): mounted filesystem without journal. Opts: (null)
[  647.308454] SELinux: initialized (dev sdb1, type ext2), uses xattr
[  827.975106] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Comment 5 Lukas Vrabec 2016-09-12 08:56:40 UTC 
Could you attach version of selinux-policy rpm?
Comment 6 Andrey 2016-09-12 09:10:49 UTC 
(In reply to Lukas Vrabec from comment #5)
> Could you attach version of selinux-policy rpm?

selinux-policy-3.13.1-60.el7_2.7.src.rpm
Comment 10 Lukas Vrabec 2018-06-25 16:08:30 UTC 
Milos,

Are we able to reproduce it? 

Lukas.
Comment 11 Milos Malik 2018-06-26 06:43:35 UTC 
Command (m for help): p

Disk /dev/sda: 4026 MB, 4026531840 bytes, 7864320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x3eadf52d

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-7864319, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-7864319, default 7864319): 
Using default value 7864319
Partition 1 of type Linux and of size 3.8 GiB is set

Command (m for help): p

Disk /dev/sda: 4026 MB, 4026531840 bytes, 7864320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x3eadf52d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            2048     7864319     3931136   83  Linux

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   g   create a new empty GPT partition table
   G   create an IRIX (SGI) partition table
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
# stat /dev/sda1
  File: ‘/dev/sda1’
  Size: 0         	Blocks: 0          IO Block: 4096   block special file
Device: 6h/6d	Inode: 47609       Links: 1     Device type: 8,1
Access: (0660/brw-rw----)  Uid: (    0/    root)   Gid: (    6/    disk)
Context: system_u:object_r:fixed_disk_device_t:s0
Access: 2018-06-26 08:37:29.513120283 +0200
Modify: 2018-06-26 08:37:29.513120283 +0200
Change: 2018-06-26 08:37:29.513120283 +0200
 Birth: -
# mkfs.ext2 /dev/sda1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
245760 inodes, 982784 blocks
49139 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1006632960
30 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done 

# stat /dev/sda1
  File: ‘/dev/sda1’
  Size: 0         	Blocks: 0          IO Block: 4096   block special file
Device: 6h/6d	Inode: 47609       Links: 1     Device type: 8,1
Access: (0660/brw-rw----)  Uid: (    0/    root)   Gid: (    6/    disk)
Context: system_u:object_r:fixed_disk_device_t:s0
Access: 2018-06-26 08:38:14.552509236 +0200
Modify: 2018-06-26 08:38:14.552509236 +0200
Change: 2018-06-26 08:38:14.552509236 +0200
 Birth: -
# mount /dev/sda1 /mnt
# mount | grep /mnt
/dev/sda1 on /mnt type ext2 (rw,relatime,seclabel,block_validity,barrier,user_xattr,acl)
# stat /mnt
  File: ‘/mnt’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d	Inode: 2           Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:unlabeled_t:s0
Access: 2018-06-26 08:37:53.000000000 +0200
Modify: 2018-06-26 08:37:53.000000000 +0200
Change: 2018-06-26 08:37:53.000000000 +0200
 Birth: -
# getfattr -d -m . /mnt
# getfattr -d -m . /mnt/lost+found
# ls -Z /mnt/
drwx------. root root system_u:object_r:unlabeled_t:s0 lost+found
# 

There are no SELinux labels on the formatted USB flash device, until you run restorecon:

# restorecon -Rv /mnt
restorecon reset /mnt context system_u:object_r:unlabeled_t:s0->system_u:object_r:mnt_t:s0
restorecon reset /mnt/lost+found context system_u:object_r:unlabeled_t:s0->system_u:object_r:mnt_t:s0
# ls -Z /mnt/
drwx------. root root system_u:object_r:mnt_t:s0       lost+found
# getfattr -d -m . /mnt
getfattr: Removing leading '/' from absolute path names
# file: mnt
security.selinux="system_u:object_r:mnt_t:s0"

# getfattr -d -m . /mnt/lost+found
getfattr: Removing leading '/' from absolute path names
# file: mnt/lost+found
security.selinux="system_u:object_r:mnt_t:s0"

#
Comment 13 Zdenek Pytela 2019-02-28 19:13:46 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.