Bug 1414513
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /usr/sbin/automount from write access on the file mtab | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Lukas Slebodnik <lslebodn> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED WONTFIX | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 6.9 | CC | dwalsh, ikent, jburke, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-10-02 13:19:47 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Lukas Slebodnik
2017-01-18 17:18:43 UTC
I can see this AVC mostly on an i386 machine. I have no idea why.

Comment 3 (Lukas Slebodnik)

Ian, do you think it should be allowed? Do you have an idea what's going on there?

Comment 4 (Ian Kent)

(In reply to Lukas Slebodnik from comment #3)
> Ian,
> do you think it should be allowed? Do you have an idea what's going on there?

I have to wonder why automount is trying to write to mtab.

Except that automount runs as root and calls mount(8) to mount things, so to that extent it must have write access, but that's mount, not automount, doing that.

So I'm not sure what's going on there; perhaps it's an open call to read the mtab. I'll have a look, but I'm pretty sure I open the mount table read-only when doing that.

OTOH it's probably not a problem to allow it.

Comment (reply to comment 4)

(In reply to Ian Kent from comment #4)
> (In reply to Lukas Slebodnik from comment #3)
> > Ian,
> > do you think it should be allowed? Do you have an idea what's going on there?
>
> I have to wonder why automount is trying to write to mtab.
>
> Except that automount runs as root and calls mount(8) to
> mount things, so to that extent it must have write access,
> but that's mount, not automount, doing that.
>
> So I'm not sure what's going on there; perhaps it's an
> open call to read the mtab. I'll have a look, but I'm
> pretty sure I open the mount table read-only when doing
> that.
>
> OTOH it's probably not a problem to allow it.

BTW, I ran the test 30 times on x86_64 but I could not see any AVC. It is really suspicious.

Comment 9 (Ian Kent)

(In reply to Ian Kent from comment #4)
>
> So I'm not sure what's going on there; perhaps it's an
> open call to read the mtab. I'll have a look, but I'm
> pretty sure I open the mount table read-only when doing
> that.

Btw, I can't see anywhere that automount(8) opens the mtab file for write.

Comment (reply to comment 9)

(In reply to Ian Kent from comment #9)
> (In reply to Ian Kent from comment #4)
> >
> > So I'm not sure what's going on there; perhaps it's an
> > open call to read the mtab. I'll have a look, but I'm
> > pretty sure I open the mount table read-only when doing
> > that.
>
> Btw, I can't see anywhere that automount(8) opens the mtab
> file for write.

Do you have an idea how to debug this issue? And why is the AVC only on i386?

Comment

This looks like a leaked file descriptor. Some tool that started automount opened /etc/mtab for write and then leaked the file descriptor to automount, most likely. Perhaps something in the init script?

Closing comment

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com
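The leaked-descriptor explanation given in the thread (a launcher such as an init script opens /etc/mtab for write, then exec()s automount without closing the descriptor, so the daemon ends up holding a write-open mtab it never asked for and SELinux logs the AVC against automount) can be reproduced and checked with the following C program. This is an added example, not code from the bug report, autofs or selinux-policy: a scratch file in /tmp stands in for /etc/mtab, /bin/sh stands in for the exec()ed daemon, and `open_scratch`, `fd_survives_exec`, `count_open_fds` and `scratch_fd_is_counted` are hypothetical helper names. It assumes a Linux system with /proc mounted.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a throwaway read/write file that stands in for /etc/mtab (constructed
 * stand-in; the scenario in the bug is a launcher opening the real mtab).
 * When cloexec is non-zero the descriptor is marked FD_CLOEXEC, which is the
 * launcher-side fix: the kernel closes it on execve(2). */
static int open_scratch(int cloexec)
{
    char path[] = "/tmp/mtab-leak-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                      /* the name is not needed, only the fd */
    if (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Reproduce the leak: the parent (playing the init script) holds the scratch
 * descriptor open, forks, and exec()s /bin/sh in the role of the daemon.  The
 * shell then tries to write through the inherited descriptor number.
 * Returns 1 if the write succeeded (descriptor leaked into the new program),
 * 0 if it was closed across exec, -1 on setup failure. */
int fd_survives_exec(int cloexec)
{
    int fd = open_scratch(cloexec);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        char cmd[64];
        /* stderr is silenced first so the shell's "Bad file descriptor"
         * message from a failed redirection stays quiet; the exit status
         * is what the parent reads back. */
        snprintf(cmd, sizeof cmd, "echo x 2>/dev/null >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    int status;
    waitpid(pid, &status, 0);
    close(fd);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Daemon-side check: count descriptors above stderr in /proc/self/fd, which
 * a daemon can audit (or log) at startup to spot descriptors it never opened
 * itself.  Returns -1 if /proc is unavailable. */
int count_open_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL)
        return -1;
    int self = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        int fd = atoi(e->d_name);
        if (fd > 2 && fd != self)      /* skip stdio and the directory itself */
            n++;
    }
    closedir(d);
    return n;
}

/* Sanity check for the counter: opening one scratch descriptor must raise
 * the count by exactly one.  Returns 1 on success, 0 otherwise. */
int scratch_fd_is_counted(void)
{
    int before = count_open_fds();
    int fd = open_scratch(0);
    if (before < 0 || fd < 0)
        return 0;
    int after = count_open_fds();
    close(fd);
    return after == before + 1;
}

int main(void)
{
    printf("plain open, usable after exec:      %d\n", fd_survives_exec(0));
    printf("FD_CLOEXEC open, usable after exec: %d\n", fd_survives_exec(1));
    printf("descriptors above stderr here:      %d\n", count_open_fds());
    return 0;
}
```

On a live system the same question is answered by listing /proc/PID/fd for the running automount (for example `ls -l /proc/$(pidof automount)/fd`) and looking for an entry that resolves to /etc/mtab: a descriptor opened before the exec shows up there even though automount's own code never opens mtab for write, which is exactly what the thread suspected. The least-privilege fix is on the launcher side (open with O_CLOEXEC, or close unneeded descriptors before exec); adding a policy allow rule instead would silence the AVC while leaving the daemon holding a write-capable handle it does not need.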