Bug 1570094

Summary: autofs fails to mount sshfs due to selinux
Product: [Fedora] Fedora
Reporter: wdouglascampbell
Component: atomic
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: adimania, amurdaca, bbaude, dwalsh, fkluknav, lsm5, walters
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-04-24 13:03:40 UTC
Type: Bug

Description wdouglascampbell 2018-04-20 15:51:43 UTC
Description of problem:

Autofs fails when attempting to automount a remote filesystem using sshfs.

Version-Release number of selected component (if applicable):

  autofs-1:5.1.4-7.fc27.x86_64
  fuse-sshfs-2.8-4.fc27.x86_64
  hesiod-3.2.1-9.fc27.x86_64

How reproducible:

Always for me.

Steps to Reproduce:
1.  Configure /etc/auto.master with the following:

/mnt/sshfs /etc/auto.sshfs --timeout=30,--ghost

2.  Configure /etc/auto.sshfs with the following:

archive -fstype=fuse,ro,nodev,nonempty,noatime,allow_other,max_read=65536 :sshfs\#root@172.16.1.202\:/

3.  Configure and test public key authentication to remote server at 172.16.1.202

4.  Start autofs

systemctl start autofs

Actual results:

journalctl -u autofs   gives me

Apr 20 11:30:53 atomic.zteam.biz systemd[1]: Starting Automounts filesystems on demand...
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: do_mount_autofs_indirect: failed to create autofs directory /misc
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: handle_mounts: mount of /misc failed!
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: master_do_mount: failed to startup mount
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: do_mount_autofs_indirect: failed to create autofs directory /net
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: handle_mounts: mount of /net failed!
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: master_do_mount: failed to startup mount
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: do_mount_autofs_indirect: failed to create autofs directory /mnt/sshfs
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: handle_mounts: mount of /mnt/sshfs failed!
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: master_do_mount: failed to startup mount
Apr 20 11:30:53 atomic.zteam.biz systemd[1]: Started Automounts filesystems on demand.

ls -l /mnt/sshfs  is empty

Expected results:

ls -l /mnt/sshfs displays

dr-xr-xr-x. 2 root root 0 Apr 20 23:50 archive

and

ls -l /mnt/sshfs/archive  displays the remote filesystem


Additional info:

If I disable SELINUX with

setenforce 0

and then restart autofs

systemctl restart autofs

the automount works as expected.

Comment 1 Daniel Walsh 2018-04-21 11:12:13 UTC
What AVC messages are you seeing?

ausearch -m avc -ts recent

Comment 2 wdouglascampbell 2018-04-22 00:48:07 UTC
I'm seeing this same message over and over again:

----
time->Sun Apr 22 08:46:36 2018
type=PROCTITLE msg=audit(1524357996.168:383131): proctitle=2F7573722F7362696E2F6175746F6D6F756E74002D2D666F726567726F756E64002D2D646F6E742D636865636B2D6461656D6F6E
type=SYSCALL msg=audit(1524357996.168:383131): arch=c000003e syscall=16 success=no exit=-13 a0=3 a1=c018937e a2=7f9a78001160 a3=0 items=0 ppid=1 pid=27780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="automount" exe="/usr/sbin/automount" subj=system_u:system_r:automount_t:s0 key=(null)
type=AVC msg=audit(1524357996.168:383131): avc:  denied  { read } for  pid=27780 comm="automount" name="mnt" dev="dm-0" ino=23069192 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file permissive=0

Comment 3 Daniel Walsh 2018-04-23 19:48:42 UTC
Looks like you set up a symbolic link on /mnt?  And SELinux is now allowing automount to read it?  Instead of using a symbolic link, could you mount the content on /mnt or bind mount it?

Comment 4 wdouglascampbell 2018-04-24 13:03:40 UTC
Thanks Dan!

Atomic sets up /mnt as a symbolic link to /var/mnt.  I just needed to adjust the configuration in auto.master to:

/var/mnt/sshfs /etc/auto.sshfs --timeout=30,--ghost


That fixed it.
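
The resolution above generalizes to any master map entry whose mount point path crosses a symbolic link. The following shell function is an added example, not part of the original report or of autofs: it lists such entries in a master map together with the resolved path to use instead. The function name `check_master_map` and its optional ROOT argument are assumptions made for illustration, and it relies on GNU `readlink -f`.

```shell
#!/bin/sh
# Added example: flag auto.master mount points whose path crosses a symlink,
# the condition behind the automount_t "read" denial on lnk_file in this bug.
# check_master_map MAP [ROOT]
#   MAP  - master map file (normally /etc/auto.master)
#   ROOT - assumption for offline testing: directory treated as "/" (default /)
# Prints "<mount point> -> <resolved path> (symlink at <component>)" per hit.
# Returns 1 if any entry was flagged, 0 if none, 2 if ROOT is unusable.
# Typical use on the host: check_master_map /etc/auto.master
check_master_map() {
    map=$1
    root=$(cd "${2:-/}" && pwd -P) || return 2
    [ "$root" = "/" ] && root=""
    flagged=0
    while read -r mountpoint _rest; do
        case $mountpoint in
            /-) continue ;;   # direct-map marker, not a directory
            /*) ;;            # indirect mount point: inspect it
            *)  continue ;;   # comments, blank lines, +include lines
        esac
        # Walk the path one component at a time looking for a symlink.
        path=""
        crossed=""
        old_ifs=$IFS; IFS=/
        for part in $mountpoint; do
            [ -n "$part" ] || continue
            path="$path/$part"
            if [ -L "$root$path" ]; then crossed=$path; break; fi
        done
        IFS=$old_ifs
        if [ -n "$crossed" ]; then
            # Resolve the full path, then strip the test ROOT prefix again.
            resolved=$(readlink -f "$root$mountpoint")
            echo "$mountpoint -> ${resolved#"$root"} (symlink at $crossed)"
            flagged=1
        fi
    done < "$map"
    return $flagged
}
```
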