Bug 1869028

Summary: units with private mount namespaces (like cockpit.service) fail with exfat volume mounted: avc: denied { remount }
Product: Fedora
Reporter: Jason Montleon <jmontleo>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 32
CC: dperpeet, dwalsh, grepl.miroslav, ichavero, lvrabec, mmalik, mpitt, plautrba, pvolpe, stefw, vmojzis, zpytela
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-09-09 07:18:15 UTC
Type: Bug

Description Jason Montleon 2020-08-15 15:41:29 UTC
Description of problem:
cockpit fails with an exfat volume mounted

Version-Release number of selected component (if applicable):
cockpit-225-1.fc32.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install Fedora 32 with cockpit
2. Mount an exfat volume under /mnt
3. Try to connect to cockpit

Actual results:
page is unavailable. Further investigation shows the service failed.

Expected results:
Cockpit works.

Additional info:
The errors are:
systemd[9510]: cockpit.service: Failed to set up mount namespacing: /run/systemd/unit-root/: Permission denied
systemd[9510]: cockpit.service: Failed at step NAMESPACE spawning /usr/libexec/cockpit-tls: Permission denied

# systemctl -t service | grep cockpit
● cockpit.service                                       loaded failed failed  Cockpit Web Service                                                          
# umount /mnt
# systemctl restart cockpit
# systemctl -t service | grep cockpit
  cockpit.service                                       loaded active running Cockpit Web Service                                                          
# mount /dev/sdi1 /mnt
# systemctl restart cockpit
# systemctl -t service | grep cockpit
● cockpit.service                                       loaded failed failed  Cockpit Web Service

Comment 1 Jason Montleon 2020-08-15 15:45:38 UTC
selinux denials:
type=AVC msg=audit(1597504784.924:3423): avc:  denied  { remount } for  pid=7794 comm="(kpit-tls)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0

# audit2allow -m cockpit-custom < cockpit-custom.log 

module cockpit-custom 1.0;

require {
	type unlabeled_t;
	type init_t;
	class filesystem remount;
}

#============= init_t ==============
allow init_t unlabeled_t:filesystem remount;
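
The denial above is the whole story of the bug: the subject is init_t (systemd setting up the unit's mount namespace), the target filesystem carries unlabeled_t, and the requested permission is remount. The following is an added example, not part of the report and not cockpit or selinux-policy code, that parses AVC records of this shape, renders the same allow rule audit2allow printed, and separates the two cases a policy maintainer has to tell apart: a target type of unlabeled_t means the object has no label at all (here: a filesystem type the policy assigns no context to), so an allow rule on it would apply to every unlabeled object, whereas a properly labelled target points at a genuine policy gap. The first log line is the record from the comment; the second line is a constructed contrast record.

```python
import re

# Constructed sample log: line 1 is the AVC record from the bug report,
# line 2 is a constructed record against a normally labelled filesystem
# (note permissive=1, so that one was logged but not enforced).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1597504784.924:3423): avc:  denied  { remount } for  pid=7794 comm="(kpit-tls)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1597504790.101:3424): avc:  denied  { getattr } for  pid=7801 comm="cockpit-tls" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." -- the permission set is
# braced, everything after "for" is a run of key=value fields.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# Values are either double-quoted (comm="...") or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component of an SELinux context user:role:type:level."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=0 means the denial was actually enforced
        'enforced': fields.get('permissive') == '0',
    }


def allow_rule(rec):
    """Render the allow rule audit2allow would print for this record."""
    return 'allow %s %s:%s %s;' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def triage(rec):
    """Classify the denial: labeling gap (unlabeled_t target) vs. policy gap."""
    if rec['ttype'] == 'unlabeled_t':
        return ('labeling gap: the target object has no SELinux label; an allow '
                'rule on unlabeled_t would cover every unlabeled object, so fix '
                'the label (policy context for the filesystem type) instead')
    return ('policy gap candidate: review whether %s legitimately needs %s on %s'
            % (rec['stype'], ' '.join(rec['perms']), rec['ttype']))


def triage_log(text):
    """Parse every AVC record in text and attach the rendered rule and verdict."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec['rule'] = allow_rule(rec)
        rec['verdict'] = triage(rec)
        out.append(rec)
    return out


if __name__ == '__main__':
    for rec in triage_log(SAMPLE_AUDIT_LOG):
        print('%s (%s) %s -> %s' % (rec['comm'], 'enforced' if rec['enforced']
                                    else 'permissive', rec['rule'], rec['verdict']))
```

Run against a real log with `ausearch -m AVC --raw | python3 avc_triage.py`-style piping by replacing SAMPLE_AUDIT_LOG with stdin; the point of the verdict is that the rule audit2allow prints for the report's record (`allow init_t unlabeled_t:filesystem remount;`) is not something to ship as a policy fix.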

Comment 2 Martin Pitt 2020-09-09 06:45:55 UTC
I can reproduce this perfectly well, thanks for the report!

Reproducer for creating exfat volume:

dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-32.noarch.rpm
dnf install -y exfat-utils
modprobe scsi_debug dev_size_mb=100
mkfs.exfat /dev/sda   # make TRIPLE SURE that this is the scsi_debug disk, not a real one!

Then,

mount /dev/sda /mnt
systemctl start cockpit

reproduces the bug.

This already happens in systemd, as it tries to set up a private mount namespace due to 

ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

This is a legitimate operation in systemd, so it should be supported in the SELinux policy.


selinux-policy-3.14.5-43.fc32.noarch
systemd-245.7-1.fc32.x86_64
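
Comment 2 pins the failure on the sandboxing directives that make systemd build a private mount namespace for the unit, which is why the affected service does not have to touch the exfat volume itself. Any unit with such directives is exposed while an unlabelled filesystem is mounted. The following is an added example, not part of the report and not systemd or cockpit code, that scans a unit file's [Service] section and lists the directives that imply mount namespacing, so an operator can tell which services a newly mounted unlabelled volume would break. The unit text is constructed from the four directives quoted in the comment (the ExecStart value is a placeholder), and the directive list is assembled from systemd.exec(5) as my own assumption, not an exhaustive one.

```python
import re

# Constructed unit fragment in unit-file syntax, using the four directives
# quoted in Comment 2 for cockpit.service; ExecStart is a placeholder.
COCKPIT_UNIT = """\
[Unit]
Description=Cockpit Web Service

[Service]
ExecStart=/usr/libexec/cockpit-tls
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
"""

# Constructed contrast: a service that sets a sandboxing directive explicitly
# to its off value and therefore gets no private mount namespace.
PLAIN_UNIT = """\
[Service]
ExecStart=/usr/bin/true
PrivateTmp=no
"""

# Directives that, when set to a non-false value, make systemd set up a private
# mount namespace for the service. Assembled from systemd.exec(5); this list is
# my assumption and not guaranteed complete.
MOUNT_NS_DIRECTIVES = {
    'ProtectSystem', 'ProtectHome', 'PrivateTmp', 'PrivateDevices', 'PrivateMounts',
    'ProtectKernelTunables', 'ProtectKernelModules', 'ProtectControlGroups',
    'ReadOnlyPaths', 'ReadWritePaths', 'InaccessiblePaths', 'BindPaths',
    'BindReadOnlyPaths', 'TemporaryFileSystem', 'MountAPIVFS',
    'RootDirectory', 'RootImage',
}
# Spellings systemd accepts for a boolean "off"; an empty value resets a directive.
FALSE_VALUES = {'', 'no', 'false', 'off', '0'}


def parse_service_section(unit_text):
    """Return the key=value pairs of the [Service] section.

    Simplification: the last assignment wins, whereas in real unit files
    list-valued directives (ReadWritePaths=, BindPaths=, ...) accumulate.
    """
    section = None
    values = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'Service' and '=' in line:
            key, _, value = line.partition('=')
            values[key.strip()] = value.strip()
    return values


def mount_namespace_triggers(unit_text):
    """Directives set to a non-false value that imply a private mount namespace."""
    values = parse_service_section(unit_text)
    return sorted(k for k, v in values.items()
                  if k in MOUNT_NS_DIRECTIVES and v.lower() not in FALSE_VALUES)


def uses_mount_namespace(unit_text):
    return bool(mount_namespace_triggers(unit_text))


if __name__ == '__main__':
    for name, text in (('cockpit.service', COCKPIT_UNIT), ('plain.service', PLAIN_UNIT)):
        triggers = mount_namespace_triggers(text)
        print('%s: %s' % (name, ', '.join(triggers) if triggers else 'no mount namespacing'))
```

To survey a real host, feed each file from `systemctl cat <unit>` through `mount_namespace_triggers`; every unit it reports would hit the same NAMESPACE step failure as cockpit.service while a filesystem labelled unlabeled_t is mounted.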

Comment 3 Zdenek Pytela 2020-09-09 07:18:15 UTC

*** This bug has been marked as a duplicate of bug 1874836 ***