Bug 1874836

Summary: SELinux is preventing (-localed) from remount access on the filesystem while exfat drive is mounted
Product: [Fedora] Fedora
Reporter: mershl <mweires>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 32
CC: aziz, dwalsh, grepl.miroslav, jmontleo, lvrabec, mmalik, plautrba, travier, vmojzis, zpytela
Keywords: Triaged
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.5-44.fc32
Last Closed: 2020-10-05 17:32:43 UTC
Type: Bug

Description mershl 2020-09-02 11:39:26 UTC
Description of problem:
SELinux denies remount access for localed while an exfat drive is mounted, resulting in relying software failing.

Version-Release number of selected component:
selinux-policy-3.14.5-43.fc32.noarch

How reproducible:
Every time.

Steps to Reproduce:
1. Connect exfat drive. Automounted. See /etc/mtab below.
2. Open gnome-settings.
3. Switch to About tab.
4. SELinux denials are visible (remount access denied for localed).

Actual results:
setroubleshoot shows: "SELinux is preventing (-localed) from remount access on the filesystem."
localed.service is failing while in Enforcing mode.

Expected results:
localed.service starts without errors. No SELinux denials.

/etc/mtab:
/dev/sde2 /run/media/mershl/MyPassport exfat rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0

Comment 1 Zdenek Pytela 2020-09-02 12:36:40 UTC
Hi,

Could you show the actual AVC denials?

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err

I suppose this is related:
https://github.com/fedora-selinux/selinux-policy/pull/425

Comment 2 Timothée Ravier 2020-09-02 13:17:16 UTC
It is indeed related as a first try/guess to fixing the issue :).

Comment 3 mershl 2020-09-02 13:47:15 UTC
Hi,

Filtered to the last 8 denials:

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err
 
type=AVC msg=audit(02.09.2020 12:19:42.601:283) : avc:  denied  { remount } for  pid=7820 comm=(geoclue) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 
----
type=AVC msg=audit(02.09.2020 12:19:42.874:287) : avc:  denied  { remount } for  pid=7963 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 
----
type=AVC msg=audit(02.09.2020 12:23:12.549:239) : avc:  denied  { remount } for  pid=6680 comm=(-localed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 
----
type=AVC msg=audit(02.09.2020 12:33:27.634:235) : avc:  denied  { remount } for  pid=7790 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 12:43:02.530:265) : avc:  denied  { remount } for  pid=11154 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 12:45:15.953:215) : avc:  denied  { remount } for  pid=6834 comm=(imedated) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 15:42:54.752:232) : avc:  denied  { remount } for  pid=7007 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 15:43:47.543:247) : avc:  denied  { remount } for  pid=7661 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
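
The denials in Comment 3 differ only in pid, comm and the permissive flag. As an added example (not part of the original thread, and not code from the selinux-policy project), the Python below parses `ausearch -i` AVC records in the format shown above, collapses them into distinct policy decisions, and picks out denials whose target is an `unlabeled_t` filesystem, which is the pattern the fix in Comment 7 addresses by adding exfat support to the policy. The function names are hypothetical; the sample input is three of the records quoted in Comment 3.

```python
import re
from collections import defaultdict

# Sample input: three of the AVC records quoted in Comment 3 (ausearch -i format).
SAMPLE = """\
type=AVC msg=audit(02.09.2020 12:19:42.601:283) : avc:  denied  { remount } for  pid=7820 comm=(geoclue) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
----
type=AVC msg=audit(02.09.2020 12:23:12.549:239) : avc:  denied  { remount } for  pid=6680 comm=(-localed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
----
type=AVC msg=audit(02.09.2020 12:33:27.634:235) : avc:  denied  { remount } for  pid=7790 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    # Return one denial as a dict, or None for separators and non-AVC lines.
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": fields["scontext"].split(":")[2],  # user:role:type:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=0 means the access was really blocked, not just logged.
        "enforced": fields.get("permissive") == "0",
    }

def summarize(text):
    # Group denials by (source type, target type, class, permissions).
    groups = defaultdict(lambda: {"enforced": 0, "permissive": 0, "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        groups[key]["enforced" if rec["enforced"] else "permissive"] += 1
        groups[key]["comms"].add(rec["comm"])
    return dict(groups)

def unlabeled_filesystems(groups):
    # A filesystem-class target of unlabeled_t means the policy gave that mount no label.
    return [k for k in groups if k[1] == "unlabeled_t" and k[2] == "filesystem"]

if __name__ == "__main__":
    print(unlabeled_filesystems(summarize(SAMPLE)))
```

On the sample, all three records reduce to a single decision, `init_t` denied `remount` on an `unlabeled_t` filesystem, with two enforced hits and one logged in permissive mode.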

Comment 4 Zdenek Pytela 2020-09-03 04:53:14 UTC
*** Bug 1875027 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2020-09-09 07:18:15 UTC
*** Bug 1869028 has been marked as a duplicate of this bug. ***

Comment 6 Jason Montleon 2020-09-09 17:31:30 UTC
*** Bug 1869039 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2020-09-21 14:51:43 UTC
commit 192d78550f4e832be2ce4be66d0f84d3bf61304a (HEAD -> f32, upstream/f32)
Author: Timothée Ravier <travier>
Date:   Wed Sep 2 13:28:32 2020 +0200

    kernel/filesystem: Add exfat support (no extended attributes)
    
    According to [1], the exfat filesystem does not support extended
    attributes so it should be handled like fat/vfat/ntfs.
    
    [1] https://en.wikipedia.org/wiki/Comparison_of_file_systems
    
    Resolves: rhbz#1874836

Comment 8 Fedora Update System 2020-10-02 07:03:49 UTC
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 9 Fedora Update System 2020-10-03 02:09:07 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2020-10-05 17:32:43 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.