Bug 194061
| Summary: | autofs fails to start with selinux in enforcing mode | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stephen Tweedie <sct> | ||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | rawhide | CC: | james.antill | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-06-15 22:35:33 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 130508 [details]
Kernel log of AVC denials
autofs should not be execing modprobe. If I have to allow autofs to do this, all bets are off. Things like modprobe should be done in the initscript not by the executable. It gives too much power to the application. Dan This is fixed as of 4.1.4-9. How on earth can a bug in autofs-5.0.0_beta4-3 be fixed in version 4.1.4-9?
autofs still will not start in enforcing mode current rawhide after a full relabel:
autofs-5.0.0_beta4-10
kernel-2.6.16-1.2273_FC6
selinux-policy-targeted-2.2.46-2
Latest AVC denials on attempting it:
Starting automount: audit(1150320735.957:8): avc: denied { sys_admin } for
pid=2223 comm="automount" capability=21
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc: denied { sys_admin } for pid=2226
comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.177:10): avc: denied { mounton } for pid=2229
comm="automount" name="local" dev=dm-8 ino=1245185
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1150320736.281:11): avc: denied { mounton } for pid=2230
comm="automount" name="home" dev=dm-8 ino=851969
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
[root ~]# service autofs start
Starting automount: [FAILED]
[root ~]# service autofs start
Starting automount: [FAILED]
[root ~]# setenforce 0
[root ~]# service autofs start
Starting automount: [ OK ]
[root ~]#
But at least the "modprobe" is gone, and the remaining denials look like policy
problems: reassigning.
Fixed in selinux-policy-targeted-2.2.47-1 |
Description of problem: On current rawhide, even after a full relabel, autofs refuses to start with enforcing targeted SELinux enabled. Version-Release number of selected component (if applicable): autofs-5.0.0_beta4-3 selinux-policy-targeted-2.2.43-3 How reproducible: 100% Steps to Reproduce: 1. Enable autofs. 2. Boot. Actual results: Lots of AVC errors, autofs fails to start. Expected results: autofs starts. Additional info: The AVC denials appear to be in two classes: a flood of what appear to be attempts to walk /proc: audit(1149519096.966:72): avc: denied { search } for pid=2401 comm="automount" name="2397" dev=proc ino=157089794 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir presumably when autofs is looking for an existing daemon to update/kill; and then an attempt to load the autofs kernel module: audit(1149519097.078:74): avc: denied { execute } for pid=2406 comm="automount" name="modprobe" dev=dm-5 ino=245865 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file Will append a full AVC log.