Bug 194061
Summary: | autofs fails to start with selinux in enforcing mode
---|---
Product: | [Fedora] Fedora
Reporter: | Stephen Tweedie <sct>
Component: | selinux-policy-targeted
Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED RAWHIDE
QA Contact: |
Severity: | medium
Docs Contact: |
Priority: | medium
Version: | rawhide
CC: | james.antill
Target Milestone: | ---
Keywords: | Reopened
Target Release: | ---
Hardware: | All
OS: | Linux
Whiteboard: |
Fixed In Version: |
Doc Type: | Bug Fix
Doc Text: |
Story Points: | ---
Clone Of: |
Environment: |
Last Closed: | 2006-06-15 22:35:33 UTC
Type: | ---
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |
Attachments: |
Description
Stephen Tweedie
2006-06-05 14:53:50 UTC
Created attachment 130508
Kernel log of AVC denials

autofs should not be execing modprobe. If I have to allow autofs to do this, all bets are off. Things like modprobe should be done in the initscript, not by the executable. It gives too much power to the application.

Dan, this is fixed as of 4.1.4-9.

How on earth can a bug in autofs-5.0.0_beta4-3 be fixed in version 4.1.4-9?

autofs still will not start in enforcing mode on current rawhide after a full relabel:

```
autofs-5.0.0_beta4-10
kernel-2.6.16-1.2273_FC6
selinux-policy-targeted-2.2.46-2
```

Latest AVC denials on attempting it:

```
Starting automount:
audit(1150320735.957:8): avc: denied { sys_admin } for pid=2223 comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc: denied { sys_admin } for pid=2226 comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.177:10): avc: denied { mounton } for pid=2229 comm="automount" name="local" dev=dm-8 ino=1245185 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1150320736.281:11): avc: denied { mounton } for pid=2230 comm="automount" name="home" dev=dm-8 ino=851969 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
```

```
[root ~]# service autofs start
Starting automount: [FAILED]
[root ~]# service autofs start
Starting automount: [FAILED]
[root ~]# setenforce 0
[root ~]# service autofs start
Starting automount: [ OK ]
[root ~]#
```

But at least the "modprobe" is gone, and the remaining denials look like policy problems: reassigning.

Fixed in selinux-policy-targeted-2.2.47-1