Bug 212665
| Summary: | setroubleshoot incorrectly identifies autofs denial as file context problem | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Need Real Name <gneeki> |
| Component: | setroubleshoot-plugins | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 1.5-1 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-08-28 15:03:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in setroubleshoot-1.5-1 |
Description of problem: SELinux denied access to mount to automount a remote nfs share via autofs. This is being fixed via a forthcoming policy update, but sealert incorrectly reported this as a file/directory context problem. The following avc denial was noted: avc: denied { create } for comm='"mount.nfs"' egid='0' euid='0' exe='"/sbin/mount.nfs"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' pid='21645' scontext=system_u:system_r:mount_t:s0 sgid='0' subj='system_u:system_r:mount_t:s0' suid='0' tclass='netlink_route_socket' tcontext=system_u:system_r:mount_t:s0 tty='(none)' uid='0' This denial doesn't occur always, most predictably on a second or third mount from the same host. The hypothesis for this is that automount may not always read the route table on every mount. The denial is being addressed, however, setroubleshoot/sealert incorrectly analysed this as: "SELinux prevented /sbin/mount.nfs from mounting a filesystem on the file or directory "" of type "mount_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "mount_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory." Version-Release number of selected component (if applicable): setroubleshoot-1.0-1 selinux-policy-targeted-2.3.18-10 nfs-utils-1.0.9-8.fc6 autofs-5.0.1-0.rc2.17 kernel-2.6.18-1.2798.fc6 How reproducible: Mostly, not always: most predictably on a second or third mount from the same host. Steps to Reproduce: 1. Set up an automount from a remote nfs server. 2. Access the /auto/ mountpoint. 3. Wait for sealert analysis of error. Actual results: Warning about file context. Expected results: Warning about... something else. Additional info: