Bug 216625

Summary: SELinux prevents ntfs-3g filesystem from being mounted at boot
Product: Fedora
Reporter: David Monniaux <david.monniaux>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: dwalsh, n0dalus+redhat, stefmanos, szaka, triage
Hardware: x86_64
OS: Linux
Whiteboard: bzcl34nup
Doc Type: Bug Fix
Last Closed: 2008-04-08 02:19:03 UTC

Description David Monniaux 2006-11-21 09:32:04 UTC
Description of problem:
SELinux prevents ntfs-3g from being mounted at boot.

Version-Release number of selected component (if applicable):
fuse-2.5.3
ntfs-3g-0-0.5.20070920

How reproducible:
Always

Steps to Reproduce:
1. Insert a NTFS filesystem line in /etc/fstab as such:
/dev/sda2               /xp/c                   ntfs-3g uid=500,gid=500 0 0
2. Reboot

Actual results:
Filesystem not mounted, /var/log/messages contains a SELinux error message:
Nov 20 23:05:53 localhost kernel: audit(1164060319.334:8): avc:  denied  {
execute_no_trans } for  pid=1836 comm="mount.ntfs-3g" name="fusermount" dev=sda3
ino=3116154 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

Expected results:
The filesystem should be mounted.

Additional info:
sudo mount /xp/c works perfectly. The problem only appears at boot.

Comment 1 Ronny Fischer 2006-11-22 07:29:12 UTC
I can confirm that.

Trying to mount an NTFS partition with ntfs-3g via fstab is not possible while 
mounting manually works well.

Comment 2 Daniel Walsh 2006-11-28 21:21:08 UTC
Fixed in selinux-policy-2.4.5-3.fc6

Comment 3 David Monniaux 2006-12-01 20:45:07 UTC
The problem still occurs

Logged:
Dec  1 21:25:43 localhost kernel: audit(1165004740.658:1854): avc:  denied  {
execute_no_trans } for  pid=2642 comm="mount.ntfs-3g" name="fusermount" dev=sda3
ino=3116077 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

$ rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.5                             Vendor: Red Hat, Inc.
Release     : 3.fc6                         Build Date: jeu 23 nov 2006 13:27:27 CET

Comment 4 David Monniaux 2006-12-09 12:03:06 UTC
Still occurs with selinux-policy 2.4.6 1.fc6

Comment 5 Daniel Walsh 2006-12-11 20:14:36 UTC
Are you seeing different avc messages?

Comment 6 David Monniaux 2006-12-16 10:47:17 UTC
$ rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.6                             Vendor: Red Hat, Inc.
Release     : 1.fc6                         Build Date: mer 29 nov 2006 21:36:17 CET

Dec 16 11:33:27 localhost kernel: audit(1166265206.083:9): avc:  denied  { read
write } for  pid=2659 comm="fusermount" name="fuse" dev=tmpfs ino=1644
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 16 11:33:27 localhost kernel: SELinux: initialized (dev autofs, type
autofs), uses genfs_contexts

Sounds like SELinux gets initialized after the local filesystems try getting
mounted?

Comment 7 n0dalus 2006-12-18 08:21:36 UTC
I also have this problem, using selinux-policy-2.4.6-7.fc6.
Here are the SELinux messages from boot.

Dec 18 17:20:17 agent kernel: SELinux:  Initializing.
Dec 18 17:20:17 agent kernel: SELinux:  Starting in permissive mode
Dec 18 17:20:18 agent kernel: SELinux:  Registering netfilter hooks
Dec 18 17:20:18 agent kernel: SELinux:  Completing initialization.
Dec 18 17:20:18 agent kernel: SELinux:  Setting up existing superblocks.
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-2, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev usbfs, type usbfs), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev debugfs, type debugfs),
uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev selinuxfs, type
selinuxfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev mqueue, type mqueue),
uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev hugetlbfs, type
hugetlbfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev devpts, type devpts),
uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev eventpollfs, type
eventpollfs), uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev inotifyfs, type
inotifyfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev futexfs, type futexfs),
uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev pipefs, type pipefs),
uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev sockfs, type sockfs),
uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev cpuset, type cpuset),
not configured for labeling
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev proc, type proc), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev bdev, type bdev), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev rootfs, type rootfs),
uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev sysfs, type sysfs), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev ramfs, type ramfs), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-0, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-1, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: audit(1166424605.834:4): avc:  denied  { read
write } for  pid=1546 comm="fusermount" name="fuse" dev=tmpfs ino=1573
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: audit(1166424617.884:8): avc:  denied  { read
write } for  pid=2229 comm="fusermount" name="fuse" dev=tmpfs ino=1573
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:19 agent kernel: SELinux: initialized (dev autofs, type autofs),
uses genfs_contexts

Comment 8 Daniel Walsh 2006-12-18 19:40:24 UTC
Just add local policy for this for now.  I think we need different policy for
fusermount from mount. 

audit2allow -M local < /var/log/audit/audit.log

Comment 9 David Monniaux 2006-12-20 08:39:29 UTC
# grep fusermount /var/log/messages.1|audit2allow
allow mount_t fixed_disk_device_t:chr_file { read write };
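
As an added illustration (not part of this bug report and not audit2allow's own code), the following Python parser reads AVC denial lines in the format quoted in the comments above and reconstructs the allow rules audit2allow would propose, merging repeated denials of the same source type, target type and class. The sample lines are the three denials from this bug, rejoined onto single lines with the syslog prefix dropped; the rule text lets you see exactly what a local module would grant (here, mount_t read/write on fixed_disk_device_t character devices) before it is loaded.

```python
import re
from collections import OrderedDict

# Constructed sample: the AVC denials quoted in this bug, joined back onto
# single lines (syslog timestamp/host prefix removed).
SAMPLE_AVCS = [
    'audit(1164060319.334:8): avc:  denied  { execute_no_trans } for  pid=1836 '
    'comm="mount.ntfs-3g" name="fusermount" dev=sda3 ino=3116154 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:mount_exec_t:s0 tclass=file',
    'audit(1166424605.834:4): avc:  denied  { read write } for  pid=1546 '
    'comm="fusermount" name="fuse" dev=tmpfs ino=1573 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file',
    'audit(1166424617.884:8): avc:  denied  { read write } for  pid=2229 '
    'comm="fusermount" name="fuse" dev=tmpfs ino=1573 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (permissions, fields) for one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return perms, fields


def context_type(ctx):
    """user:role:type:level -> type, the component that goes into the rule."""
    return ctx.split(':')[2]


def denials_to_rules(lines):
    """Aggregate denials per (source type, target type, class) into allow rules."""
    merged = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
        existing = merged.setdefault(key, [])
        for p in perms:
            if p not in existing:
                existing.append(p)
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        # audit2allow writes a single permission bare and several inside braces
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_AVCS):
        print(rule)
```

Running it prints one rule per distinct triple: the execute_no_trans denial from the original report and the merged read/write rule that Comment 9 shows audit2allow producing.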

Comment 10 Szabolcs Szakacsits 2007-01-07 12:19:59 UTC
Should be fixed for RHEL5 and FC6 by selinux-policy-2.4.6-23. I guess also the
umount problems. Could you please confirm? Thanks.

Comment 11 Daniel Walsh 2007-04-10 18:56:12 UTC
fixed in selinux-policy-2.4.6-49

Comment 12 Bug Zapper 2008-04-04 04:50:16 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers