Bug 249695

Summary:

new ntfs-3g fails to mount due to selinux avcs

Product:

[Fedora] Fedora

Reporter:

drago01

Component:

selinux-policy-targeted

Assignee:

Daniel Walsh <dwalsh>

Status:

CLOSED CURRENTRELEASE

QA Contact:

Ben Levenson <benl>

Severity:

medium

Docs Contact:

Priority:

low

Version:

CC:

init, joshuacov

Target Milestone:

---

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

Current

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2007-09-12 17:07:54 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
fix up ntfs selinux policy	none
denied messages from log	none

Description drago01 2007-07-26 14:37:03 UTC

Description of problem:
After the ntfs-3g update to ntfs-3g-1.710-1.fc7 and fuse-2.7.0-3.fc7 my ntfs
partition is no longer mounted at boot.

Looking a dmesg I found this avc:
audit(1185459507.421:5): avc:  denied  { search } for  pid=1483
comm="mount.ntfs" name="mnt" dev=sda2 ino=3997697
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-28.fc7

Additional info:

audit2allow -d:
#============= mount_ntfs_t ==============
allow mount_ntfs_t mnt_t:dir search;

Comment 1 Daniel Walsh 2007-07-26 17:17:12 UTC

Fixed in selinux-policy-targeted-2.6.4-30.fc7

Comment 2 drago01 2007-07-26 19:09:51 UTC

thx, this was fast.
when will you push this to updates(-testing?)

Comment 3 drago01 2007-07-29 09:58:44 UTC

can't even find it in cvs (only -29) ...

Comment 4 Harald 2007-07-29 14:45:59 UTC

Please also consider that the issue is not restricted to FC7 but also occurs on
FC6, anyway i was able to get a workaround running.

bug #249835 seems to handle the exact same issue, but i might have missed something.

Comment 5 Tom "spot" Callaway 2007-07-30 17:44:33 UTC

Created attachment 160257 [details]
fix up ntfs selinux policy

This patch alters the selinux policy so that ntfs-3g partitions properly
automount on systems with selinux=enabled.

Dan might be able to clean it up a bit, but I can confirm that it resolves this
bug and 249835 on F-7.

Comment 6 Tom "spot" Callaway 2007-07-30 17:45:37 UTC

*** Bug 249835 has been marked as a duplicate of this bug. ***

Comment 7 Harald 2007-07-31 18:54:47 UTC

Created attachment 160350 [details]
denied messages from log

Just in case that the messages i used to create the policy file are still of
interest. Daniel ask for them in bug #249835.

Comment 8 drago01 2007-08-01 14:37:57 UTC

(In reply to comment #1)
> Fixed in selinux-policy-targeted-2.6.4-30.fc7

compiled it from cvs and it seems that it still does not solve the problem... 
I get a different avc now:
audit(1185978767.311:4): avc:  denied  { write } for  pid=1478 comm="mount.ntfs"
name="tmp" dev=sda2 ino=1409025 scontext=system_u:system_r:mount_ntfs_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Comment 9 Ian Malone 2007-08-03 09:55:33 UTC

Originally added this to bug 249943, but seems more
relevant to this one.

[ian@prometheus ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-30.fc7
[ian@prometheus ~]$ rpm -q selinux-policy
selinux-policy-2.6.4-30.fc7
[ian@prometheus ~]$ dmesg|grep ntfs
audit(1185991690.781:4): avc:  denied  { write } for  pid=1569
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
audit(1185991690.862:5): avc:  denied  { write } for  pid=1571
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir

Comment 10 drago01 2007-08-06 22:37:42 UTC

it works for me with selinux-policy-2.6.4-33.fc7

Comment 11 Daniel Walsh 2007-09-12 17:07:54 UTC

Moving modified bugs to closed

Comment 12 Alexei Podtelezhnikov 2007-09-15 23:33:09 UTC

don't forget FC6, please.

Comment 13 Daniel Walsh 2007-09-18 13:18:01 UTC

Try selinux-policy-2.4.6-88.fc6

Comment 14 Alexei Podtelezhnikov 2007-09-19 23:51:48 UTC

Ehh. selinux-policy-2.4.6-88.fc6 is not good.
First, it fails in post-install phase like this:
 
libsepol.context_from_record: type httpd_nagios_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert 
system_u:object_r:httpd_nagios_script_exec_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts:  line 270 has invalid 
context system_u:object_r:httpd_nagios_script_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Second, with enforced policy it is still denying ntfs-3g

 Sep 19 19:10:43 localhost kernel: audit(1190243431.707:4): avc:  denied  { 
search } for  pid=1739 comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=11632641 
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 
tclass=dir