Bug 280341
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Can not use fuse in autofs scripts | | |
| Product | [Fedora] Fedora | Reporter | Bill C. Riemers <briemers> |
| Component | selinux-policy | Assignee | David Anderson <fedora-packaging2> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | low | Docs Contact | |
| Priority | medium | | |
| Version | 7 | CC | dwalsh, eparis |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Current | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2008-01-30 19:20:50 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Bill C. Riemers, 2007-09-06 11:57:29 UTC)
Note: I notice malicious path names could cause problems with my script. So I revised it to add quotes around the variables.

I do not know that much about curlftpfs. But I think it needs to be able to set a file context on the mounted file system, or add xattr support.

allow automount_t fixed_disk_device_t:chr_file { read write };

This would be a very bad idea, since it allows automount to write to any disk on the machine. So curlftpfs needs to work better with selinux, either allowing the user to specify a default context for the mounted file system, like mount does, or support xattrs which we can assign context to.

Dan, I don't understand your suggestion... curlftpfs, as the name suggests, accesses an FTP server and mounts it into the filesystem. FTP doesn't support xattrs, period ... to get xattrs you'd have to modify FTP at a protocol level, wouldn't you? Secondly - isn't this a generic problem with fuse rather than something specific to curlftpfs? I think that all the components that would do the low level stuff would be in fuse - I'm no expert though (I'm just the packager!).

I think we can pretty much rule out xattr support. What char file is actually labeled fixed_disk_device_t? The raw denial message should have an inode number (use find -ino) and at least part of a path name. Maybe if we find a better way to label that char file this won't be an issue. Doesn't seem like he is complaining that the labels on the fs data are problematic, just the char file label. I don't have any idea how this fusefs works but my assumption is that something is creating a new /dev/ file which if labeled more specifically we might be able to get working....

Isn't there a way to write the policy that only grants access to /dev/fuse to automount_t? BTW. I would expect automount_t to be able to have write access to every disk on the system, for the express purpose of mounting the disks... But in this case, I only need to grant access to one such device. If there is an selinux command I can use to change /dev/fuse that would work as well. Although, I guess the command would have to be added to the udev files. Perhaps then we might have a problem of udev not being allowed to run the appropriate SELinux command. Bill

Eric: As Bill's comment implies, the only device file used by FUSE is /dev/fuse. What this means for SELinux I don't really know...

Oh this is so obvious. I should have thought of it sooner:

[root@hartnell tmp]# chcon --reference=$(which mount) $(which curlftpfs)
[root@hartnell tmp]# ls /ftp/sunsite.unc.edu
HEADER.html HEADER.images incoming pub README unc

So the problem is not with the automount_t policy, but that curlftpfs is installed with the wrong security context.

Assigning bug back to selinux, in light of #7.

I have created a new type for /dev/fuse (fuse_dev_t)

Fixed in selinux-policy-2.6.4-43.fc7.src.rpm

Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.
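An added example, not part of the bug report, for the check implied by comment #7: compare the SELinux type of a FUSE helper against that of mount using `ls -Z`-style lines and emit the `chcon --reference` fix when they differ. The `ls -Z` lines, the paths and the `bin_t` label on curlftpfs are constructed samples (the type names themselves exist in the Fedora policy); every variable is quoted, as the reporter's note on path names recommends.

```shell
# Added example (not from the bug report): decide whether a FUSE helper carries
# the same SELinux type as the mount binary, using `ls -Z`-style output.

# Extract the type field (third colon-separated component) from a full
# SELinux context such as system_u:object_r:mount_exec_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the context types of two `ls -Z` lines of the form "<context> <path>"
# (paths without spaces, which is all the constructed samples need).
# Prints "ok" and returns 0 when the types match; otherwise prints the
# mismatch, the chcon command that would copy the reference label, and
# returns 1. Nothing is relabeled by this function.
check_helper_label() {
    ref_line=$1
    helper_line=$2
    ref_ctx=${ref_line%% *}
    ref_path=${ref_line##* }
    helper_ctx=${helper_line%% *}
    helper_path=${helper_line##* }
    ref_type=$(context_type "$ref_ctx")
    helper_type=$(context_type "$helper_ctx")
    if [ "$ref_type" = "$helper_type" ]; then
        echo "ok: $helper_path is $helper_type"
        return 0
    fi
    echo "mismatch: $helper_path is $helper_type, $ref_path is $ref_type"
    echo "fix: chcon --reference=$ref_path $helper_path"
    return 1
}

# Constructed sample `ls -Z` output, not copied from any real system:
# mount carries the policy's mount_exec_t, while the FUSE helper was
# installed with the generic bin_t label (the situation comment #7 found).
MOUNT_LINE='system_u:object_r:mount_exec_t:s0 /bin/mount'
CURLFTPFS_LINE='system_u:object_r:bin_t:s0 /usr/bin/curlftpfs'

check_helper_label "$MOUNT_LINE" "$CURLFTPFS_LINE" || true
```

On a real system the two lines would come from `ls -Z "$(which mount)" "$(which curlftpfs)"`, and the printed `chcon` command is what comment #7 ran.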