Bug 290941

Summary: SELinux is preventing /usr/bin/runcon (unconfined_execmem_t) "transition" to /bin/umount (unconfined_t).
Product: [Fedora] Fedora
Reporter: Dag Bjerkeli <dag>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium    
Version: 7   
Hardware: i386   
OS: Linux   
Last Closed: 2007-09-21 18:05:38 UTC
Attachments:
Description: Entries in /var/log/messages from reboot of 14th sep. (Flags: none)

Description Dag Bjerkeli 2007-09-14 14:58:48 UTC
Description of problem:
I'm getting an SELinux denial when rebooting the system.

How reproducible:
Looks like every time I reboot the system

Additional info:
I have some NFS shares that I mount in /etc/fstab, it's those that trigger
SELinux. At least that's what it looks like to me.

Here is the output from setroubleshooter browser regarding the entry:

Source Context:  user_u:system_r:unconfined_execmem_t
Target Context:  user_u:system_r:unconfined_t
Target Objects:  /bin/umount [ process ]
Affected RPM Packages:  coreutils-6.9-3.fc7
[application]util-linux-2.13-0.54.fc7 [target]
Policy RPM:  selinux-policy-2.6.4-40.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  dag.inputdata.no
Platform:  Linux dag.inputdata.no 2.6.22.5-76.fc7 #1 SMP Thu Aug 30 13:47:21 EDT
2007 i686 i686
Alert Count:  6
First Seen:  tir 14-08-2007 15:30:29 CEST
Last Seen:  fre 14-09-2007 16:42:22 CEST
Local ID:  d6a665be-1cfb-4d63-9efb-5adcd9a1eebb
Line Numbers:  
Raw Audit Messages :
avc: denied { transition } for comm="runcon" dev=dm-0 egid=0 euid=0
exe="/usr/bin/runcon" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="umount"
path="/bin/umount" pid=4039 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=pts0 uid=0

Comment 1 Daniel Walsh 2007-09-14 17:40:13 UTC
What is executing runcon?  Nothing should be running this?

Comment 2 Dag Bjerkeli 2007-09-18 08:11:21 UTC
Created attachment 198211
Entries in /var/log/messages from reboot of 14th sep.

Comment 3 Dag Bjerkeli 2007-09-18 08:13:42 UTC
I'm getting these entries when I'm rebooting the system. I've attached some
output from /var/log/messages.

Comment 4 Daniel Walsh 2007-09-18 15:14:01 UTC
grep runcon /etc/rc.d/init.d/*

Something is running runcon which should not.

Comment 5 Dag Bjerkeli 2007-09-20 06:16:05 UTC
[root@dag ~]# grep runcon /etc/rc.d/init.d/*
/etc/rc.d/init.d/vmware:      runcon -t $context -- $command



Comment 6 Daniel Walsh 2007-09-21 18:05:38 UTC
This is a bug in vmware.  It should not be executing runcon in a script.

Please report this to them, and add me to the list.  If you remove the runcon
and only run $command does it work?

Comment 7 Dag Bjerkeli 2007-09-24 07:14:02 UTC
Thanks, I've modified the script as you suggested, and the warnings were gone
from messages.  I could not find anything that indicated that I've run into a
different problem. So I'll file a bug at VMware.
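
The triage path this thread follows (read comm= and the two contexts from the denial, then find the init script that calls that command), as an added shell example that is not part of the bug report. The function names and the temporary init.d directory with its `netfs` file are assumptions made for illustration; the AVC record and the `runcon` line are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage of an AVC "transition" denial, following the thread.
# SAMPLE_AVC is the denial quoted in this report (wrapped as on the page);
# the init.d directory built by make_sample_initd is constructed test data.

SAMPLE_AVC='avc: denied { transition } for comm="runcon" dev=dm-0 egid=0 euid=0
exe="/usr/bin/runcon" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="umount"
path="/bin/umount" pid=4039 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=pts0 uid=0'

# Print one key=value field of an AVC record, surrounding quotes stripped.
avc_field() {  # usage: avc_field KEY RECORD
    { printf ' %s' "$2" | tr '\n' ' '; echo; } |
        sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# The domain type is the third colon-separated part of an SELinux context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# List the scripts under DIR that mention the command named in comm=.
find_callers() {  # usage: find_callers RECORD DIR
    fc_comm=$(avc_field comm "$1")
    [ -n "$fc_comm" ] || return 1
    grep -lw -- "$fc_comm" "$2"/* 2>/dev/null
}

# Build a throwaway init.d directory (constructed data) and print its path.
make_sample_initd() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'runcon -t $context -- $command' > "$d/vmware"
    printf '%s\n' '#!/bin/sh' 'umount -a -t nfs' > "$d/netfs"
    printf '%s\n' "$d"
}

# Summarise the denial, then name the scripts that invoke the denied command.
triage() {  # usage: triage RECORD DIR
    printf '%s: %s -> %s (class %s)\n' "$(avc_field comm "$1")" \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" "$(avc_field tclass "$1")"
    find_callers "$1" "$2" | sed 's/^/  invoked from: /'
}

initd=$(make_sample_initd)
triage "$SAMPLE_AVC" "$initd"
rm -rf "$initd"
```

On a real system the second argument to `triage` would be `/etc/rc.d/init.d`, the directory searched in Comment 4.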