Bug 437282

Summary: selinux denial on latest fuse update
Product: [Fedora] Fedora
Reporter: Bradley <bbaetz>
Component: fuse
Assignee: Peter Lemenkov <lemenkov>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 8
CC: fatkasuvayu, jones.peter, monakhv, redhat-bugzilla, robatino, tcallawa, webmaster
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-03-15 15:47:23 UTC

Description Bradley 2008-03-13 11:42:33 UTC
Description of problem:

Latest fuse update (fuse-2.7.3-2.fc8) now runs an initscript. With selinux, this
fails.

Version-Release number of selected component (if applicable):

fuse-2.7.3-2.fc8
selinux-policy-3.0.8-87.fc8

How reproducible:

Always

Steps to Reproduce:

[root@plum ~]# /etc/rc.d/init.d/fuse start
  
Actual results:

Loading fuse module.
Mounting fuse control filesystem failed!

fusectl not mounted

Expected results:

No error

Additional info:

mount -t fusectl fusectl /sys/fs/fuse/connections

works. strace -f on the initscript call shows the failing call is

4047  mount("fusectl", "/sys/fs/fuse/connections", "fusectl"..., MS_MGC_VAL,
NULL) = -1 EACCES (Permission denied)

sealert applet says:

Summary:

SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is
required by mount and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          plum.home
Source RPM Packages           util-linux-ng-2.13.1-1.fc8
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     plum.home
Platform                      Linux plum.home 2.6.24.3-12.fc8 #1 SMP Tue Feb 26
                              14:21:30 EST 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 13 Mar 2008 22:35:48 EST
Last Seen                     Thu 13 Mar 2008 22:37:39 EST
Local ID                      35c4e379-a969-48c6-b501-05836c7bced1
Line Numbers                  

Raw Audit Messages            

host=plum.home type=AVC msg=audit(1205408259.985:53): avc:  denied  { mount }
for  pid=4047 comm="mount" name="/" dev=fusectl ino=1
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=filesystem

host=plum.home type=SYSCALL msg=audit(1205408259.985:53): arch=c000003e
syscall=165 success=no exit=-13 a0=2aaaaacd9d10 a1=2aaaaacdb0d0 a2=2aaaaacdb100
a3=ffffffffc0ed0001 items=0 ppid=4032 pid=4047 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="mount" exe="/bin/mount"
subj=system_u:system_r:mount_t:s0 key=(null)

Comment 1 Adrian 2008-03-13 21:08:08 UTC
I am experiencing the same problem.

Comment 2 Peter Lemenkov 2008-03-14 09:58:22 UTC
*** Bug 437420 has been marked as a duplicate of this bug. ***

Comment 3 Dmitry Monakhov 2008-03-14 14:27:26 UTC
I have the same problem.

Comment 4 Jon Riding 2008-03-14 17:31:41 UTC
Same here. Worked around with:

# grep mount /var/log/messages | audit2allow -M mymount
# semodule -i mymount.pp
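
Added example, not part of the original thread: a small review step to run before loading a local module built as in Comment 4. It approximates the allow rules the matched denials would turn into (it is not audit2allow's own code), separates rules for domains other than mount_t that a broad `grep mount` also picks up, and flags rules whose target is unlabeled_t, which apply to every unlabeled object of that class and not only to fusectl. The function names and the second log record are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the denial quoted in the bug
# description, re-joined onto one line; the second is an invented, unrelated
# denial that also contains the string "mount" and so matches "grep mount".
SAMPLE_LOG = """\
host=plum.home type=AVC msg=audit(1205408259.985:53): avc:  denied  { mount } for  pid=4047 comm="mount" name="/" dev=fusectl ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
host=example type=AVC msg=audit(1205408300.100:60): avc:  denied  { read write } for  pid=5000 comm="automount" name="example.conf" dev=dm-0 ino=42 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def proposed_rules(log_text):
    """Group AVC denials into the allow rules a local module would carry."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        if len(perms) == 1:
            perm_txt = next(iter(perms))
        else:
            perm_txt = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules

def review(rules, expected_source="mount_t"):
    """Return (rules for the expected domain, other rules, unlabeled_t rules)."""
    wanted = [r for r in rules if r.startswith(f"allow {expected_source} ")]
    extra = [r for r in rules if r not in wanted]
    broad = [r for r in wanted if " unlabeled_t:" in r]
    return wanted, extra, broad

if __name__ == "__main__":
    wanted, extra, broad = review(proposed_rules(SAMPLE_LOG))
    print("expected domain:", wanted)
    print("other domains matched by the grep:", extra)
    print("target is unlabeled_t:", broad)
```

The generated `mymount.te` file that `audit2allow -M` writes next to `mymount.pp` can be read the same way before running `semodule -i`.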



Comment 5 Ilya Ryabinkin 2008-03-14 21:38:11 UTC
I confirm the bug

Comment 6 Kevin R. Page 2008-03-15 14:04:09 UTC
This is probably a problem with SELinux policy - could the reporter reassign
the bug to the selinux-policy component, please? This should ensure it's dealt
with promptly.

Comment 7 Jonathan Underwood 2008-03-15 15:47:23 UTC
Actually I just reported this as a bug against SELinux before I stumbled across
this report.

https://bugzilla.redhat.com/show_bug.cgi?id=437634

Will mark this bug as a duplicate of 437634 even though this bug was reported first.



*** This bug has been marked as a duplicate of 437634 ***

Comment 8 Suvayu 2008-03-17 14:37:04 UTC
I got this exact same problem after the last system update.

During system boot I get:
fuse control file system failure