Bug 447967

Summary: selinux-policy-targeted causes violation when unmounting with hal
Product: [Fedora] Fedora
Reporter: Eric Mertens <emertens>
Component: hal
Assignee: David Zeuthen <davidz>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: jkubin, mclasen, pertusus
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-23 16:04:02 UTC

Description Eric Mertens 2008-05-22 17:43:46 UTC
Description of problem:
When I eject a CD, I get the following SELinux warning. This behavior is new
starting with selinux-policy-targeted-3.3.1-51.fc9.noarch

Following this setroubleshoot output you will find an IRC conversation
transcript that might contain additional information to help solve this.

Summary:

SELinux prevented umount from mounting on the file or directory
"/media/.hal-mtab-lock" (type "mnt_t").

Detailed Description:

SELinux prevented umount from mounting a filesystem on the file or directory
"/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting
of filesystems to only some files or directories (those with types that have the
mountpoint attribute). The type "mnt_t" does not have this attribute. You can
either relabel the file or directory or set the boolean "allow_mount_anyfile" to
true to allow mounting on any file or directory.

Allowing Access:

Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."

Fix Command:

setsebool -P allow_mount_anyfile=1

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:mnt_t:s0
Target Objects                /media/.hal-mtab-lock [ file ]
Source                        umount
Source Path                   /bin/umount
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           util-linux-ng-2.13.1-6.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_mount_anyfile
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.3-18.fc9.x86_64
                              #1 SMP Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 22 May 2008 10:16:43 AM PDT
Last Seen                     Thu 22 May 2008 10:20:39 AM PDT
Local ID                      a2c68149-bf89-4e08-9efc-35a3628701be
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1211476839.344:29): avc:  denied 
{ read write } for  pid=4839 comm="umount" path="/media/.hal-mtab-lock" dev=sda3
ino=196614 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1211476839.344:29):
arch=c000003e syscall=59 success=yes exit=0 a0=403665 a1=7fff92d517d0
a2=7fff92d51e58 a3=7fff92d51180 items=0 ppid=4838 pid=4839 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)


IRC Transcript:
<glguy> When ejecting a CD I get the following selinux alert "SELinux prevented
umount from mounting on the file or directory "/media/.hal-mtab-lock" (type
"mnt_t"). "   Before I click "submit" on the bug-report, is this a known issue
(I didn't see it in the bug tracker)
<domg472> hi
<domg472> can you do cat /var/log/audit/audit.log | grep mnt_t | audit2allow -R?
<domg472> should paste only a few lines
<glguy> require {\n type mount_t;\n}
<glguy> #============= mount_t ==============\nfiles_manage_mnt_files(mount_t)\n
<domg472> f9?
<glguy> yes
<domg472> can you paste this line: 
<domg472> can you do cat /var/log/audit/audit.log | grep mnt_t 
<glguy> type=AVC msg=audit(1211476603.124:28): avc:  denied  { read write } for
 pid=4641 comm="umount" path="/media/.hal-mtab-lock" dev=sda3 ino=196614
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=file
<glguy> type=AVC msg=audit(1211476839.344:29): avc:  denied  { read write } for
 pid=4839 comm="umount" path="/media/.hal-mtab-lock" dev=sda3 ino=196614
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=file
<domg472> thanks
<domg472> alright lets have a look
<domg472> first im going to see if this rule exists in policy:
<domg472> sesearch --allow -s mount_t -t mnt_t -c file
/etc/selinux/targeted/policy/policy.23
<glguy> Found 2 semantic av rules:
<glguy>    allow mount_t @ttr1392 : file { getattr mounton }; 
<glguy>    allow mount_t mnt_t : file { ioctl read getattr lock mounton };

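As an added illustration (not part of the bug report, nor code from the hal or selinux-policy projects), the script below parses AVC records like the two quoted above, collapses them into one allow rule per source type, target type and object class the way audit2allow does, and then subtracts the permissions granted by the `allow mount_t mnt_t : file` rule that sesearch printed in the IRC transcript, so the reader can see which requested permission that rule does not cover. The audit lines and the rule are copied from this report; the `@ttr1392` attribute rule is left out because its member types are not visible on the page, and the SYSCALL record is included only to show that non-AVC records are skipped.

```python
"""Parse raw SELinux AVC denials and compare them against known allow rules.

Added example, not part of the bug report. The audit lines and the policy
rule below are copied from the report (two AVC denials for umount plus one
SYSCALL record, and the sesearch output for mount_t -> mnt_t : file).
"""
import re
from dataclasses import dataclass

# Sample input: constructed copy of the records quoted in the report,
# re-joined onto one line per record as they appear in audit.log.
AUDIT_LOG = """\
type=AVC msg=audit(1211476603.124:28): avc:  denied  { read write } for pid=4641 comm="umount" path="/media/.hal-mtab-lock" dev=sda3 ino=196614 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
type=SYSCALL msg=audit(1211476603.124:28): arch=c000003e syscall=59 success=yes exit=0 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1211476839.344:29): avc:  denied  { read write } for pid=4839 comm="umount" path="/media/.hal-mtab-lock" dev=sda3 ino=196614 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
"""

# The concrete allow rule sesearch printed in the report. The second rule it
# printed targets attribute @ttr1392, whose members are unknown here, so it
# is deliberately not modelled.
POLICY_RULES = {
    ("mount_t", "mnt_t", "file"): {"ioctl", "read", "getattr", "lock", "mounton"},
}

# Fields of an AVC denial record: permission set, comm, source/target
# contexts and object class. Other record types (SYSCALL, ...) do not match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


@dataclass(frozen=True)
class Denial:
    comm: str
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset


def type_of(context: str) -> str:
    """Third field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(log_text: str) -> list:
    """Return one Denial per AVC record; non-AVC records are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        denials.append(Denial(
            comm=m["comm"],
            source_type=type_of(m["scontext"]),
            target_type=type_of(m["tcontext"]),
            tclass=m["tclass"],
            perms=frozenset(m["perms"].split()),
        ))
    return denials


def missing_perms(denial: Denial, rules: dict) -> set:
    """Permissions in the denial that the known allow rules do not grant."""
    key = (denial.source_type, denial.target_type, denial.tclass)
    return set(denial.perms) - rules.get(key, set())


def minimal_allow_rules(log_text: str, rules: dict) -> list:
    """Collapse denials into one allow rule per (source, target, class),
    as audit2allow does, keeping only permissions not already granted."""
    needed = {}
    for d in parse_denials(log_text):
        key = (d.source_type, d.target_type, d.tclass)
        needed.setdefault(key, set()).update(missing_perms(d, rules))
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(needed.items()) if p
    ]


if __name__ == "__main__":
    for rule in minimal_allow_rules(AUDIT_LOG, POLICY_RULES):
        print(rule)
```

Run it with `python3` and it prints a single rule for the `write` permission, the only part of the `{ read write }` request that the quoted `allow mount_t mnt_t : file` rule does not already grant. Unlike `audit2allow -R`, the script does not map the rule back to a reference-policy interface such as `files_manage_mnt_files`; it only shows the raw permission gap a practitioner would want to confirm before changing a boolean or relabelling the file.
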
Comment 1 Daniel Walsh 2008-05-23 16:04:02 UTC

*** This bug has been marked as a duplicate of 447195 ***