Bug 466778

Summary: avc: denied write comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: autofsAssignee: Jeff Moyer <jmoyer>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 8CC: dwalsh, ikent, jmoyer
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-15 20:14:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2008-10-13 15:40:05 UTC 
Seeing lots of:

Oct 13 09:31:00 makani kernel: type=1400 audit(1223911860.885:106): avc:  denied  { write }for  pid=19680 comm="umount" path=2F7661722F6366656E67696E652F6F7574707574732F63665F6D616B616E695F636F72615F6E7772615F636F6D5F323030382D31302D31322D2D31352D30302D30325F31323233383435323032202864656C6574656429 dev=sda6 ino=63815 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):
autofs-5.0.2-29
selinux-policy-3.0.8-117.fc8
Comment 1 Ian Kent 2008-10-14 12:25:13 UTC 
Isn't this the same as bug 390591?
Comment 2 Daniel Walsh 2008-10-15 14:22:48 UTC 
Certainly looks like a leaked file descriptor.  Although there is a log file with a space in the name?

ausearch -i -M avc

will translate the path above.
Comment 3 Orion Poplawski 2008-10-15 16:03:09 UTC 
ausearch -i -m avc -if /var/log/messages | grep umount

type=AVC msg=audit(10/13/2008 08:03:17.848:98) : avc:  denied  { write } for  pid=14546 comm=umount path=/var/cfengine/outputs/cf_makani_cora_nwra_com_2008-10-12--15-00-02_1223845202 (deleted) dev=sda6 ino=63815 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Okay, I think I know what's going on.  autofs has been crashing and I have configured cfengine to restart autofs if it died.  So the leaked mount descriptors are going to the cfengine log.  But it still seems a little different than 390591 since that is a "read" denial.  This also may be more a cfengine issue than autofs.
Comment 4 Daniel Walsh 2008-10-15 20:14:25 UTC 
Yes the problem is cfengine is leaking the file descriptor to autofs which is leaking to mount.

Fix cfengine or add a local customization.