Bug 498644

Summary: SELinux prevented mount from mounting on the file or directory "/proc/xen" (type "proc_xen_t").
Product: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Jerry Amundson <jamundso>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, eparis, mgrepl, sdsmall
Target Milestone: ---
Target Release: ---
Doc Type: Bug Fix
Last Closed: 2009-05-01 17:59:23 UTC

Description Jerry Amundson 2009-05-01 16:00:37 UTC
Description of problem:
SELinux prevented mount from mounting on the file or directory "/proc/xen" (type "proc_xen_t"). 

Version-Release number of selected component (if applicable):
Source RPM Packages           util-linux-ng-2.14.2-8.fc11
Policy RPM                    selinux-policy-3.6.12-23.fc11

How reproducible:
once

Steps to Reproduce:
1. started xend
2. [ yes, I'm running myoung's dom0 kernel ]
Actual results:
avc and error with suggested fix:
# chcon -t mnt_t /proc/xen
chcon: failed to change context of `/proc/xen' to `system_u:object_r:mnt_t:s0': Operation not supported

Expected results:
no avc or error

Additional info:

Summary:

SELinux prevented mount from mounting on the file or directory "/proc/xen" (type
"proc_xen_t").

Detailed Description:

SELinux prevented mount from mounting a filesystem on the file or directory
"/proc/xen" of type "proc_xen_t". By default SELinux limits the mounting of
filesystems to only some files or directories (those with types that have the
mountpoint attribute). The type "proc_xen_t" does not have this attribute. You
can change the label of the file or directory.

Allowing Access:

Changing the file_context to mnt_t will allow mount to mount the file system:
"chcon -t mnt_t '/proc/xen'." You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t mnt_t '/proc/xen'"

Fix Command:

chcon -t mnt_t '/proc/xen'

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:proc_xen_t:s0
Target Objects                /proc/xen [ dir ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           util-linux-ng-2.14.2-8.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-23.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mounton
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30-0.1.2.21.rc3.xendom0.fc12.x86_64 #1 SMP Fri
                              Apr 24 18:41:27 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 30 Apr 2009 01:59:08 PM CDT
Last Seen                     Thu 30 Apr 2009 02:00:22 PM CDT
Local ID                      802ce6f8-04a1-4bd5-b3b8-fb41aa49d793
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1241118022.211:36689): avc:  denied  { mounton } for  pid=3358 comm="mount" path="/proc/xen" dev=proc ino=4026531946 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=dir

node=jerry-opti755 type=SYSCALL msg=audit(1241118022.211:36689): arch=c000003e syscall=165 success=no exit=-13 a0=7fad767e35b0 a1=7fad767e4a50 a2=7fad767e5bb0 a3=ffffffffc0ed0001 items=0 ppid=3355 pid=3358 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)

Comment 1 Daniel Walsh 2009-05-01 17:24:46 UTC
Not sure this makes any sense, so I added SELinux kernel developers to look at it.

Comment 2 Stephen Smalley 2009-05-01 17:33:39 UTC
Assuming that it is normal for userspace to mount something on top of /proc/xen, then this just requires a policy change to allow mounton permission to proc_xen_t:dir.
Relabeling /proc/xen via chcon doesn't make sense, but I assume setroubleshoot was just going with the same guidance it would give for a mount on a real filesystem.
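As an added example (not code from the bug report, from setroubleshoot or from selinux-policy), the Python below reads the two raw audit records quoted in the description, pulls out the triple Stephen's comment is talking about (source type, target type and class, denied permission) and derives the `allow mount_t proc_xen_t:dir mounton;` rule that audit2allow would propose for it. It also decodes the SYSCALL record (syscall 165 on arch c000003e is mount on x86_64, exit -13 is EACCES) and flags why the suggested chcon could not have helped: /proc carries no security xattrs, so its labels come from the policy's genfscon rules and cannot be changed per-object. The audit lines are copied from the description; the syscall-number table and the procfs heuristic are assumptions of this example, not a libselinux API.

```python
import errno
import re

# Constructed input: the two raw audit records quoted in the bug description,
# embedded here so the script runs without access to /var/log/audit/audit.log.
RAW_AUDIT = """\
node=jerry-opti755 type=AVC msg=audit(1241118022.211:36689): avc:  denied  { mounton } for  pid=3358 comm="mount" path="/proc/xen" dev=proc ino=4026531946 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=dir
node=jerry-opti755 type=SYSCALL msg=audit(1241118022.211:36689): arch=c000003e syscall=165 success=no exit=-13 a0=7fad767e35b0 a1=7fad767e4a50 a2=7fad767e5bb0 a3=ffffffffc0ed0001 items=0 ppid=3355 pid=3358 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
"""

# Assumed lookup tables: the x86_64 audit arch value and the one syscall
# number this bug involves (165 is mount on x86_64).
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES = {("x86_64", 165): "mount"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit lines by the serial in audit(ts:serial) so the AVC and the
    SYSCALL record of one denial can be read together."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"msg=audit\([\d.]+:(?P<serial>\d+)\)", line)
        t = re.search(r"\btype=(\w+)", line)
        if not (m and t):
            continue
        events.setdefault(int(m.group("serial")), {})[t.group(1)] = line
    return events


def parse_avc(line):
    """Pull the permissions, contexts and object class out of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "dev": fields.get("dev"),
    }


def type_of(context):
    """Type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def allow_rule(avc):
    """The allow rule audit2allow would propose for a single denial."""
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (
        type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], perms)


def describe_syscall(line):
    """Decode the SYSCALL record: which call failed, and with which errno."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    arch = ARCH_NAMES.get(fields["arch"], fields["arch"])
    number = int(fields["syscall"])
    code = int(fields["exit"])
    return {
        "arch": arch,
        "syscall": SYSCALL_NAMES.get((arch, number), "syscall_%d" % number),
        "success": fields["success"] == "yes",
        "errno": errno.errorcode.get(-code, str(code)) if code < 0 else None,
        "exe": fields.get("exe"),
    }


def relabel_viable(avc):
    """Heuristic (an assumption of this example): chcon cannot fix a denial on
    an object that lives on procfs, because proc stores no security xattrs and
    its labels come from genfscon rules in the policy. That is why the
    reporter's chcon failed with 'Operation not supported'."""
    return avc["dev"] not in {"proc"}


if __name__ == "__main__":
    for serial, recs in parse_records(RAW_AUDIT).items():
        avc = parse_avc(recs["AVC"])
        print("event %d: %s %s on %s" % (serial, avc["comm"], avc["perms"], avc["path"]))
        print("  policy fix:", allow_rule(avc))
        print("  chcon could help:", relabel_viable(avc))
        if "SYSCALL" in recs:
            print("  syscall:", describe_syscall(recs["SYSCALL"]))
```

Run it as a script to see the derived rule for the denial in this report; the same functions work on any AVC/SYSCALL pair pulled from audit.log, which is the quick way to tell a "needs a policy rule" denial (pseudo-filesystem target) from a "needs a relabel" one (real filesystem target with a mislabelled mountpoint).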

Comment 3 Daniel Walsh 2009-05-01 17:39:45 UTC
That is my question, does it make any sense to mount a file system on /proc/xen?

Comment 4 Daniel Walsh 2009-05-01 17:59:23 UTC
Fixed in selinux-policy-3.6.12-27.fc11.noarch

I will allow it.

Comment 5 Jerry Amundson 2009-05-01 18:01:40 UTC
Blech. Never mind, this is user error. I was testing ideas on why my dom0 wasn't working. Now that I go back through the shell history, I see "mount -t xenfs xen /proc/xen" as root. Oops. Sorry for the noise.