Bug 500943

Summary: SELinux is preventing mount (mount_t) "read" sysfs_t
Product: [Fedora] Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Ralf Corsepius <rc040203>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, holler, jwest, mgrepl
Keywords: Reopened
Doc Type: Bug Fix
Last Closed: 2010-01-20 09:28:55 UTC
Bug Blocks: 517000

Description Ralf Corsepius 2009-05-15 03:18:30 UTC
Description of problem:

Whenever I plug in a wired ethernet to a system running NetworkManager, I am observing a series of SELinux alerts similar to this:

May 15 05:02:09 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 5b990766-fdec-44bb-9960-1cb30c15597e
May 15 05:02:10 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 3f7edc52-ce3e-4681-a8ec-769dfdabff9b
May 15 05:02:11 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 7b00c48a-9845-4786-aaa2-24f99dab8d44
May 15 05:02:12 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l abab990d-1af2-4c44-9436-ec4e74a14a64
May 15 05:02:12 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 3f7edc52-ce3e-4681-a8ec-769dfdabff9b
May 15 05:02:13 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 7b00c48a-9845-4786-aaa2-24f99dab8d44

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-34.fc11.noarch
selinux-policy-3.6.12-34.fc11.noarch

How reproducible:
Always, on one machine.
On a second (different) machine with a very similar setup, this doesn't happen.

Steps to Reproduce:
1. Boot machine, login
2. unplug ethernet cable, wait for a couple of minutes
3. plug in ethernet cable
  
Actual results:
Sealerts pop up.

Expected results:
No alerts.

Additional info:

* All sealerts contain something similar to this, except that individual sealerts refer to other "dm-X" (dm-0 .. dm-3):
...
Raw Audit Messages            

node=columbo type=AVC msg=audit(1242356523.274:203): avc:  denied  { read } for  pid=1252 comm="mount" name="dm-3" dev=sysfs ino=7197 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

node=columbo type=SYSCALL msg=audit(1242356523.274:203): arch=40000003 syscall=5 success=no exit=-13 a0=bf95fa0c a1=98800 a2=8e1100 a3=bf95fa0c items=0 ppid=1230 pid=1252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
...

Unfortunately this leaves me rather clueless.

* touch .autorelabel + reboot does not help.

Comment 1 Bug Zapper 2009-06-09 15:50:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Alexander Holler 2009-08-08 16:29:06 UTC
I'm getting the same audit messages with F11.

Comment 3 Alexander Holler 2009-08-08 16:35:54 UTC
Output from sealert:

Summary:

SELinux is preventing mount (mount_t) "read" sysfs_t.

Detailed Description:

...

Additional Information:

Source Context                system_u:system_r:mount_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys/block/dm-10 [ lnk_file ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          krabat.ahsoftware
Source RPM Packages           util-linux-ng-2.14.2-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-69.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     krabat.ahsoftware
Platform                      Linux krabat.ahsoftware
                              2.6.29.6-217.2.3.fc11.x86_64 #1 SMP Wed Jul 29
                              16:02:42 EDT 2009 x86_64 x86_64
Alert Count                   20
First Seen                    Mon Jul 27 11:18:25 2009
Last Seen                     Sat Aug  8 18:21:07 2009
Local ID                      4e8e103c-8546-4172-b63b-bc6efdabb21e
Line Numbers

Raw Audit Messages

node=krabat.ahsoftware type=AVC msg=audit(1249748467.276:116): avc:  denied  { read } for  pid=2958 comm="mount" name="dm-10" dev=sysfs ino=7859 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

node=krabat.ahsoftware type=SYSCALL msg=audit(1249748467.276:116): arch=c000003e syscall=2 success=no exit=-13 a0=7fff4dd5ae00 a1=90800 a2=7fff4dd5ae17 a3=fffffffb items=0 ppid=2956 pid=2958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)

Comment 4 Daniel Walsh 2009-08-10 14:06:50 UTC
Fixed in selinux-policy-3.6.26-9.fc12.noarch

Comment 5 Ralf Corsepius 2009-08-10 14:30:57 UTC
Reopening, this bug was filed against FC11. Fixed RAWHIDE is not a solution.

Comment 6 Daniel Walsh 2009-08-10 17:02:49 UTC
Miroslav, add

dev_read_sysfs(mount_t)

Comment 7 Miroslav Grepl 2009-08-11 10:31:12 UTC
Fixed in selinux-policy-3.6.12-75.fc11

Comment 8 Miroslav Grepl 2010-01-20 09:28:55 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if
the bug is not actually fixed.
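
Added example, not part of the bug thread or of the selinux-policy project: a short Python parser that reduces the two AVC records quoted in this report to the type-enforcement rule they imply, showing that the separate alerts for dm-3 and dm-10 are one and the same denial. The function names are this example's own; the fix named in comment 6 grants the access through the `dev_read_sysfs` interface rather than through a raw allow rule.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this report (description and comment 3).
AVC_LINES = [
    'node=columbo type=AVC msg=audit(1242356523.274:203): avc:  denied  { read } for  pid=1252 comm="mount" name="dm-3" dev=sysfs ino=7197 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
    'node=krabat.ahsoftware type=AVC msg=audit(1249748467.276:116): avc:  denied  { read } for  pid=2958 comm="mount" name="dm-10" dev=sysfs ino=7859 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:level[:categories]; the type is field 3,
    # so an MLS range such as s0-s0:c0.c1023 does not disturb the lookup.
    return {
        'perms': m.group('perms').split(),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
    }


def summarize(lines):
    """Map each implied allow rule to the sorted object names that hit it."""
    perms, names = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other record types carry no AVC fields
        key = (rec['source'], rec['target'], rec['tclass'])
        perms[key].update(rec['perms'])
        names[key].add(rec['name'])
    out = {}
    for (src, tgt, cls), p in sorted(perms.items()):
        p = sorted(p)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out[f'allow {src} {tgt}:{cls} {perm_str};'] = sorted(names[(src, tgt, cls)])
    return out


if __name__ == '__main__':
    for rule, objs in summarize(AVC_LINES).items():
        print(rule, ' # objects:', ', '.join(objs))
```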