Bug 564455

Summary: SELinux is preventing umount (mount_t) "read write" automount_t.
Product: [Fedora] Fedora Reporter: Jerry Amundson <jamundso>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.12-95.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-23 23:28:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jerry Amundson 2010-02-12 19:41:10 UTC 
Description of problem:
SELinux is preventing umount (mount_t) "read write" automount_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-94.fc11

How reproducible:
once

Steps to Reproduce:
1.not even sure, but seemed related to enabling Text-to-Speech (kttsd)
2.
3.
  
Actual results:
avc

Expected results:
no avc

Additional info:

Summary:

SELinux is preventing umount (mount_t) "read write" automount_t.

Detailed Description:

SELinux denied access requested by umount. It is not expected that this access
is required by umount and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:system_r:automount_t:s0
Target Objects                socket [ udp_socket ]
Source                        umount
Source Path                   /bin/umount
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           util-linux-ng-2.14.2-11.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-94.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755 2.6.30.10-105.2.13.fc11.x86_64
                              #1 SMP Wed Feb 3 01:58:30 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 12 Feb 2010 01:35:20 PM CST
Last Seen                     Fri 12 Feb 2010 01:35:20 PM CST
Local ID                      bcbeb702-2a7b-41f6-acd6-2f734b2e72c9
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1266003320.417:30516): avc:  denied  { read write } for  pid=26903 comm="umount" path="socket:[472534]" dev=sockfs ino=472534 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=udp_socket

node=jerry-opti755 type=SYSCALL msg=audit(1266003320.417:30516): arch=c000003e syscall=59 success=yes exit=0 a0=7f0c42abee70 a1=7f0c42abde00 a2=7f0c4ad66330 a3=7f0c42abd180 items=0 ppid=1700 pid=26903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-02-13 12:58:07 UTC 
Miroslav, lets just add


ifdef(`hide_broken_symptoms', `
	dontaudit mount_t $1:unix_stream_socket { read write };
	dontaudit mount_t $1:tcp_socket  { read write };
	dontaudit mount_t $1:udp_socket { read write };
')

to mount_domtrans, since these pop up and seem to be unfixable.

Add to F11 and F12.
Comment 2 Miroslav Grepl 2010-02-15 10:51:16 UTC 
Fixed in selinux-policy-3.6.12-95.fc11 and selinux-policy-3.6.32-91.fc12
Comment 3 Fedora Update System 2010-02-19 17:11:41 UTC 
selinux-policy-3.6.12-95.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-95.fc11
Comment 4 Fedora Update System 2010-02-23 05:32:36 UTC 
selinux-policy-3.6.12-95.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-2591
Comment 5 Fedora Update System 2010-03-23 23:28:13 UTC 
selinux-policy-3.6.12-95.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.