Bug 608403
| Summary: | SELinux is preventing /bin/mount "getattr" access to device /dev/sdc. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tobias Mueller <fedora-bugs> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:16118762bc529031d52aa64a834ce0bec10ba7fb64387a0d42542fa4fd74e583 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-06-28 11:06:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 605771 *** |
Summary: SELinux is preventing /bin/mount "getattr" access to device /dev/sdc. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied mount "getattr" access to device /dev/sdc. /dev/sdc is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v '/dev/sdc'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bg report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for /dev/sdc, you can use chcon -t SIMILAR_TYPE '/dev/sdc', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/sdc' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application. Allowing Access: Attempt restorecon -v '/dev/sdc' or chcon -t SIMILAR_TYPE '/dev/sdc' Additional Information: Source Context system_u:system_r:mount_t:s0 Target Context system_u:object_r:device_t:s0 Target Objects /dev/sdc [ blk_file ] Source mount Source Path /bin/mount Port <Unknown> Host (removed) Source RPM Packages util-linux-ng-2.17.2-5.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-28.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name device Host Name (removed) Platform Linux (removed) 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64 Alert Count 34 First Seen Do 17 Jun 2010 20:52:06 CEST Last Seen So 27 Jun 2010 11:35:24 CEST Local ID a023f1c6-74ca-4680-b292-b563b6a40d31 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1277631324.704:28245): avc: denied { getattr } for pid=14677 comm="mount" path="/dev/sdc" dev=devtmpfs ino=6182187 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file node=(removed) type=SYSCALL msg=audit(1277631324.704:28245): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff79661c40 a2=7fff79661c40 a3=1 items=0 ppid=14665 pid=14677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) I was resuming my suspended machine with my external harddrive attache via FireWire. See also bug 605771. Hash String generated from device,mount,mount_t,device_t,blk_file,getattr audit2allow suggests: #============= mount_t ============== allow mount_t device_t:blk_file getattr;