Bug 608403

Summary: SELinux is preventing /bin/mount "getattr" access to device /dev/sdc.
Product: [Fedora] Fedora Reporter: Tobias Mueller <fedora-bugs>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:16118762bc529031d52aa64a834ce0bec10ba7fb64387a0d42542fa4fd74e583
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-28 07:06:32 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Tobias Mueller 2010-06-27 06:30:54 EDT

SELinux is preventing /bin/mount "getattr" access to device /dev/sdc.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied mount "getattr" access to device /dev/sdc. /dev/sdc is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v '/dev/sdc'. If
this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for /dev/sdc, you can use chcon -t
SIMILAR_TYPE '/dev/sdc', If this fixes the problem, you can make this permanent
by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/sdc' If the restorecon
changes the context, this indicates that the application that created the
device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this

Allowing Access:

Attempt restorecon -v '/dev/sdc' or chcon -t SIMILAR_TYPE '/dev/sdc'

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/sdc [ blk_file ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.17.2-5.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) #1 SMP Fri
                              Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   34
First Seen                    Do 17 Jun 2010 20:52:06 CEST
Last Seen                     So 27 Jun 2010 11:35:24 CEST
Local ID                      a023f1c6-74ca-4680-b292-b563b6a40d31
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277631324.704:28245): avc:  denied  { getattr } for  pid=14677 comm="mount" path="/dev/sdc" dev=devtmpfs ino=6182187 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1277631324.704:28245): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff79661c40 a2=7fff79661c40 a3=1 items=0 ppid=14665 pid=14677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)

I was resuming my suspended machine with my external harddrive attache via FireWire.
See also bug 605771.
Hash String generated from  device,mount,mount_t,device_t,blk_file,getattr
audit2allow suggests:

#============= mount_t ==============
allow mount_t device_t:blk_file getattr;
Comment 1 Miroslav Grepl 2010-06-28 07:06:32 EDT

*** This bug has been marked as a duplicate of bug 605771 ***