Bug 617344

Summary: SELinux is preventing /bin/mount "ioctl" access to device /dev/sdc1.
Product: [Fedora] Fedora Reporter: Tobias Mueller <fedora-bugs>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, eparis, fedora-bugs, jmorris, mgrepl, sdsmall
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:ac803bf12bdea112a66c7c68f289c6f3c21590fe501864d294d1246477acdcaf
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-03 15:59:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tobias Mueller 2010-07-22 19:33:24 UTC
Summary:

SELinux is preventing /bin/mount "ioctl" access to device /dev/sdc1.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied mount "ioctl" access to device /dev/sdc1. /dev/sdc1 is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v '/dev/sdc1'. If
this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for /dev/sdc1, you can use chcon
-t SIMILAR_TYPE '/dev/sdc1', If this fixes the problem, you can make this
permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/sdc1' If the
restorecon changes the context, this indicates that the application that created
the device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this
application.

Allowing Access:

Attempt restorecon -v '/dev/sdc1' or chcon -t SIMILAR_TYPE '/dev/sdc1'

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/sdc1 [ blk_file ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.17.2-5.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP Tue
                              Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   43
First Seen                    Do 17 Jun 2010 20:52:12 CEST
Last Seen                     Do 22 Jul 2010 10:47:25 CEST
Local ID                      2c9eedcc-4423-4c0d-8bc8-f95e1cc6d933
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1279788445.244:30238): avc:  denied  { ioctl } for  pid=10564 comm="mount" path="/dev/sdc1" dev=devtmpfs ino=29156504 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1279788445.244:30238): arch=c000003e syscall=16 success=no exit=-22 a0=4 a1=5331 a2=0 a3=1 items=0 ppid=10551 pid=10564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)



Hash String generated from  device,mount,mount_t,device_t,blk_file,ioctl
audit2allow suggests:

#============= mount_t ==============
allow mount_t device_t:blk_file ioctl;

Comment 1 Daniel Walsh 2010-07-22 20:34:21 UTC
Somehow /dev/sdc1 got mislabeled.

Any idea how this device got created?  If udev created it, the label would be correct.  Are you using some third party tool to add mount devices?

Comment 2 Tobias Mueller 2010-07-22 21:26:03 UTC
Same bug as bug 605771, I guess.

I have an external harddrive attached via FireWire. I suspended using pm-suspend, because the GUI tool doesn't offer a "suspend in 30 minutes". I don't think the GUI tools triggers this alert.

And no, I'm not using anything fancy. I have the harddrive in my fstab though. And it gets mounted several times.
$ mount | grep Free
/dev/sdb1 on /media/FreeAgent750 type ext3 (rw,noatime)
/dev/sdc1 on /media/FreeAgent750 type ext3 (rw,noatime)

I also received an Oops about a slowpath (after resume, that is):

ata2: SATA link down (SStatus 0 SControl 300)
ata5: SATA link down (SStatus 0 SControl 300)
ata3: SATA link down (SStatus 0 SControl 300)
ata6: SATA link down (SStatus 0 SControl 300)
ata4: SATA link down (SStatus 0 SControl 300)
ata8: SATA link down (SStatus 0 SControl 300)
ata7: SATA link down (SStatus 0 SControl 300)
usb 1-3: reset high speed USB device using ehci_hcd and address 2
sd 0:0:0:0: [sda] Starting disk
firewire_core: rediscovered device fw0
ata1: softreset failed (device not ready)
ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
ata1.00: configured for UDMA/133
usb 8-1: reset full speed USB device using uhci_hcd and address 2
PM: resume of devices complete after 11093.000 msecs
PM: Finishing wakeup.
Restarting tasks ... done.
sd 11:0:0:0: [sdb] Stopping disk
sd 11:0:0:0: [sdb] START_STOP FAILED
sd 11:0:0:0: [sdb] Result: hostbyte=DID_BUS_BUSY driverbyte=DRIVER_OK
firewire_sbp2: released fw1.0, target 11:0:0
scsi99 : SBP-2 IEEE-1394
firewire_core: created device fw1: GUID 0020370100002bca, S400, 1 config ROM retries
firewire_core: phy config: card 0, new root=ffc0, gap_count=5
[drm:drm_mode_getfb] *ERROR* invalid framebuffer id
firewire_sbp2: fw1.0: logged in to LUN 0000 (0 retries)
scsi 99:0:0:0: Direct-Access     Seagate  FreeAgent Pro    4109 PQ: 0 ANSI: 4
sd 99:0:0:0: Attached scsi generic sg2 type 0
sd 99:0:0:0: [sdc] 1465149168 512-byte logical blocks: (750 GB/698 GiB)
sd 99:0:0:0: [sdc] Write Protect is off
sd 99:0:0:0: [sdc] Mode Sense: 1c 00 00 00
sd 99:0:0:0: [sdc] Cache data unavailable
sd 99:0:0:0: [sdc] Assuming drive cache: write through
sd 99:0:0:0: [sdc] Cache data unavailable
sd 99:0:0:0: [sdc] Assuming drive cache: write through
 sdc:
EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0
ATL1E 0000:02:00.0: irq 32 for MSI/MSI-X
ADDRCONF(NETDEV_UP): eth0: link is not ready
ATL1E 0000:02:00.0: ATL1E: eth0 NIC Link is Up<100 Mbps Full Duplex>
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
 sdc1
EXT3-fs error (device sdb1): ext3_find_entry: reading directory #24682498 offset 0
------------[ cut here ]------------
WARNING: at fs/buffer.c:1159 mark_buffer_dirty+0x2b/0x86()
Hardware name: P5QL-E
Modules linked in: gspca_stv0680 gspca_main videodev v4l1_compat v4l2_compat_ioctl32 vfat fat fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table nf_conntrack_tftp nf_conntrack_netbios_ns ip6t_REJECT ip6t_ipv6header nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 ext2 uinput snd_hda_codec_atihdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd iTCO_wdt atl1e iTCO_vendor_support asus_atk0110 soundcore i2c_i801 microcode snd_page_alloc xfs exportfs aes_x86_64 aes_generic xts gf128mul dm_crypt firewire_sbp2 pata_acpi firewire_ohci ata_generic usb_storage firewire_core crc_itu_t pata_jmicron radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan]
Pid: 9129, comm: source:src Not tainted 2.6.33.6-147.fc13.x86_64 #1
Call Trace:
 [<ffffffff8104aecc>] warn_slowpath_common+0x77/0x8f
 [<ffffffff8104aef3>] warn_slowpath_null+0xf/0x11
 [<ffffffff811211b3>] mark_buffer_dirty+0x2b/0x86
 [<ffffffff81163a24>] ext3_commit_super.clone.0+0x54/0x64
 [<ffffffff81163ac4>] ext3_handle_error+0x90/0xb7
 [<ffffffff81163e70>] ext3_error+0x76/0x81
 [<ffffffff810641f3>] ? wake_bit_function+0x0/0x2e
 [<ffffffff811607cc>] ext3_find_entry+0x215/0x3df
 [<ffffffff811c2f43>] ? avc_has_perm+0x57/0x69
 [<ffffffff81161229>] ext3_lookup+0x34/0xea
 [<ffffffff81109303>] do_lookup+0xf0/0x186
 [<ffffffff811c49b8>] ? selinux_inode_permission+0x3b/0x40
 [<ffffffff8110aec0>] link_path_walk+0x244/0x598
 [<ffffffff8110b39b>] path_walk+0x64/0xd4
 [<ffffffff8110b51b>] do_path_lookup+0x25/0x88
 [<ffffffff8110c1d1>] do_filp_open+0xf8/0xad5
 [<ffffffff8120395d>] ? might_fault+0x1c/0x1e
 [<ffffffff81114fdd>] ? alloc_fd+0x76/0x11f
 [<ffffffff810ff79a>] do_sys_open+0x5e/0x10a
 [<ffffffff810ff86f>] sys_open+0x1b/0x1d
 [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b
---[ end trace 5507e3f6871933b7 ]---
sd 99:0:0:0: [sdc] Cache data unavailable
sd 99:0:0:0: [sdc] Assuming drive cache: write through
sd 99:0:0:0: [sdc] Attached SCSI disk
eth0: no IPv6 routers present
kjournald starting.  Commit interval 5 seconds
EXT3-fs (sdc1): warning: maximal mount count reached, running e2fsck is recommended
EXT3-fs (sdc1): using internal journal
EXT3-fs (sdc1): recovery complete
EXT3-fs (sdc1): mounted filesystem with ordered data mode
SELinux: initialized (dev sdc1, type ext3), uses xattr

Comment 3 Daniel Walsh 2010-07-23 11:15:51 UTC
ls -lZ /dev/sdc1

What is the label now?

Comment 4 Tobias Mueller 2010-07-23 12:58:31 UTC
Hm. "now" is now after another pm-suspend. The resume went well, i.e. w/o any error reports.

$ ls -lZ /dev/sdc1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdc1

Comment 5 Daniel Walsh 2010-07-28 17:08:08 UTC
It seems like a race condition.  I am wondering if the device driver is creating the /dev/sdc1 device and then udev realizes there is a new device and fixes the label.  If mount happens in during this time, it will generate the AVC.

Comment 6 Daniel Walsh 2010-08-20 10:06:30 UTC
Are you still seeing this problem?

Comment 7 Tobias Mueller 2010-08-20 13:11:10 UTC
Yes. With 
Name        : selinux-policy
Arch        : noarch
Version     : 3.7.19
Release     : 47.fc13

Comment 8 Daniel Walsh 2010-08-21 10:38:35 UTC
Miroslav  could you add

ifdef(`hide_broken_symptoms',`
	dev_rw_generic_blk_files(mount_t)
')


########################################
## <summary>
##	Read and write generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:blk_file rw_chr_file_perms;
')