Bug 644274

Summary: O SELinux está impedindo o acesso a /bin/mount "read" on sr0
Product: [Fedora] Fedora Reporter: Cássio Magno <kenmatrix>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: aquini, berrange, clalance, crobinso, dwalsh, itamar, jforbes, mgrepl, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e074dfaadfab051a3b1ce88bbd90c9f57aba06a7aa47e1c76fa625f46d4a15d0
Fixed In Version: selinux-policy-3.9.7-7.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-01 20:51:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Cássio Magno 2010-10-19 10:08:19 UTC 
Sumário:

O SELinux está impedindo o acesso a /bin/mount "read" on sr0

Descrição detalhada:

O SELinux impediu o acesso requisitado pelo mount. Não é comum que este acesso
seja requisitado pelo mount e isto pode indicar uma tentativa de intrusão.
Também é possível que a versão ou configuração específicas do aplicativo estejam
fazendo com que o mesmo requisite o acesso adicio

Permitindo acesso:

Você pode gerar um módulo de política local para permitir este acesso - veja o
FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Por favor,
registre um relatório de erro.

Informações adicionais:

Contexto de origem            system_u:system_r:mount_t:s0-s0:c0.c1023
Contexto de destino           system_u:object_r:virt_content_t:s0
Objetos de destino            sr0 [ blk_file ]
Origem                        mount
Caminho da origem             /bin/mount
Porta                         <Desconhecido>
Máquina                       (removido)
Pacotes RPM de origem         util-linux-ng-2.17.2-3.fc13
Pacotes RPM de destino        
RPM da política               selinux-policy-3.7.19-62.fc13
Selinux habilitado            True
Tipo de política              targeted
Modo reforçado                Enforcing
Nome do plugin                catchall
Nome da máquina               (removido)
Plataforma                    Linux (removido) 2.6.33.3-85.fc13.i686.PAE #1
                              SMP Thu May 6 18:27:11 UTC 2010 i686 i686
Contador de alertas           3
Visto pela primeira vez em    Dom 17 Out 2010 16:22:25 BRT
Visto pela última vez em      Dom 17 Out 2010 16:23:37 BRT
ID local                      f84f1e51-617d-4b1f-8e9a-d67b8af11184
Números de linha              

Mensagens de auditoria não pr 

node=(removido) type=AVC msg=audit(1287343417.300:26896): avc:  denied  { read } for  pid=4110 comm="mount" name="sr0" dev=devtmpfs ino=5674 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

node=(removido) type=SYSCALL msg=audit(1287343417.300:26896): arch=40000003 syscall=5 success=no exit=-13 a0=1b5e168 a1=8000 a2=0 a3=1b5e168 items=0 ppid=1912 pid=4110 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,mount,mount_t,virt_content_t,blk_file,read
audit2allow suggests:

#============= mount_t ==============
allow mount_t virt_content_t:blk_file read;
Comment 1 Daniel Walsh 2010-10-19 13:29:43 UTC 
This looks like libvirt relabeled /dev/sr0 as virt_content_t.  Not the correct label?
Comment 2 Daniel Berrangé 2010-10-19 13:46:11 UTC 
virt_content_t is surely correct for a read-only disks, which the CDROM device is.
Comment 3 Daniel Walsh 2010-10-19 13:56:52 UTC 
Daniel, but shouldn't it be labeled back to the default label of fixed_disk_device_t?
Comment 4 Daniel Walsh 2010-10-19 13:59:11 UTC 
Fixed in selinux-policy-3.9.7-5.fc14

Miroslav can  you add


optional_policy(`
	virt_read_blk_images(mount_t)
')
Comment 5 Daniel Walsh 2010-10-19 13:59:47 UTC 
To F13 and RHEL6
Comment 6 Daniel Berrangé 2010-10-19 14:06:47 UTC 
> Daniel, but shouldn't it be labeled back to the default label of
> fixed_disk_device_t?

When a guest shuts down, we don't currently reset labels on any disks marked shared or readonly, because there may still be another guest using that same disk path.
Comment 7 Fedora Update System 2010-10-28 20:12:47 UTC 
selinux-policy-3.9.7-7.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-7.fc14
Comment 8 Fedora Update System 2010-10-29 20:39:01 UTC 
selinux-policy-3.9.7-7.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-7.fc14
Comment 9 Fedora Update System 2010-11-01 20:50:18 UTC 
selinux-policy-3.9.7-7.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.