Bug 729980

Summary: SELinux is preventing /bin/mount from 'remove_name' accesses on the directory mtab~1948.
Product: Fedora
Reporter: lazeroptyx
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dominick.grift, dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:863678f847a3b4835f2c64f88f1992ea3de53cfc1c2ca3fb05c7729d44cd3252
Fixed In Version: selinux-policy-3.9.7-46.fc14
Doc Type: Bug Fix
Last Closed: 2011-10-30 00:34:07 UTC

Description lazeroptyx 2011-08-11 13:02:56 UTC
SELinux is preventing /bin/mount from 'remove_name' accesses on the directory mtab~1948.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow mount to have remove_name access on the mtab~1948 directory
Then you need to change the label on mtab~1948
Do
# semanage fcontext -a -t FILE_TYPE 'mtab~1948'
where FILE_TYPE is one of the following: var_t, abrt_var_cache_t. 
Then execute: 
restorecon -v 'mtab~1948'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that mount should be allowed remove_name access on the mtab~1948 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                mtab~1948 [ dir ]
Source                        mount
Source Path                   /bin/mount
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.18-4.8.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-42.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-92.fc14.i686.PAE #1 SMP Sat
                              May 21 17:33:09 UTC 2011 i686 i686
Alert Count                   1
First Seen                    jeu. 11 août 2011 14:59:04 CEST
Last Seen                     jeu. 11 août 2011 14:59:04 CEST
Local ID                      a733afcc-e861-4b43-9410-18111437f8b7

Raw Audit Messages
type=AVC msg=audit(1313067544.460:23198): avc:  denied  { remove_name } for  pid=1948 comm="mount" name="mtab~1948" dev=sda7 ino=7000 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

type=AVC msg=audit(1313067544.460:23198): avc:  denied  { unlink } for  pid=1948 comm="mount" name="mtab~1948" dev=sda7 ino=7000 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

type=SYSCALL msg=audit(1313067544.460:23198): arch=i386 syscall=unlink success=yes exit=0 a0=bfe4e58d a1=d a2=e884f8 a3=0 items=0 ppid=1947 pid=1948 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)

Hash: mount,abrt_helper_t,etc_t,dir,remove_name

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t etc_t:dir remove_name;
allow abrt_helper_t etc_t:file unlink;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t etc_t:dir remove_name;
allow abrt_helper_t etc_t:file unlink;
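As an added illustration (not code from this bug report, nor from setroubleshoot or audit2allow), the following Python script derives the same two allow rules from the raw AVC records in the description and flags that both would widen a domain's ability to delete etc_t objects, the broad label covering most of /etc, which is why a file-context change for the mtab temp file is the narrower fix. The parsing regexes, the DESTRUCTIVE permission set and the `too_broad` helper are assumptions of this example, not part of the SELinux tooling.

```python
import re
from collections import OrderedDict
# The two AVC records copied from this bug's "Raw Audit Messages" section.
AVC_LINES = [
    'type=AVC msg=audit(1313067544.460:23198): avc:  denied  { remove_name } for  pid=1948 comm="mount" name="mtab~1948" dev=sda7 ino=7000 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1313067544.460:23198): avc:  denied  { unlink } for  pid=1948 comm="mount" name="mtab~1948" dev=sda7 ino=7000 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the pieces audit2allow needs from one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; a type-enforcement rule only needs the type.
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'], 'name': fields.get('name', '')}

def allow_rules(lines):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = OrderedDict()
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] != 'denied':
            continue
        perms = grouped.setdefault((rec['stype'], rec['ttype'], rec['tclass']), [])
        perms.extend(p for p in rec['perms'] if p not in perms)
    return ['allow %s %s:%s %s;' % (s, t, c, perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms))
            for (s, t, c), perms in grouped.items()]

# etc_t labels most of /etc, so letting a domain delete etc_t objects is far wider than
# the one mount temp file that needs it; a narrower fix is relabelling that file.
DESTRUCTIVE = {'unlink', 'remove_name', 'rename', 'write', 'create', 'add_name', 'setattr'}

def too_broad(lines, broad_types=('etc_t',)):
    """Denied (stype, ttype, tclass, perm) tuples that would widen access to a broad type."""
    return [(r['stype'], r['ttype'], r['tclass'], p)
            for r in filter(None, map(parse_avc, lines))
            if r['result'] == 'denied' and r['ttype'] in broad_types
            for p in r['perms'] if p in DESTRUCTIVE]

if __name__ == '__main__':
    print('\n'.join(allow_rules(AVC_LINES)))
    for hit in too_broad(AVC_LINES):
        print('widens %s: %s' % (hit[1], hit))
```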

Comment 1 Daniel Walsh 2011-08-11 15:48:10 UTC
Let's change the label to
/etc/mtab.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)

In RHEL6, F14-Rawhide.

Comment 2 Miroslav Grepl 2011-08-12 21:23:04 UTC
Added to RHEL6.

Comment 3 Fedora Update System 2011-10-20 11:58:10 UTC
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

Comment 4 Fedora Update System 2011-10-22 08:21:25 UTC
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-10-30 00:34:07 UTC
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.