Bug 852763

Summary: root can't mount any file via loop device with enforcing mls policy
Product: Red Hat Enterprise Linux 6
Reporter: Andrey Alekseenkov <alekseenkov>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: high
Version: 6.1
CC: alekseenkov, dwalsh, ebenes, mmalik, mtruneck
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-172.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-02-21 08:28:25 UTC

Description Andrey Alekseenkov 2012-08-29 14:10:46 UTC
Description of problem:

Root (or any other user) can't mount any file via loop device with enforcing mls policy enabled

Version-Release number of selected component (if applicable):

selinux-policy-mls-3.7.19-93.el6

How reproducible: always

Steps to Reproduce:
1. create image file
# dd if=/dev/zero of=/opt/fat.img bs=1024 count=1024
2. make filesystem
# mkfs -t vfat /opt/fat.img
3. set selinux boolean to allow mounting any file
# setsebool allow_mount_anyfile 1
4. change selinux to enforcing mode
# setenforce 1
5. try to mount filesystem
# mount -t vfat -o loop /opt/fat.img /mnt
  
Actual results:

mount: /dev/loop0: unable to read superblock

Expected results:

successful mount to /mnt directory

Additional info:

1. audit2allow produces a constraint rule:

require {
	type kernel_t;
	type mount_t;
	class fd use;
}

#============= kernel_t ==============
# src="kernel_t" tgt="mount_t" class="fd", perms="use"
# comm="loop0" exe="" path=""
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow kernel_t mount_t:fd use;

2. audit.log shows avc message:

type=AVC msg=audit(1346248387.953:27019): avc:  denied  { use } for  pid=2431 comm="loop0" path="/opt/fat.img" dev=dm-0 ino=19584 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=root:sysadm_r:mount_t:s0-s15:c0.c1023 tclass=fd

Comment 2 Andrey Alekseenkov 2012-08-30 06:13:37 UTC
The same situation is happening in RHEL 6.3 with selinux-policy-mls-3.7.19-155.el6

Comment 3 Milos Malik 2012-08-30 10:05:00 UTC
Still the same even if the following commands were executed before mount:

setsebool allow_mount_anyfile 1
setsebool allow_domain_fd_use 1

audit2allow says that the AVC is a constraint violation.

Comment 4 Miroslav Grepl 2012-09-03 07:16:00 UTC
It should work with

mls_fd_use_all_levels(kernel_t)

Comment 5 Andrey Alekseenkov 2012-09-03 14:46:57 UTC
Yes, it works now. Thanks.

Comment 6 Miroslav Grepl 2012-10-09 20:38:38 UTC
Fixed.

Comment 9 Michal Trunecka 2012-10-12 13:01:10 UTC
Under MLS I am unable to make filesystem in the file:

# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# mkfs -t vfat /opt/fat2.img
mkfs.vfat 3.0.9 (31 Jan 2010)
mkfs.vfat: unable to open /opt/fat2.img

selinux-policy-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch
util-linux-ng-2.17.2-12.7.el6.x86_64

----
time->Fri Oct 12 13:55:36 2012
type=PATH msg=audit(1350042936.073:105): item=0 name="/opt/fat2.img" inode=134208 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:usr_t:s0
type=CWD msg=audit(1350042936.073:105):  cwd="/root"
type=SYSCALL msg=audit(1350042936.073:105): arch=c000003e syscall=2 success=no exit=-13 a0=7fff05b1d7bf a1=82 a2=7f86b9cc7ed8 a3=7fff05b1b1d0 items=1 ppid=2005 pid=2023 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="mkfs.vfat" exe="/sbin/mkdosfs" subj=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1350042936.073:105): avc:  denied  { write } for  pid=2023 comm="mkfs.vfat" name="fat2.img" dev=dm-0 ino=134208 scontext=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file
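The two AVC records in this report fail for different reasons: the `fd use` denial from the description is an MLS constraint violation (kernel_t runs at the single level s15:c0.c1023 while the mount_t descriptor's low level is s0), whereas the `file write` denial above is an ordinary type-enforcement denial at matching levels. The script below is an added example, not part of the bug report or of selinux-policy: it parses both records, compares the low levels of source and target, and evaluates the `fd use` MLS constraint. The constraint shape it encodes, `(l1 eq l2) or ((t1 == mlsfduse) and (l1 dom l2)) or (t1 == mlsfdshare) or (t2 == mlsfdshare)`, is quoted from memory of the reference policy's mls file and should be checked against your policy source; `mls_fd_use_all_levels()` is the interface that adds the `mlsfduse` attribute, which is why the fix in comment 4 satisfies the second clause.

```python
"""Classify SELinux AVC denials as MLS-constraint vs. plain type-enforcement (added example)."""
import re

# Both records below are copied from this bug report (description and comment 9).
AVC_FD_USE = (
    'type=AVC msg=audit(1346248387.953:27019): avc:  denied  { use } for  pid=2431 '
    'comm="loop0" path="/opt/fat.img" dev=dm-0 ino=19584 '
    'scontext=system_u:system_r:kernel_t:s15:c0.c1023 '
    'tcontext=root:sysadm_r:mount_t:s0-s15:c0.c1023 tclass=fd'
)
AVC_FILE_WRITE = (
    'type=AVC msg=audit(1350042936.073:105): avc:  denied  { write } for  pid=2023 '
    'comm="mkfs.vfat" name="fat2.img" dev=dm-0 ino=134208 '
    'scontext=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file'
)


def parse_avc(record):
    """Split an AVC record into its key=value fields and the list of denied permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    perms = re.search(r'\{\s*([^}]*)\}', record).group(1).split()
    return fields, perms


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset of category numbers).

    Categories are a comma-separated list of single cN entries or cA.cB ranges."""
    sens, _, cats = level.partition(':')
    categories = set()
    for item in filter(None, cats.split(',')):
        lo, _, hi = item.partition('.')
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        categories.update(range(start, end + 1))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, low_level, high_level)."""
    _user, _role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return typ, parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS 'dom': higher-or-equal sensitivity and a superset of the categories."""
    return a[0] >= b[0] and b[1] <= a[1]


def fd_use_constraint(l1, l2, t1_attrs=(), t2_attrs=()):
    """mlsconstrain fd use, as recalled from the reference policy (assumption; verify locally):
    (l1 eq l2) or ((t1 == mlsfduse) and (l1 dom l2)) or (t1 == mlsfdshare) or (t2 == mlsfdshare)."""
    return (l1 == l2
            or ('mlsfduse' in t1_attrs and dominates(l1, l2))
            or 'mlsfdshare' in t1_attrs
            or 'mlsfdshare' in t2_attrs)


def classify(record):
    """Heuristic: an fd-use denial whose low levels fail the MLS constraint is reported as
    'mls_constraint' (with whether adding mlsfduse to the source type would pass);
    everything else is reported as an ordinary 'type_enforcement' denial."""
    fields, perms = parse_avc(record)
    stype, slow, _ = parse_context(fields['scontext'])
    ttype, tlow, _ = parse_context(fields['tcontext'])
    result = {'source': stype, 'target': ttype, 'tclass': fields['tclass'], 'perms': perms}
    if fields['tclass'] == 'fd' and 'use' in perms and not fd_use_constraint(slow, tlow):
        result['kind'] = 'mls_constraint'
        result['mlsfduse_would_allow'] = fd_use_constraint(slow, tlow, t1_attrs=('mlsfduse',))
    else:
        result['kind'] = 'type_enforcement'
    return result


if __name__ == '__main__':
    for rec in (AVC_FD_USE, AVC_FILE_WRITE):
        print(classify(rec))
```

Run against the two records, the first is reported as an MLS constraint failure that `mlsfduse` on kernel_t would satisfy (s15:c0.c1023 dominates s0), and the second as a type-enforcement denial, which matches audit2allow's verdict in the description and Dan Walsh's explanation in the next comment.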

Comment 10 Daniel Walsh 2012-10-12 13:10:06 UTC
Well, fsadm_t, which mkfs.vfat runs as, is not allowed to create images in random directories.  I guess we can either remove the transition from sysadm_t to fsadm_t or allow fsadm_t to write to random locations.

Comment 11 Miroslav Grepl 2012-10-15 18:57:42 UTC
I removed the transition.

Comment 14 errata-xmlrpc 2013-02-21 08:28:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html