Bug 1161601 - selinux breaks pam_mount umounting from gdm
Summary: selinux breaks pam_mount umounting from gdm
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_mount
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Till Maas
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-11-07 13:08 UTC by Till Maas
Modified: 2019-12-03 19:00 UTC (History)

Fixed In Version: pam_mount-2.14-4.fc20
Clone Of:
Environment:
Last Closed: 2014-12-12 04:16:33 UTC
Type: Bug
Embargoed:



Description Till Maas 2014-11-07 13:08:19 UTC
Version:
selinux-policy-3.12.1-192.fc20.noarch

AVCs:
type=AVC msg=audit(1415363347.186:393): avc:  denied  { read } for
pid=3297 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=0  


type=SYSCALL msg=audit(1415363347.186:393): arch=x86_64 syscall=open   
success=no exit=EACCES a0=4067dc a1=0 a2=1b6 a3=7fffacb2a070 items=0
ppid=2606 pid=3297 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0
egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=2 comm=umount.crypt
exe=/usr/sbin/mount.crypt subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)

type=AVC msg=audit(1415200701.447:717): avc:  denied  { search } for
pid=3019 comm="login" name="mount" dev="tmpfs" ino=9273
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1415200701.447:717): arch=x86_64 syscall=stat
success=no exit=EACCES a0=7f2f62c49bc0 a1=7fff3677bfa0 a2=7fff3677bfa0
a3=0 items=0 ppid=1 pid=3019 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm=login
exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
key=(null)
----
time->Fri Nov  7 13:38:56 2014
type=PROCTITLE msg=audit(1415363936.988:431): proctitle=67646D2D73657373696F6E2D776F726B6572205B70616D2F67646D2D70617373776F72645D
type=SYSCALL msg=audit(1415363936.988:431): arch=c000003e syscall=6 success=yes exit=0 a0=7faf966c2bc0 a1=7fff5338c490 a2=7fff5338c490 a3=0 items=0 ppid=3893 pid=4140 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363936.988:431): avc:  denied  { getattr } for  pid=4140 comm="gdm-session-wor" path="/run/mount/utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:38:56 2014
type=PROCTITLE msg=audit(1415363936.991:432): proctitle=67646D2D73657373696F6E2D776F726B6572205B70616D2F67646D2D70617373776F72645D
type=SYSCALL msg=audit(1415363936.991:432): arch=c000003e syscall=2 success=yes exit=13 a0=7faf966c2bc0 a1=80042 a2=1a4 a3=0 items=0 ppid=3893 pid=4140 auid=4294967295 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363936.991:432): avc:  denied  { open } for  pid=4140 comm="gdm-session-wor" path="/run/mount/utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363936.991:432): avc:  denied  { read write } for  pid=4140 comm="gdm-session-wor" name="utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.926:441): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.926:441): arch=c000003e syscall=2 success=yes exit=3 a0=4067dc a1=0 a2=1b6 a3=7fff77618bf0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.926:441): avc:  denied  { open } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363955.926:441): avc:  denied  { read } for  pid=4819 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.926:442): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.926:442): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7fff77618e80 a3=7fff77618bf0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.926:442): avc:  denied  { lock } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.926:443): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.926:443): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff77618880 a2=7fff77618880 a3=0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.926:443): avc:  denied  { getattr } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:15 2014
type=PROCTITLE msg=audit(1415363955.927:444): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363955.927:444): arch=c000003e syscall=2 success=yes exit=3 a0=4067dc a1=2 a2=1b6 a3=0 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363955.927:444): avc:  denied  { write } for  pid=4819 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.261:445): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.261:445): arch=c000003e syscall=4 success=yes exit=0 a0=7fff77617970 a1=7fff776178e0 a2=7fff776178e0 a3=7fff77617670 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.261:445): avc:  denied  { getattr } for  pid=4819 comm="umount.crypt" path="/dev/mapper/control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.261:446): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.261:446): arch=c000003e syscall=2 success=yes exit=3 a0=7fff77617970 a1=2 a2=0 a3=7fff77617670 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.261:446): avc:  denied  { open } for  pid=4819 comm="umount.crypt" path="/dev/mapper/control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1415363956.261:446): avc:  denied  { read write } for  pid=4819 comm="umount.crypt" name="control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.262:447): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.262:447): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=c138fd00 a2=bd5560 a3=7fff77618770 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.262:447): avc:  denied  { ioctl } for  pid=4819 comm="umount.crypt" path="/dev/mapper/control" dev="devtmpfs" ino=1221 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Fri Nov  7 13:39:16 2014
type=PROCTITLE msg=audit(1415363956.262:448): proctitle=756D6F756E742E6372797074002F686F6D652F
type=SYSCALL msg=audit(1415363956.262:448): arch=c000003e syscall=66 success=yes exit=0 a0=0 a1=0 a2=13 a3=7fff77618c40 items=0 ppid=4140 pid=4819 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="umount.crypt" exe="/usr/sbin/mount.crypt" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1415363956.262:448): avc:  denied  { ipc_info } for  pid=4819 comm="umount.crypt" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
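To make the denials above easier to triage, here is an added example (not from the bug report, pam_mount or selinux-policy) that parses AVC and PROCTITLE audit records: it decodes the hex-encoded proctitle into argv, groups denials into (source type, target type, class) → permissions the way audit2allow's summary does, and counts how many denials were actually enforced (permissive=0). The sample records are constructed by copying a few lines from this report; the function and regex names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of records in the shape of the ones in this report
# (one enforced denial with permissive=0, several permissive=1 ones, one PROCTITLE).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1415363955.926:441): proctitle=756D6F756E742E6372797074002F686F6D652F
type=AVC msg=audit(1415363955.926:441): avc:  denied  { open } for  pid=4819 comm="umount.crypt" path="/run/cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363955.926:441): avc:  denied  { read } for  pid=4819 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363936.991:432): avc:  denied  { read write } for  pid=4140 comm="gdm-session-wor" name="utab" dev="tmpfs" ino=1699 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415363347.186:393): avc:  denied  { read } for pid=3297 comm="umount.crypt" name="cmtab" dev="tmpfs" ino=25814 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path, name) or bare (contexts).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# proctitle is either a quoted printable string or hex-encoded argv with NUL separators.
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(\d+)\): proctitle=(?:"([^"]*)"|([0-9A-Fa-f]+))$'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
        'target': fields.get('path') or fields.get('name'),  # absent for e.g. tclass=system
    }


def selinux_type(context):
    """user:role:type:range -> type, e.g. system_u:system_r:xdm_t:s0-s0:c0.c1023 -> xdm_t."""
    return context.split(':')[2]


def proctitles(text):
    """Map audit serial -> argv list from PROCTITLE records, for correlating with AVCs of the same serial."""
    out = {}
    for line in text.splitlines():
        m = PROCTITLE_RE.match(line.strip())
        if not m:
            continue
        serial, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        if quoted is not None:
            out[serial] = [quoted]
        else:
            out[serial] = bytes.fromhex(hexed).decode('utf-8', 'replace').split('\0')
    return out


def summarize(text):
    """Group denials by (source type, target type, class) into the union of denied permissions.

    Returns (rules, enforced) where enforced counts denials with permissive=0, i.e. the
    ones that actually failed the caller (the permissive=1 records only show what *would* fail).
    """
    rules = defaultdict(set)
    enforced = 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        rules[key] |= rec['perms']
        if not rec['permissive']:
            enforced += 1
    return dict(rules), enforced


def format_rules(rules):
    """Render the grouped denials as allow rules, in the style of an audit2allow summary."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    rules, enforced = summarize(SAMPLE_AUDIT)
    for rule in format_rules(rules):
        print(rule)
    print(f"{enforced} denial(s) were enforced (permissive=0)")
    for serial, argv in sorted(proctitles(SAMPLE_AUDIT).items()):
        print(serial, ' '.join(argv))
```

The rendered allow rules are a summary of what the policy would have to grant, not a recommendation to grant it: here they would hand the display manager's domain (xdm_t) read/write access to LVM and mount runtime state, and the fix this bug actually took was to change pam_mount so that the umount runs through plain umount instead of umount.crypt in the xdm_t domain. Decoding the proctitle is what shows that the denied process was `umount.crypt /home/`.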

Comment 1 Miroslav Grepl 2014-11-07 15:34:07 UTC
Dominick,
have we ever had a discussion on this issue, or am I wrong?

Comment 2 Miroslav Grepl 2014-11-07 15:40:16 UTC
I thought we had changed pam_mount to execute /bin/umount rather than /bin/umount.crypt?

Comment 3 Till Maas 2014-11-07 16:12:45 UTC
(In reply to Miroslav Grepl from comment #2)
> I thought we had changed pam_mount to execute /bin/umount rather than
> /bin/umount.crypt?

It seems that this was reverted by upstream when utab support became a requirement to get umount call umount.crypt.

Comment 4 Jan Pazdziora (Red Hat) 2014-11-11 13:07:28 UTC
What pam_mount.conf.xml do you use? I upgraded to the latest selinux-policy-3.12.1-193.fc20 and I do not see any AVC denial. On the other hand, I'm struggling with bug 1086822 even with older selinux-policy, and I assume that in my case the attempt to umount does not even happen.

What is your exact configuration that allows you to trigger the issue?

Comment 5 Till Maas 2014-11-26 20:02:20 UTC
I prepared an initial patch for pam_mount to get plain umount working again. I just submitted it upstream for review.

Comment 6 Fedora Update System 2014-11-28 10:31:26 UTC
pam_mount-2.14-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/pam_mount-2.14-4.fc19

Comment 7 Fedora Update System 2014-11-28 10:31:33 UTC
pam_mount-2.14-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam_mount-2.14-4.fc20

Comment 8 Fedora Update System 2014-11-28 10:31:40 UTC
pam_mount-2.14-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/pam_mount-2.14-4.fc21

Comment 9 Fedora Update System 2014-11-29 21:00:00 UTC
Package pam_mount-2.14-4.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_mount-2.14-4.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15949/pam_mount-2.14-4.fc21
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-12-12 04:16:33 UTC
pam_mount-2.14-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-12-12 04:21:21 UTC
pam_mount-2.14-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-12-12 04:28:35 UTC
pam_mount-2.14-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

