Bug 1167759 - selinux denies pam_mount to mount home on Fedora 21
Summary: selinux denies pam_mount to mount home on Fedora 21
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-11-25 11:17 UTC by Jan Safranek
Modified: 2015-01-30 23:55 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:55:26 UTC
Type: Bug



Description Jan Safranek 2014-11-25 11:17:45 UTC
SELinux prevents pam_mount from mounting my home directory on login. I tried both kdm and console login (/usr/bin/login?).

$ ausearch -m AVC -ts today

----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.047:1076): proctitle="-:0"
type=SYSCALL msg=audit(1416909698.047:1076): arch=c000003e syscall=4 success=yes exit=0 a0=7f1d00f97749 a1=7fff83d463b0 a2=7fff83d463b0 a3=0 items=0 ppid=951 pid=1523 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.047:1076): avc:  denied  { getattr } for  pid=1523 comm="kdm" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.049:1077): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416909698.049:1077): arch=c000003e syscall=59 success=yes exit=0 a0=7fff83d464bc a1=7f1d0726c460 a2=7f1d07266750 a3=7f1d049522c0 items=0 ppid=1523 pid=2940 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.049:1077): avc:  denied  { entrypoint } for  pid=2940 comm="kdm" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.716:1517): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912773.716:1517): arch=c000003e syscall=4 success=yes exit=0 a0=7f7ab43c9749 a1=7fffb8a41cd0 a2=7fffb8a41cd0 a3=0 items=0 ppid=1 pid=4784 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.716:1517): avc:  denied  { getattr } for  pid=4784 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.717:1518): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912773.717:1518): arch=c000003e syscall=59 success=yes exit=0 a0=7fffb8a41ddc a1=14f5fd0 a2=14f0560 a3=7f7ab5637310 items=0 ppid=4784 pid=4802 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.717:1518): avc:  denied  { entrypoint } for  pid=4802 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:53:47 2014
type=PROCTITLE msg=audit(1416912827.262:1536): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912827.262:1536): arch=c000003e syscall=4 success=yes exit=0 a0=7f1c26633749 a1=7fff8ffbcfc0 a2=7fff8ffbcfc0 a3=0 items=0 ppid=1 pid=5017 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912827.262:1536): avc:  denied  { getattr } for  pid=5017 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:53:47 2014
type=PROCTITLE msg=audit(1416912827.262:1537): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912827.262:1537): arch=c000003e syscall=59 success=yes exit=0 a0=7fff8ffbd0cc a1=aa4fd0 a2=a9f560 a3=7f1c278a1310 items=0 ppid=5017 pid=5033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912827.262:1537): avc:  denied  { entrypoint } for  pid=5033 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1


I updated my Fedora from 20 to 21 and relabeled all files.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-92.fc21.noarch.

Additional info:
It's somewhat related to the following bugs:
#998129 - here the reporter on F20 sees some errors, but his home is mounted. My home is not mounted.
#1009668 - here the denied program runs as user_t / staff_t. My kdm runs as xdm_t and login runs as local_login_t. Somewhere in the process these contexts are lost and unconfined_t tries to exec /usr/bin/mount.
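
The records quoted above carry enough to reconstruct what happened without running audit2allow. The following Python is an example added here; it is not part of the bug report or of the selinux-policy project. It groups the quoted ausearch output by audit serial number, decodes the hex-encoded proctitle back into the mount argv, pairs each entrypoint denial with its parent process via the ppid/pid fields to show the hand-off from the login domain to unconfined_t that the reporter describes, and prints the literal allow rule audit2allow would emit for each record. All function names are the example's own; the sample input is four of the page's records embedded verbatim.

```python
import re
from collections import defaultdict

# Constructed input: four of the ausearch records quoted in this bug
# (serials 1076/1077 from the kdm login, 1517/1518 from the console login).
SAMPLE_AUSEARCH = """\
----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.047:1076): proctitle="-:0"
type=SYSCALL msg=audit(1416909698.047:1076): arch=c000003e syscall=4 success=yes exit=0 a0=7f1d00f97749 a1=7fff83d463b0 a2=7fff83d463b0 a3=0 items=0 ppid=951 pid=1523 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.047:1076): avc:  denied  { getattr } for  pid=1523 comm="kdm" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.049:1077): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416909698.049:1077): arch=c000003e syscall=59 success=yes exit=0 a0=7fff83d464bc a1=7f1d0726c460 a2=7f1d07266750 a3=7f1d049522c0 items=0 ppid=1523 pid=2940 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.049:1077): avc:  denied  { entrypoint } for  pid=2940 comm="kdm" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.716:1517): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912773.716:1517): arch=c000003e syscall=4 success=yes exit=0 a0=7f7ab43c9749 a1=7fffb8a41cd0 a2=7fffb8a41cd0 a3=0 items=0 ppid=1 pid=4784 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.716:1517): avc:  denied  { getattr } for  pid=4784 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.717:1518): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912773.717:1518): arch=c000003e syscall=59 success=yes exit=0 a0=7fffb8a41ddc a1=14f5fd0 a2=14f0560 a3=7f7ab5637310 items=0 ppid=4784 pid=4802 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.717:1518): avc:  denied  { entrypoint } for  pid=4802 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(raw):
    """auditd prints proctitle quoted when argv is one printable token and
    hex-encoded when it contains NUL separators; the NULs are the argv
    boundaries, so splitting on them recovers the original argv list."""
    raw = raw.strip()
    if raw.startswith('"'):
        return [raw.strip('"')]
    return bytes.fromhex(raw).decode("utf-8", "replace").split("\x00")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_ausearch(text):
    """Group `ausearch -m AVC` output into one dict per audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:  # "----" separators and "time->" lines carry no msg=audit()
            continue
        ev = events[int(m.group("serial"))]
        ev["time"] = float(m.group("ts"))
        rectype = line.split(" ", 1)[0].split("=", 1)[1]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rectype == "PROCTITLE":
            ev["argv"] = decode_proctitle(line.split("proctitle=", 1)[1])
        elif rectype == "SYSCALL":
            ev.update(pid=int(fields["pid"]), ppid=int(fields["ppid"]),
                      comm=fields["comm"], exe=fields["exe"], subj=fields["subj"])
        elif rectype == "AVC":
            a = AVC_RE.search(line)
            ev.update(denied=a.group("result") == "denied",
                      perms=a.group("perms").split(),
                      scontext=fields["scontext"], tcontext=fields["tcontext"],
                      tclass=fields["tclass"], path=fields.get("path", ""),
                      permissive=fields.get("permissive") == "1")
    return dict(events)


def allow_rule(ev):
    """The literal rule audit2allow would emit for one denial (source type,
    target type, class, permissions). Readable, but not always the right fix."""
    return "allow {} {}:{} {{ {} }};".format(
        context_type(ev["scontext"]), context_type(ev["tcontext"]),
        ev["tclass"], " ".join(ev["perms"]))


def lost_transitions(events):
    """Pair each entrypoint denial with the parent that spawned it (child ppid
    matched against another record's pid) to show where confinement was lost:
    (parent domain, parent comm, child domain, child executable)."""
    by_pid = {ev["pid"]: ev for ev in events.values() if "pid" in ev}
    chain = []
    for ev in events.values():
        if "entrypoint" not in ev.get("perms", ()):
            continue
        parent = by_pid.get(ev["ppid"])
        chain.append((context_type(parent["subj"]) if parent else "?",
                      parent["comm"] if parent else "?",
                      context_type(ev["subj"]), ev["exe"]))
    return chain


if __name__ == "__main__":
    evs = parse_ausearch(SAMPLE_AUSEARCH)
    for serial, ev in evs.items():
        print(serial, ev["comm"], ev["argv"], "->", allow_rule(ev))
    for parent_dom, parent_comm, child_dom, exe in lost_transitions(evs):
        print(f"{parent_comm} ({parent_dom}) spawned {exe} running as {child_dom}")
```

Two things worth reading off the output. Every record carries permissive=1, meaning the kernel logged these accesses but did not refuse them on that run; in enforcing mode the same accesses would be denied outright. And the allow rules this prints are what a local audit2allow module would grant; granting `entrypoint` on mount_exec_t to unconfined_t papers over the lost transition rather than restoring it, which is why the remedy for this bug is the updated policy package rather than a local module.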

Comment 1 Daniel Walsh 2015-01-02 14:57:30 UTC
a8041e60fdc0a38ae58991fc707ae9af8cdb7524 fixes this in git.

Comment 2 Fedora Update System 2015-01-27 16:50:07 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 3 Fedora Update System 2015-01-30 04:32:59 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-01-30 23:55:26 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

