Bug 121479 - Settings for /sbin/mount.smbfs (and /sbin/mount.smb) not correct?
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Russell Coker
QA Contact: Ben Levenson
Reported: 2004-04-21 21:12 EDT by Tom London
Modified: 2007-11-30 17:10 EST

Last Closed: 2004-08-30 10:01:07 EDT
Description Tom London 2004-04-21 21:12:16 EDT

Description of problem:
ls -ldZ /bin/mount yields:
-rwsr-xr-x+ root     root     system_u:object_r:mount_exec_t   /bin/mount

ls -ldZ /sbin/mount.smbfs yields:
lrwxrwxrwx+ root     root     system_u:object_r:sbin_t         mount.smbfs -> ../usr/bin/smbmount

ls -ldZ /usr/bin/smbmount yields:
-rwxr-xr-x+ root     root     system_u:object_r:bin_t          /usr/bin/smbmount

Attempting to do an smbmount via "mount -t smbfs ...." fails, but the
equivalent "smbmount ...." succeeds.

Here's the report in /var/log/messages:
Apr 21 17:59:39 fedora kernel: audit(1082595579.522:0): avc:  denied  { read } for  pid=15390 exe=/bin/mount name=mount.smbfs dev=hdb3 ino=4898829 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:sbin_t tclass=lnk_file
Apr 21 17:59:39 fedora kernel: smbfs: mount_data version 1919251317 is not supported

So, "enforcing" appears to be preventing the symbolic link
"/sbin/mount.smbfs" from being read.


Version-Release number of selected component (if applicable):
policy-1.11.2-13

How reproducible:
Always

Steps to Reproduce:
1. enforcing==1, "mount -t smbfs ...."
2. enforcing==1, "smbmount ..."

Actual Results:  mount fails, smbmount succeeds

Additional info:
Comment 1 Daniel Walsh 2004-04-22 14:02:47 EDT
Fixed in policy-1.11-17
Comment 2 Tom London 2004-05-06 00:55:07 EDT
I retested with policy-1.11.2-21, and it still fails.

I just did a 'big' update that included kernel-2.6.5-1.350 and
policy-1.11.2.21.  Prior to that, I was running kernel-2.6.5-1.332.
When the update completed, I did a 'telinit 1', 'fixfiles relabel',
and rebooted.

With the system up and running with 'enforcing==1', I see different
messages in /var/log/messages than before.

Here are the messages from /var/log/messages:
May  5 21:49:20 fedora kernel: audit(1083818960.516:0): avc:  denied  { getattr } for  pid=2480 exe=/bin/mount path=/usr/bin/smbmount dev=hdb3 ino=2679746 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file
May  5 21:49:20 fedora kernel: smb_fill_super: missing data argument

Notice the 'getattr' failure now, where it previously failed with 'read'.
Comment 3 Tom London 2004-05-20 19:56:07 EDT
Tested on freshly installed FC2.  Still fails.  Here's the avc from
/var/log/messages:

May 20 16:49:42 dell kernel: audit(1085096982.380:0): avc:  denied  { getattr } for  pid=3639 exe=/bin/mount path=/usr/bin/smbmount dev=hdb3 ino=1007794 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file

When I run smbmount directly, I get no such message.

[I get a similar message if I try to run 'mount -t cifs ....':

May 20 16:53:21 dell kernel: audit(1085097201.061:0): avc:  denied  { getattr } for  pid=3663 exe=/bin/mount path=/sbin/mount.cifs dev=hdb3 ino=1212631 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:sbin_t tclass=file

Since mount runs these through links (/sbin/mount.smb, etc.), could
the labelling code fail for links?]
Comment 4 Daniel Walsh 2004-06-14 17:08:38 EDT
Could you run this in non-enforcing mode and put in the AVC messages?
Comment 5 Tom London 2004-06-14 18:44:05 EDT
OK.  Here are most of the AVCs from a machine running
kernel-2.6.6-1.435, policy-1.11.3-3.  (sysklogd is not functioning on
the machine running selinux-policy-strict-1.13.4-5.  I get no AVCs (or
other log messages!) there.  Let me know if you need me to rerun when
logging starts working again.)

First, do 'mount -t smbfs //hostname/dirname /mnt/hostname':

Jun 14 15:35:50 fedora kernel: audit(1087252550.028:0): avc:  denied  { getattr } for  pid=4801 exe=/bin/mount path=/usr/bin/smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file
Jun 14 15:35:50 fedora kernel: smb_fill_super: missing data argument

Now do 'setenforce 0':

Jun 14 15:36:01 fedora kernel: audit(1087252561.913:0): avc:  granted  { setenforce } for  pid=4804 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security

Now repeat 'mount -t smbfs //hostname/dirname /mnt/hostname':

Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { getattr } for  pid=4805 exe=/bin/mount path=/usr/bin/smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file
Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { setuid } for  pid=4806 exe=/bin/mount capability=7 scontext=root:sysadm_r:mount_t tcontext=root:sysadm_r:mount_t tclass=capability
Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { setgid } for  pid=4806 exe=/bin/mount capability=6 scontext=root:sysadm_r:mount_t tcontext=root:sysadm_r:mount_t tclass=capability
Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { execute } for  pid=4806 exe=/bin/mount name=smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file
Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { execute_no_trans } for  pid=4806 exe=/bin/mount path=/usr/bin/smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file
Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { read } for  pid=4806 exe=/bin/mount path=/usr/bin/smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file
Jun 14 15:36:05 fedora kernel: audit(1087252565.011:0): avc:  denied  { getattr } for  pid=4806 exe=/usr/bin/smbmount path=/etc/samba/smb.conf dev=hda2 ino=4474034 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_etc_t tclass=file
Jun 14 15:36:05 fedora kernel: audit(1087252565.012:0): avc:  denied  { read } for  pid=4806 exe=/usr/bin/smbmount name=smb.conf dev=hda2 ino=4474034 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_etc_t tclass=file
Jun 14 15:36:05 fedora kernel: audit(1087252565.241:0): avc:  denied  { read write } for  pid=4806 exe=/usr/bin/smbmount name=gencache.tdb dev=hda2 ino=4474970 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_var_t tclass=file
Jun 14 15:36:05 fedora kernel: audit(1087252565.241:0): avc:  denied  { lock } for  pid=4806 exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=hda2 ino=4474970 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_var_t tclass=file
Jun 14 15:36:05 fedora kernel: audit(1087252565.251:0): avc:  denied  { getattr } for  pid=4806 exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=hda2 ino=4474970 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_var_t tclass=file
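Added example, not code from this bug or from Fedora's policy tooling: a small Python parser for the kernel AVC record format quoted in the description and in Comment 5, which groups the permissive-mode denials by source type, target type and object class and emits audit2allow-style candidate rules. The sample records are the bug's own AVC lines rejoined onto one line each (an assumption of the parser); the output is a review aid, since a denial such as the `read` on the `sbin_t`-labelled symlink in the description points at a labelling problem, not a missing rule.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from this bug, re-joined onto one line each.
SAMPLE_LOG = [
    "Jun 14 15:36:01 fedora kernel: audit(1087252561.913:0): avc:  granted  { setenforce } for  pid=4804 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security",
    "Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { getattr } for  pid=4805 exe=/bin/mount path=/usr/bin/smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file",
    "Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { setuid } for  pid=4806 exe=/bin/mount capability=7 scontext=root:sysadm_r:mount_t tcontext=root:sysadm_r:mount_t tclass=capability",
    "Jun 14 15:36:04 fedora kernel: audit(1087252564.759:0): avc:  denied  { execute } for  pid=4806 exe=/bin/mount name=smbmount dev=hda2 ino=4120682 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:bin_t tclass=file",
    "Jun 14 15:36:05 fedora kernel: audit(1087252565.012:0): avc:  denied  { read } for  pid=4806 exe=/usr/bin/smbmount name=smb.conf dev=hda2 ino=4474034 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_etc_t tclass=file",
    "Jun 14 15:36:05 fedora kernel: audit(1087252565.241:0): avc:  denied  { read write } for  pid=4806 exe=/usr/bin/smbmount name=gencache.tdb dev=hda2 ino=4474970 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_var_t tclass=file",
    "Jun 14 15:36:05 fedora kernel: audit(1087252565.241:0): avc:  denied  { lock } for  pid=4806 exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=hda2 ino=4474970 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:samba_var_t tclass=file",
    "Jun 14 15:36:04 fedora kernel: smb_fill_super: missing data argument",
]

# One AVC record: "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one AVC record (verdict, perms, key=value fields), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec

def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]

def allow_rules(lines):
    """Aggregate denials by (source type, target type, class) into allow rules,
    audit2allow style. Each rule is a candidate for review: a denial can also mean a
    mislabelled file (the sbin_t symlink in this bug), not a missing rule."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key].update(rec["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```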
