1328548 – SELinux is preventing (ostnamed) from mounton access on the directory /home

Bug 1328548 - SELinux is preventing (ostnamed) from mounton access on the directory /home

Summary: SELinux is preventing (ostnamed) from mounton access on the directory /home

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-04-19 15:50 UTC by srakitnican
Modified:	2016-04-22 15:23 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-04-20 14:36:31 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description srakitnican 2016-04-19 15:50:51 UTC

Description of problem: On a upgraded Fedora 23 to Fedora 24 system, selinux is preventing mounton access on /home to systemd-hostnamed.

Apr 19 16:14:48 localhost systemd[1]: Starting Hostname Service...
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=filter family=2
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=nat family=2 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=raw family=2 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=mangle family=2
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=security family=2
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=filter family=10
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=nat family=10 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=raw family=10 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=mangle family=10
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=security family=10
entries=0
Apr 19 16:14:48 localhost audit[3618]: AVC avc:  denied  { mounton } for
pid=3618 comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Apr 19 16:14:48 localhost dbus[895]: [system] Successfully activated
service 'org.freedesktop.hostname1'
Apr 19 16:14:48 localhost systemd[1]: Started Hostname Service.
Apr 19 16:14:48 localhost audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
Apr 19 16:14:48 localhost kernel: nf_conntrack: automatic helper assignment
is deprecated and it will be removed soon. Use the iptables CT target to
attach helpers instead.
Apr 19 16:14:51 localhost dbus[895]: [system] Activating service
name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 19 16:14:51 localhost gvfsd[1716]: ** (gvfsd:1716): WARNING **:
dbus_mount_reply: Error from org.gtk.vfs.Mountable.mount(): Failed to
retrieve share list from server: Connection refused
Apr 19 16:14:51 localhost gvfsd[1716]: ** (process:3624): WARNING **:
Couldn't create directory monitor on smb://x-gnome-default-workgroup/.
Error: The specified location is not mounted
Apr 19 16:14:51 localhost dbus[895]: [system] Successfully activated
service 'org.fedoraproject.Setroubleshootd'
Apr 19 16:14:52 localhostA setroubleshoot[3649]: SELinux is preventing
(ostnamed) from mounton access on the directory /home. For complete SELinux
messages. run sealert -l 29306eea-442b-448d-a647-6f1dede9ee78
Apr 19 16:14:52 localhost python3[3649]: SELinux is preventing (ostnamed)
from mounton access on the directory /home.

                                           *****  Plugin restorecon (94.8
confidence) suggests   ************************

                                           If you want to fix the label.
                                           /home default label should be
home_root_t.
                                           Then you can run restorecon.
                                           Do
                                           # /sbin/restorecon -v /home

                                           *****  Plugin catchall_labels
(5.21 confidence) suggests   *******************

                                           If you want to allow (ostnamed)
to have mounton access on the home directory
                                           Then you need to change the
label on /home
                                           Do
                                           # semanage fcontext -a -t
FILE_TYPE '/home'
                                           where FILE_TYPE is one of the
following: admin_home_t, anon_inodefs_t, audit_spool_t, auditd_log_t,
autofs_t, automount_tmp_t, bacula_store_t, binfmt_misc_fs_t, boot_t,
capifs_t, cgroup_t, cifs_t, container_image_t, debugfs_t, default_t,
device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t, efivarfs_t, fusefs_t,
home_root_t, hugetlbfs_t, ifconfig_var_run_t, init_var_run_t, initrc_tmp_t,
iso9660_t, kdbusfs_t, mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t,
news_spool_t, nfs_t, nfsd_fs_t, openshift_tmp_t, openshift_var_lib_t,
oracleasmfs_t, proc_t, proc_xen_t, pstore_t, public_content_rw_t,
public_content_t, ramfs_t, random_seed_t, removable_t, root_t,
rpc_pipefs_t, security_t, spufs_t, src_t, svirt_sandbox_file_t,
sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t, tmpfs_t, usbfs_t,
user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_lib_nfs_t, var_lib_t,
var_lock_t, var_log_t, var_run_t, var_t, virt_image_t, virt_var_lib_t,
vmblock_t, vxfs_t, xend_var_lib_t, xend_var_run_t, xenfs_t,
xenstored_var_lib_t.
                                           Then execute:
                                           restorecon -v '/home'


                                           *****  Plugin catchall (1.44
confidence) suggests   **************************

                                           If you believe that (ostnamed)
should be allowed mounton access on the home directory by default.
                                           Then you should report this as a
bug.
                                           You can generate a local policy
module to allow this access.
                                           Do
                                           allow this access for now by
executing:
                                           # ausearch -c (ostnamed) --raw |
audit2allow -M mypol
                                           # semodule -i mypol.pp

Apr 19 16:14:54 localhost gvfsd[1716]: ** (gvfsd:1716): WARNING **:
dbus_mount_reply: Error from org.gtk.vfs.Mountable.mount(): Failed to
retrieve share list from server: Connection refused
Apr 19 16:14:54 localhost gvfsd[1716]: ** (process:3622): WARNING **:
Couldn't create directory monitor on smb://x-gnome-default-workgroup/.
Error: The specified location is not mounted
Apr 19 16:15:18 localhost audit[1]: SERVICE_STOP pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'




$ sealert -l 29306eea-442b-448d-a647-6f1dede9ee78
SELinux is preventing (ostnamed) from mounton access on the directory /home.

*****  Plugin restorecon (94.8 confidence) suggests
************************

If you want to fix the label.
/home default label should be home_root_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home

*****  Plugin catchall_labels (5.21 confidence) suggests
*******************

If you want to allow (ostnamed) to have mounton access on the home directory
Then you need to change the label on /home
Do
# semanage fcontext -a -t FILE_TYPE '/home'
where FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t,
audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t,
binfmt_misc_fs_t, boot_t, capifs_t, cgroup_t, cifs_t, container_image_t,
debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t,
efivarfs_t, fusefs_t, home_root_t, hugetlbfs_t, ifconfig_var_run_t,
init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t, mail_spool_t, mnt_t,
mqueue_spool_t, named_conf_t, news_spool_t, nfs_t, nfsd_fs_t,
openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t, proc_xen_t,
pstore_t, public_content_rw_t, public_content_t, ramfs_t, random_seed_t,
removable_t, root_t, rpc_pipefs_t, security_t, spufs_t, src_t,
svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t,
tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t,
var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t,
virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t,
xend_var_run_t, xenfs_t, xenstored_var_lib_t.
Then execute:
restorecon -v '/home'


*****  Plugin catchall (1.44 confidence) suggests
**************************

If you believe that (ostnamed) should be allowed mounton access on the home
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c (ostnamed) --raw | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /home [ dir ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          localhost
Source RPM Packages
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-182.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.5.1-300.fc24.x86_64 #1 SMP
Tue
                              Apr 12 18:55:06 UTC 2016 x86_64 x86_64
Alert Count                   28
First Seen                    2016-04-18 20:27:54 CEST
Last Seen                     2016-04-19 16:14:48 CEST
Local ID                      29306eea-442b-448d-a647-6f1dede9ee78

Raw Audit Messages
type=AVC msg=audit(1461075288.431:423): avc:  denied  { mounton } for
pid=3618 comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0


Hash: (ostnamed),init_t,unlabeled_t,dir,mounton

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-182.fc24.noarch

How reproducible: Unknown


Steps to Reproduce:
1. Issue hostnamectl command and watch journalctl -f
2.
3.

Actual results: 


Expected results:


Additional info:

Comment 1 Lukas Vrabec 2016-04-20 14:36:31 UTC

You need to run restorecon to fix all labels on your system. 
Please run:
# restorecon -Rv /

To fix your issue.

Comment 2 srakitnican 2016-04-20 16:18:17 UTC

Hi,

Sorry, but "restorecon -Rv /" didn't help resolve the issue and I have already tried with "restorecon -Rv /home" should have pointed that out. What is interesting that I have new fedora install on other partition with this sharing /home partition with this install, and there is no this issue there. If you think this is not a bug in selinux-policy fine, I will try to work something out that works for me I guess.

Comment 3 srakitnican 2016-04-21 15:48:46 UTC

However following fixed it:

$ sudo ausearch -c "(ostnamed)" --raw | audit2allow -M mypol
$ sudo semodule -i mypol.pp
$ cat mypol.te 

module mypol 1.0;

require {
	type init_t;
	type unlabeled_t;
	class dir mounton;
}

#============= init_t ==============

#!!!! The file '/home' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /home
allow init_t unlabeled_t:dir mounton;

Comment 4 Daniel Walsh 2016-04-22 13:53:49 UTC

If you read what audit2allow told you it has the correct fix.

#============= init_t ==============

#!!!! The file '/home' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /home

Comment 5 srakitnican 2016-04-22 13:57:26 UTC

(In reply to Daniel Walsh from comment #4)
> If you read what audit2allow told you it has the correct fix.
> 
> #============= init_t ==============
> 
> #!!!! The file '/home' is mislabeled on your system.  
> #!!!! Fix with $ restorecon -R -v /home

Thanks but this fix did not work. This was not the issue.

Comment 6 Daniel Walsh 2016-04-22 14:26:36 UTC

The problem is the /home underneath the /home you mounted on is not labeled.  I take it you are doing this in permissive mode.  And you are labeling the mounted file system as opposed to the mount point.

Comment 7 Daniel Walsh 2016-04-22 14:27:11 UTC

init_t should probably be an unconfined domain.

Comment 8 srakitnican 2016-04-22 14:41:57 UTC

(In reply to Daniel Walsh from comment #6)
> The problem is the /home underneath the /home you mounted on is not labeled.
> I take it you are doing this in permissive mode.  And you are labeling the
> mounted file system as opposed to the mount point.

You are correct, I was labeling mounted filesystem. But, selinux was and it is in Enforcing mode. So, the right fix for this was to unmount /home and then to relabel it?

# umount /home
# ls -ldZ /home/
drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 6 Feb  4  2015 /home/

Comment 9 Daniel Walsh 2016-04-22 15:18:18 UTC

Yes that looks like the correct fix.

Comment 10 srakitnican 2016-04-22 15:23:00 UTC

After relabeling unmounted /home and removing my custom module it seems to work fine. No audit alert after issuing hostnamectl command, only success.

$ ls -ldZ /home/
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 Feb  4  2015 /home/
$ sudo semodule -r mypol


Thanks

Note You need to log in before you can comment on or make changes to this bug.