Description of problem:
After formatting USB drive to ext2 file system you can't write to it. There is no problem with FAT or NTFS file systems.

SELinux contexts after mounting USB drive with different file systems are:
FAT - dosfs_t
NTFS - fusefs_t
EXT2 - unlabeled_t

How reproducible:
always

Steps to Reproduce:
1. Format USB flash drive to ext2 file system with gparted or fdisk.
2. Mount it with file manager.
3. Try to create file or folder on it.

Actual results:
Permission denied

Expected results:
Create file or folder

Additional info:
# cat /etc/selinux/targeted/contexts/removable_context
system_u:object_r:removable_t:s0
Could you collect SELinux denials and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
In file manager Create Folder button on that drive is disabled

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
<no matches>

# mount | grep sdb1
/dev/sdb1 on /run/media/user/81fc8393-b382-45e8-b59f-50f743fccf3b type ext2 (rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2)

# ls -lZ /var/run/media/user
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 81fc8393-b382-45e8-b59f-50f743fccf3b

# ls -lZ /var/run/media/user/81fc8393-b382-45e8-b59f-50f743fccf3b/
drwx------. root root system_u:object_r:unlabeled_t:s0 lost+found

dmesg output:
[ 644.489057] usb 1-1: new high-speed USB device number 2 using ehci-pci
[ 644.626165] usb 1-1: New USB device found, idVendor=0951, idProduct=1665
[ 644.626171] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 644.626174] usb 1-1: Product: DataTraveler 2.0
[ 644.626176] usb 1-1: Manufacturer: Kingston
[ 644.626179] usb 1-1: SerialNumber: 50E549C695B3BE70A98B0650
[ 644.781209] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 644.782992] scsi host3: usb-storage 1-1:1.0
[ 644.783080] usbcore: registered new interface driver usb-storage
[ 645.786167] scsi 3:0:0:0: Direct-Access Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 6
[ 645.788631] sd 3:0:0:0: Attached scsi generic sg2 type 0
[ 645.800211] sd 3:0:0:0: [sdb] 30490624 512-byte logical blocks: (15.6 GB/14.5 GiB)
[ 645.807341] sd 3:0:0:0: [sdb] Write Protect is off
[ 645.807348] sd 3:0:0:0: [sdb] Mode Sense: 23 00 00 00
[ 645.814511] sd 3:0:0:0: [sdb] No Caching mode page found
[ 645.814516] sd 3:0:0:0: [sdb] Assuming drive cache: write through
[ 645.914919] sdb: sdb1
[ 645.963877] sd 3:0:0:0: [sdb] Attached SCSI removable disk
[ 646.687779] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[ 647.251687] EXT4-fs (sdb1): mounting ext2 file system using the ext4 subsystem
[ 647.308435] EXT4-fs (sdb1): mounted filesystem without journal. Opts: (null)
[ 647.308454] SELinux: initialized (dev sdb1, type ext2), uses xattr
[ 827.975106] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Could you attach version of selinux-policy rpm?
(In reply to Lukas Vrabec from comment #5)
> Could you attach version of selinux-policy rpm?

selinux-policy-3.13.1-60.el7_2.7.src.rpm
Milos, Are we able to reproduce it? Lukas.
Command (m for help): p

Disk /dev/sda: 4026 MB, 4026531840 bytes, 7864320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x3eadf52d

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-7864319, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-7864319, default 7864319):
Using default value 7864319
Partition 1 of type Linux and of size 3.8 GiB is set

Command (m for help): p

Disk /dev/sda: 4026 MB, 4026531840 bytes, 7864320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x3eadf52d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            2048     7864319     3931136   83  Linux

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   g   create a new empty GPT partition table
   G   create an IRIX (SGI) partition table
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

# stat /dev/sda1
  File: ‘/dev/sda1’
  Size: 0          Blocks: 0          IO Block: 4096   block special file
Device: 6h/6d   Inode: 47609       Links: 1     Device type: 8,1
Access: (0660/brw-rw----)  Uid: (    0/    root)   Gid: (    6/    disk)
Context: system_u:object_r:fixed_disk_device_t:s0
Access: 2018-06-26 08:37:29.513120283 +0200
Modify: 2018-06-26 08:37:29.513120283 +0200
Change: 2018-06-26 08:37:29.513120283 +0200
 Birth: -

# mkfs.ext2 /dev/sda1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
245760 inodes, 982784 blocks
49139 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1006632960
30 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

# stat /dev/sda1
  File: ‘/dev/sda1’
  Size: 0          Blocks: 0          IO Block: 4096   block special file
Device: 6h/6d   Inode: 47609       Links: 1     Device type: 8,1
Access: (0660/brw-rw----)  Uid: (    0/    root)   Gid: (    6/    disk)
Context: system_u:object_r:fixed_disk_device_t:s0
Access: 2018-06-26 08:38:14.552509236 +0200
Modify: 2018-06-26 08:38:14.552509236 +0200
Change: 2018-06-26 08:38:14.552509236 +0200
 Birth: -

# mount /dev/sda1 /mnt
# mount | grep /mnt
/dev/sda1 on /mnt type ext2 (rw,relatime,seclabel,block_validity,barrier,user_xattr,acl)

# stat /mnt
  File: ‘/mnt’
  Size: 4096       Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d   Inode: 2           Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:unlabeled_t:s0
Access: 2018-06-26 08:37:53.000000000 +0200
Modify: 2018-06-26 08:37:53.000000000 +0200
Change: 2018-06-26 08:37:53.000000000 +0200
 Birth: -

# getfattr -d -m . /mnt
# getfattr -d -m . /mnt/lost+found
# ls -Z /mnt/
drwx------. root root system_u:object_r:unlabeled_t:s0 lost+found
#

There are no SELinux labels on the formatted USB flash device, until you run restorecon:

# restorecon -Rv /mnt
restorecon reset /mnt context system_u:object_r:unlabeled_t:s0->system_u:object_r:mnt_t:s0
restorecon reset /mnt/lost+found context system_u:object_r:unlabeled_t:s0->system_u:object_r:mnt_t:s0
# ls -Z /mnt/
drwx------. root root system_u:object_r:mnt_t:s0 lost+found
# getfattr -d -m . /mnt
getfattr: Removing leading '/' from absolute path names
# file: mnt
security.selinux="system_u:object_r:mnt_t:s0"

# getfattr -d -m . /mnt/lost+found
getfattr: Removing leading '/' from absolute path names
# file: mnt/lost+found
security.selinux="system_u:object_r:mnt_t:s0"

#
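
The getfattr check from the comment above, automated for a whole mounted volume. This is an added example, not part of the bug report or of any Red Hat tooling; the names stored_label and audit_tree are hypothetical, and the read_label parameter exists only so the walk can be exercised without a real SELinux filesystem.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"  # xattr name printed by getfattr in the transcript


def stored_label(path):
    """Return the SELinux context stored on disk for path, or None if none is stored."""
    try:
        # List stored xattr names first, as `getfattr -d -m .` does: on an SELinux
        # host a direct getxattr may return the kernel's in-core label instead.
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:  # filesystem without xattr support
            return None
        raise
    if SELINUX_XATTR not in names:
        return None
    raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    return raw.rstrip(b"\x00").decode()


def audit_tree(root, read_label=stored_label):
    """Walk one filesystem below root; return (paths_without_label, {path: label})."""
    root_dev = os.lstat(root).st_dev
    missing, labeled = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune other mounts so only the volume under test is audited.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            label = read_label(path)
            if label is None:
                missing.append(path)
            else:
                labeled[path] = label
    return sorted(missing), labeled


if __name__ == "__main__" and len(sys.argv) > 1:
    # Assumed usage: pass the mount point as the only argument (e.g. /mnt).
    for p in audit_tree(sys.argv[1])[0]:
        print("no stored label:", p)
```

On the freshly formatted ext2 volume in the transcript this would list /mnt and /mnt/lost+found before restorecon and nothing afterwards.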
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.