Bug 1414513 - SELinux is preventing /usr/sbin/automount from write access on the file mtab
Summary: SELinux is preventing /usr/sbin/automount from write access on the file mtab
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-18 17:18 UTC by Lukas Slebodnik
Modified: 2017-10-02 13:19 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-02 13:19:47 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Lukas Slebodnik 2017-01-18 17:18:43 UTC
SELinux is preventing /usr/sbin/automount from write access on the file mtab.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that automount should be allowed write access on the mtab file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep automount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:automount_t:s0
Target Context                unconfined_u:object_r:etc_runtime_t:s0
Target Objects                mtab [ file ]
Source                        automount
Source Path                   /usr/sbin/automount
Port                          <Unknown>
Host                          hp-dl360g4-01.rhts.eng.bos.redhat.com
Source RPM Packages           autofs-5.0.5-131.el6.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-307.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hp-dl360g4-01.rhts.eng.bos.redhat.com
Platform                      Linux hp-dl360g4-01.rhts.eng.bos.redhat.com
                              2.6.32-683.el6.i686 #1 SMP Fri Jan 13 00:21:16 EST
                              2017 i686 i686
Alert Count                   97
First Seen                    Wed Jan 18 11:24:56 2017
Last Seen                     Wed Jan 18 12:08:26 2017
Local ID                      4d59c9c8-de10-456c-9412-66be1b7a3179

Raw Audit Messages
type=AVC msg=audit(1484759306.177:318): avc:  denied  { write } for  pid=13169 comm="automount" name="mtab" dev=dm-0 ino=1833588 scontext=unconfined_u:system_r:automount_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1484759306.177:318): arch=i386 syscall=open success=no exit=EACCES a0=c29163 a1=80002 a2=1b6 a3=b7791f51 items=0 ppid=13162 pid=13169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=automount exe=/usr/sbin/automount subj=unconfined_u:system_r:automount_t:s0 key=(null)

Hash: automount,automount_t,etc_runtime_t,file,write

audit2allow

#============= automount_t ==============
allow automount_t etc_runtime_t:file write;

audit2allow -R

#============= automount_t ==============
allow automount_t etc_runtime_t:file write;

Comment 1 Lukas Slebodnik 2017-01-18 17:21:38 UTC
I can see this AVC mostly on i386 machine. I have no idea why.

Comment 3 Lukas Slebodnik 2017-01-18 18:47:43 UTC
Ian,
do you think it should be allowed? Do you have an idea what's going on there?

Comment 4 Ian Kent 2017-01-19 01:07:29 UTC
(In reply to Lukas Slebodnik from comment #3)
> Ian,
> do you think it should be allowed? Do you have an idea what's going on there?

I have to wonder why automount is trying to write to mtab.

Except that automount runs as root and calls mount(8) to
mount things so to that extent it must have write access
but that's mount not automount doing that.

So I'm not sure what's going on there, perhaps it's an
open call to read the mtab, I'll have a look but I'm
pretty sure I open the mount table read only when doing
that.

OTOH it's probably not a problem to allow it.

Comment 7 Lukas Slebodnik 2017-01-20 12:42:24 UTC
(In reply to Ian Kent from comment #4)
> (In reply to Lukas Slebodnik from comment #3)
> > Ian,
> > do you think it should be allowed? Do you have an idea what's going on there?
> 
> I have to wonder why automount is trying to write to mtab.
> 
> Except that automount runs as root and calls mount(8) to
> mount things so to that extent it must have write access
> but that's mount not automount doing that.
> 
> So I'm not sure what's going on there, perhaps it's an
> open call to read the mtab, I'll have a look but I'm
> pretty sure I open the mount table read only when doing
> that.
> 
> OTOH it's probably not a problem to allow it.

BTW I ran test 30 times on x86_64 but I could not see any AVC.
It is really suspicious

Comment 9 Ian Kent 2017-01-30 11:25:04 UTC
(In reply to Ian Kent from comment #4)
> 
> So I'm not sure what's going on there, perhaps it's an
> open call to read the mtab, I'll have a look but I'm
> pretty sure I open the mount table read only when doing
> that.

Btw, I can't see anywhere that automount(8) opens the mtab
file for write.

Comment 10 Lukas Slebodnik 2017-01-30 12:23:06 UTC
(In reply to Ian Kent from comment #9)
> (In reply to Ian Kent from comment #4)
> > 
> > So I'm not sure what's going on there, perhaps it's an
> > open call to read the mtab, I'll have a look but I'm
> > pretty sure I open the mount table read only when doing
> > that.
> 
> Btw, I can't see anywhere that automount(8) opens the mtab
> file for write.

Do you have an idea how to debug this issue? And why the AVC is only on i386?

Comment 12 Daniel Walsh 2017-01-30 20:15:42 UTC
This looks like a leaked file descriptor.  Some tool that started automount opened /etc/mtab for write and then leaked the file descriptor to automount most likely. Perhaps something in the init script?

Comment 14 Lukas Vrabec 2017-10-02 13:19:47 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com


Note You need to log in before you can comment on or make changes to this bug.