Bug 1570094 - autofs fails to mount sshfs due to selinux
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: atomic
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-04-20 15:51 UTC by wdouglascampbell
Modified: 2018-04-24 13:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-24 13:03:40 UTC
Type: Bug



Description wdouglascampbell 2018-04-20 15:51:43 UTC
Description of problem:

Autofs fails when attempting to automount a remote filesystem using sshfs.

Version-Release number of selected component (if applicable):

  autofs-1:5.1.4-7.fc27.x86_64
  fuse-sshfs-2.8-4.fc27.x86_64
  hesiod-3.2.1-9.fc27.x86_64

How reproducible:

Always for me.

Steps to Reproduce:
1.  Configure /etc/auto.master with the following:

/mnt/sshfs /etc/auto.sshfs --timeout=30,--ghost

2.  Configure /etc/auto.sshfs with the following:

archive -fstype=fuse,ro,nodev,nonempty,noatime,allow_other,max_read=65536 :sshfs\#root@172.16.1.202\:/

3.  Configure and test public key authentication to remote server at 172.16.1.202

4.  Start autofs

systemctl start autofs

Actual results:

journalctl -u autofs   gives me

Apr 20 11:30:53 atomic.zteam.biz systemd[1]: Starting Automounts filesystems on demand...
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: do_mount_autofs_indirect: failed to create autofs directory /misc
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: handle_mounts: mount of /misc failed!
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: master_do_mount: failed to startup mount
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: do_mount_autofs_indirect: failed to create autofs directory /net
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: handle_mounts: mount of /net failed!
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: master_do_mount: failed to startup mount
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: do_mount_autofs_indirect: failed to create autofs directory /mnt/sshfs
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: handle_mounts: mount of /mnt/sshfs failed!
Apr 20 11:30:53 atomic.zteam.biz automount[23741]: master_do_mount: failed to startup mount
Apr 20 11:30:53 atomic.zteam.biz systemd[1]: Started Automounts filesystems on demand.

ls -l /mnt/sshfs  is empty

Expected results:

ls -l /mnt/sshfs displays

dr-xr-xr-x. 2 root root 0 Apr 20 23:50 archive

and

ls -l /mnt/sshfs/archive  display remote filesystem


Additional info:

If I disable SELinux with

setenforce 0

and then restart autofs

systemctl restart autofs

the automount works as expected.

Comment 1 Daniel Walsh 2018-04-21 11:12:13 UTC
What AVC messages are you seeing?

ausearch -m avc -ts recent

Comment 2 wdouglascampbell 2018-04-22 00:48:07 UTC
I'm seeing this same message over and over again:

----
time->Sun Apr 22 08:46:36 2018
type=PROCTITLE msg=audit(1524357996.168:383131): proctitle=2F7573722F7362696E2F6175746F6D6F756E74002D2D666F726567726F756E64002D2D646F6E742D636865636B2D6461656D6F6E
type=SYSCALL msg=audit(1524357996.168:383131): arch=c000003e syscall=16 success=no exit=-13 a0=3 a1=c018937e a2=7f9a78001160 a3=0 items=0 ppid=1 pid=27780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="automount" exe="/usr/sbin/automount" subj=system_u:system_r:automount_t:s0 key=(null)
type=AVC msg=audit(1524357996.168:383131): avc:  denied  { read } for  pid=27780 comm="automount" name="mnt" dev="dm-0" ino=23069192 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file permissive=0

Comment 3 Daniel Walsh 2018-04-23 19:48:42 UTC
Looks like you set up a symbolic link on /mnt?  And SELinux is now allowing automount to read it?  Instead of using a symbolic link could you mount the content on /mnt or bind mount it?

Comment 4 wdouglascampbell 2018-04-24 13:03:40 UTC
Thanks Dan!

Atomic sets up /mnt as a symbolic link to /var/mnt.  I just needed to adjust the configuration in auto.master to:

/var/mnt/sshfs /etc/auto.sshfs --timeout=30,--ghost


That fixed it.
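
Added example, not part of the original bug report or of autofs: the denial above was automount_t reading a lnk_file labeled mnt_t, and the resolution was to put the real path in auto.master. This shell check lists master-map mount points whose path passes through a symbolic link and prints the resolved path to use instead. The function names are hypothetical, and `readlink -f` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: find autofs master-map mount points that traverse a symlink
# (e.g. /mnt -> /var/mnt on Atomic), which automount_t may not be allowed to read.

# Print the first symlinked component of an absolute path; exit 1 if there is none.
first_symlink() (
    cur=""
    rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -z "$part" ] && continue
        cur="$cur/$part"
        if [ -L "$cur" ]; then
            printf '%s\n' "$cur"
            exit 0
        fi
    done
    exit 1
)

# Read a master map; report each mount point whose path crosses a symlink.
# Returns 1 if any finding was printed, 0 otherwise.
check_master_map() {
    status=0
    while read -r mountpoint _rest; do
        case $mountpoint in
            ''|'#'*|'+'*|/-) continue ;;   # blank, comment, include, direct map
        esac
        if link=$(first_symlink "$mountpoint"); then
            printf '%s: %s is a symbolic link, use %s\n' \
                "$mountpoint" "$link" "$(readlink -f "$mountpoint")"
            status=1
        fi
    done < "$1"
    return $status
}

# Stand-alone use: pass the master map path, e.g. /etc/auto.master
if [ "$#" -gt 0 ]; then
    check_master_map "$1"
fi
```

Any remaining denials after switching to the resolved path can be confirmed with the `ausearch -m avc -ts recent` command from Comment 1.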

