Bug 1869028 - units with private mount namespaces (like cockpit.service) fail with exfat volume mounted: avc: denied { remount }
Keywords:
Status: CLOSED DUPLICATE of bug 1874836
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-08-15 15:41 UTC by Jason Montleon
Modified: 2020-09-09 07:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-09-09 07:18:15 UTC
Type: Bug
Embargoed:



Description Jason Montleon 2020-08-15 15:41:29 UTC
Description of problem:
cockpit fails with an exfat volume mounted

Version-Release number of selected component (if applicable):
cockpit-225-1.fc32.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install Fedora 32 with cockpit
2. Mount an exfat volume under /mnt
3. Try to connect to cockpit

Actual results:
page is unavailable. Further investigation shows the service failed.

Expected results:
Cockpit works.

Additional info:
The errors are:
systemd[9510]: cockpit.service: Failed to set up mount namespacing: /run/systemd/unit-root/: Permission denied
systemd[9510]: cockpit.service: Failed at step NAMESPACE spawning /usr/libexec/cockpit-tls: Permission denied

# systemctl -t service | grep cockpit
● cockpit.service                                       loaded failed failed  Cockpit Web Service                                                          
# umount /mnt
# systemctl restart cockpit
# systemctl -t service | grep cockpit
  cockpit.service                                       loaded active running Cockpit Web Service                                                          
# mount /dev/sdi1 /mnt
# systemctl restart cockpit
# systemctl -t service | grep cockpit
● cockpit.service                                       loaded failed failed  Cockpit Web Service

Comment 1 Jason Montleon 2020-08-15 15:45:38 UTC
selinux denials:
type=AVC msg=audit(1597504784.924:3423): avc:  denied  { remount } for  pid=7794 comm="(kpit-tls)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0

# audit2allow -m cockpit-custom < cockpit-custom.log 

module cockpit-custom 1.0;

require {
	type unlabeled_t;
	type init_t;
	class filesystem remount;
}

#============= init_t ==============
allow init_t unlabeled_t:filesystem remount;

Comment 2 Martin Pitt 2020-09-09 06:45:55 UTC
I can reproduce this perfectly well, thanks for the report!

Reproducer for creating exfat volume:

dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-32.noarch.rpm
dnf install -y exfat-utils
modprobe scsi_debug dev_size_mb=100
mkfs.exfat /dev/sda   # make TRIPLE SURE that this is the scsi_debug disk, not a real one!

Then,

mount /dev/sda /mnt
systemctl start cockpit

reproduces the bug.

This already happens in systemd, as it tries to set up a private mount namespace due to 

ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

This is a legitimate operation in systemd, so it should be supported in the SELinux policy.


selinux-policy-3.14.5-43.fc32.noarch
systemd-245.7-1.fc32.x86_64
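Added example, not code from the report or from the cockpit, systemd or selinux-policy projects: two POSIX shell helpers for triaging this failure from the defender's side. The first scans audit AVC records for the exact signature in comment 1 (init_t remounting an unlabeled_t filesystem), so the condition can be recognised in `ausearch -m avc` output instead of being papered over with the broad audit2allow module above; the second reads the sandboxing properties listed in comment 2, as printed by `systemctl show`, to tell whether a unit will set up a private mount namespace at all. The `systemctl show` line format and every sample input below are assumptions/constructed.

```sh
#!/bin/sh
# Constructed sample of audit AVC records, modeled on the denial quoted in comment 1
# plus two non-matching records (a different permission, a labeled target filesystem).
AVC_SAMPLE='type=AVC msg=audit(1597504784.924:3423): avc:  denied  { remount } for  pid=7794 comm="(kpit-tls)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1597504790.001:3424): avc:  denied  { read } for  pid=7800 comm="cockpit-ws" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1597504795.500:3425): avc:  denied  { remount } for  pid=7810 comm="(sshd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0'

# Reads AVC records on stdin and prints "pid comm" for each denial matching the
# mount-namespace-setup signature from this bug: source domain init_t, class
# filesystem, permission remount, target type unlabeled_t. Other records are skipped.
ns_remount_denials() {
  awk '
    /^type=AVC / && /avc: +denied +[{] remount [}]/ {
      sctx = ""; tctx = ""; tclass = ""; pid = ""; comm = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) sctx = substr($i, 10)
        if ($i ~ /^tcontext=/) tctx = substr($i, 10)
        if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        if ($i ~ /^pid=/)      pid = substr($i, 5)
        if ($i ~ /^comm=/)     comm = substr($i, 6)
      }
      gsub(/"/, "", comm)
      split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type:level -> [3] is the type
      if (tclass == "filesystem" && s[3] == "init_t" && t[3] == "unlabeled_t")
        print pid, comm
    }'
}

# Reads "Key=value" lines on stdin as printed by
#   systemctl show -p ProtectSystem -p ProtectHome -p PrivateTmp -p PrivateDevices <unit>
# (assumed format) and succeeds when any of these is enabled, i.e. systemd will build
# a private mount namespace for the unit and hit the remount above while an
# unlabeled filesystem (such as the exfat volume in this report) is mounted.
unit_uses_mount_namespace() {
  awk -F= '
    $1 ~ /^(ProtectSystem|ProtectHome|PrivateTmp|PrivateDevices)$/ && $2 != "no" && $2 != "" { hit = 1 }
    END { exit hit ? 0 : 1 }'
}

# Constructed `systemctl show` output mirroring the directives listed in comment 2.
UNIT_SAMPLE='ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes'

printf '%s\n' "$AVC_SAMPLE" | ns_remount_denials
printf '%s\n' "$UNIT_SAMPLE" | unit_uses_mount_namespace && echo "unit sets up a private mount namespace"
```

On a live host, feed `ausearch -m avc -ts recent` and `systemctl show -p ... cockpit.service` into the functions instead of the samples.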

Comment 3 Zdenek Pytela 2020-09-09 07:18:15 UTC

*** This bug has been marked as a duplicate of bug 1874836 ***

