Bug 1874836 - SELinux is preventing (-localed) from remount access on the filesystem while exfat drive is mounted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1869028 1869039 1875027
Depends On:
Blocks:
Reported: 2020-09-02 11:39 UTC by mershl
Modified: 2020-10-05 17:32 UTC (History)

Fixed In Version: selinux-policy-3.14.5-44.fc32
Clone Of:
Environment:
Last Closed: 2020-10-05 17:32:43 UTC
Type: Bug
Embargoed:



Description mershl 2020-09-02 11:39:26 UTC
Description of problem:
SELinux denies remount access for localed while an exfat drive is mounted, resulting in relying software failing.

Version-Release number of selected component:
selinux-policy-3.14.5-43.fc32.noarch

How reproducible:
Every time.

Steps to Reproduce:
1. Connect exfat drive. Automounted. See /etc/mtab below.
2. Open gnome-settings.
3. Switch to About tab.
4. SELinux denials are visible (remount access denied for localed).

Actual results:
setroubleshoot shows: "SELinux is preventing (-localed) from remount access on the filesystem."
localed.service is failing while in Enforcing mode.

Expected results:
localed.service starts without errors. No SELinux denials.

/etc/mtab:
/dev/sde2 /run/media/mershl/MyPassport exfat rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0

Comment 1 Zdenek Pytela 2020-09-02 12:36:40 UTC
Hi,

Could you show the actual AVC denials?

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err

I suppose this is related:
https://github.com/fedora-selinux/selinux-policy/pull/425

Comment 2 Timothée Ravier 2020-09-02 13:17:16 UTC
It is indeed related as a first try/guess to fixing the issue :).

Comment 3 mershl 2020-09-02 13:47:15 UTC
Hi,

Filtered to the last 8 denials:

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err
 
type=AVC msg=audit(02.09.2020 12:19:42.601:283) : avc:  denied  { remount } for  pid=7820 comm=(geoclue) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 
----
type=AVC msg=audit(02.09.2020 12:19:42.874:287) : avc:  denied  { remount } for  pid=7963 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 
----
type=AVC msg=audit(02.09.2020 12:23:12.549:239) : avc:  denied  { remount } for  pid=6680 comm=(-localed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 
----
type=AVC msg=audit(02.09.2020 12:33:27.634:235) : avc:  denied  { remount } for  pid=7790 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 12:43:02.530:265) : avc:  denied  { remount } for  pid=11154 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 12:45:15.953:215) : avc:  denied  { remount } for  pid=6834 comm=(imedated) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 15:42:54.752:232) : avc:  denied  { remount } for  pid=7007 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(02.09.2020 15:43:47.543:247) : avc:  denied  { remount } for  pid=7661 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
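
Added example, not part of the original report or of selinux-policy: a small triage script for `ausearch -i` output in the layout shown in Comment 3. It groups denials by type, class and permission, separates enforced from permissive ones, and picks out denials against a filesystem labeled `unlabeled_t`, which is the pattern in this bug. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the `ausearch -i` layout shown in this report
# (PIDs, serials and the third record are illustrative).
SAMPLE = """\
type=AVC msg=audit(02.09.2020 12:00:01.100:101) : avc:  denied  { remount } for  pid=1001 comm=(-localed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
----
type=AVC msg=audit(02.09.2020 12:00:02.200:102) : avc:  denied  { remount } for  pid=1002 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(02.09.2020 12:00:03.300:103) : avc:  denied  { read write } for  pid=1003 comm=example scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm=(?P<comm>\S+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def parse_avc(text):
    """Parse AVC lines into dicts; a context is user:role:type:level."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # "----" separators and non-AVC lines
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["enforced"] = rec["permissive"] == "0"  # permissive=1: logged only
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Count denials per (source type, target type, class, perm, enforced)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r["tclass"], perm, r["enforced"])] += 1
    return counts

def unlabeled_filesystem_denials(records):
    """Denials whose target is a filesystem carrying no label (unlabeled_t)."""
    return [r for r in records
            if r["tclass"] == "filesystem" and r["target_type"] == "unlabeled_t"]

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_avc(SAMPLE)).items()):
        print(n, *key)
```
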

Comment 4 Zdenek Pytela 2020-09-03 04:53:14 UTC
*** Bug 1875027 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2020-09-09 07:18:15 UTC
*** Bug 1869028 has been marked as a duplicate of this bug. ***

Comment 6 Jason Montleon 2020-09-09 17:31:30 UTC
*** Bug 1869039 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2020-09-21 14:51:43 UTC
commit 192d78550f4e832be2ce4be66d0f84d3bf61304a (HEAD -> f32, upstream/f32)
Author: Timothée Ravier <travier>
Date:   Wed Sep 2 13:28:32 2020 +0200

    kernel/filesystem: Add exfat support (no extended attributes)
    
    According to [1], the exfat filesystem does not support extended
    attributes so it should be handled like fat/vfat/ntfs.
    
    [1] https://en.wikipedia.org/wiki/Comparison_of_file_systems
    
    Resolves: rhbz#1874836

Comment 8 Fedora Update System 2020-10-02 07:03:49 UTC
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 9 Fedora Update System 2020-10-03 02:09:07 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2020-10-05 17:32:43 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

