Description of problem:
fuse changes the security context of /etc/mtab when it mounts or umounts, which results in

audit(1144746982.448:5): avc: denied { write } for pid=3273 comm="mount" name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file

when I try to unmount/mount a USB pen drive. I also get tons of AVCs during shutdown.

Version-Release number of selected component (if applicable):
fuse-2.5.2-4.fc5

How reproducible:
always!

Steps to Reproduce:
1. mount anything using fuse (sshfs)
2. umount it, mount a USB pen drive
3. notice AVCs
4. shutdown, notice tons of AVCs

Actual results:
audit(1144746982.448:5): avc: denied { write } for pid=3273 comm="mount" name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file

and no mtab entry for newly mounted devices.

Expected results:
it should not change the file context

Additional info:
selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5
I found the problem, fixed it and sent a patch upstream to the fuse-devel mailing list. fusermount was re-creating /etc/mtab on unmount, but it wasn't restoring the security context of the old file it was replacing.
I can confirm that it's fixed ;)
This problem isn't fixed in the packages in Extras for FC5 and FC6. Indeed, the patch I submitted upstream has made it into the source used to build the packages, but the fusermount binary in the rpms built for the Extras repositories doesn't contain the fix. The only explanation for that is that the build environment doesn't include the libselinux and libselinux-devel packages. Hence the fusermount binary never includes the SELinux-specific code. If I rebuild the src rpm as-is, I obtain a fusermount binary that includes the code and hence solves the problem. I suggest adding the following to the spec file:

BuildRequires: libselinux, libselinux-devel

This should definitely ensure the problem is solved.
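The bug described in comment 2 (a new /etc/mtab written over the old one without carrying the old file's label across) and the point in comment 4 (a build without the SELinux code silently loses that step) can both be shown on a scratch file. The script below is an added example, not code from the fuse project or from the submitted patch, and it does not claim to be the patch's method. It reads and writes the raw security.selinux extended attribute directly (what libselinux's getfilecon()/setfilecon() use underneath), so it needs no libselinux binding; on a kernel or filesystem with no SELinux labels it degrades to a plain atomic replace and reports that nothing was preserved. The sample mtab line and the temp directory are constructed; the real /etc/mtab is never touched.

```python
"""Replacing a file without losing its SELinux label (the /etc/mtab bug above).

Added example, not fuse project code. Uses the raw "security.selinux" xattr,
which is what libselinux's getfilecon()/setfilecon() read and write underneath.
"""
import errno
import os
import shutil
import tempfile

SELINUX_XATTR = "security.selinux"
# errno values meaning "this file has no label", as opposed to a real failure
_NO_LABEL = {getattr(errno, n) for n in ("ENODATA", "ENOTSUP", "EOPNOTSUPP", "ENOENT")
             if hasattr(errno, n)}


def get_context(path):
    """Return the SELinux label of `path` as bytes, or None if it carries none."""
    if not hasattr(os, "getxattr"):   # Python's xattr API is Linux-only
        return None
    try:
        return os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in _NO_LABEL:
            return None
        raise


def _write_tmp_beside(path, data):
    """Write `data` to a fresh temp file next to `path`; return the temp name."""
    fd, tmp = tempfile.mkstemp(prefix=".mtab.", dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    if os.path.exists(path):
        os.chmod(tmp, os.stat(path).st_mode & 0o7777)   # keep the old mode bits too
    return tmp


def replace_naively(path, data):
    """The pre-fix behaviour: write a new file and rename it over the old one.

    The new inode keeps whatever label the kernel assigned at creation (derived
    from the creating process and the parent directory, which for /etc/mtab is
    how it ended up as etc_t), so the label the old file had is silently lost.
    """
    os.rename(_write_tmp_beside(path, data), path)


def replace_preserving_context(path, data):
    """The fixed behaviour: read the old label first, re-apply it to the new file.

    Returns (old_context, restored). A setxattr failure (for example policy
    denying the relabel, or no SELinux support at all) is reported, not hidden.
    """
    old_ctx = get_context(path) if os.path.lexists(path) else None
    tmp = _write_tmp_beside(path, data)
    restored = False
    if old_ctx is not None:
        try:
            os.setxattr(tmp, SELINUX_XATTR, old_ctx, follow_symlinks=False)
            restored = True
        except OSError:
            restored = False
    try:
        os.rename(tmp, path)
    except OSError:
        os.unlink(tmp)
        raise
    return old_ctx, restored


def label_unchanged(path, expected_ctx):
    """Post-condition check a caller should make: does `path` still carry `expected_ctx`?"""
    return get_context(path) == expected_ctx


def demo():
    """Run both replacement paths on a constructed scratch mtab and report the outcome."""
    d = tempfile.mkdtemp()
    try:
        mtab = os.path.join(d, "mtab")   # throwaway copy, not the real /etc/mtab
        with open(mtab, "wb") as f:
            f.write(b"sshfs#host:/ /mnt/x fuse rw,user 0 0\n")   # constructed sample line
        before = get_context(mtab)
        _, restored = replace_preserving_context(mtab, b"")      # "umount" empties it
        with open(mtab, "rb") as f:
            after_fix = f.read()
        kept = label_unchanged(mtab, before)
        replace_naively(mtab, b"/dev/sdb1 /media/pen vfat rw 0 0\n")   # constructed
        with open(mtab, "rb") as f:
            after_naive = f.read()
        return {"label": before, "restored": restored, "label_kept": kept,
                "content_after_fix": after_fix, "content_after_naive": after_naive,
                "label_after_naive": get_context(mtab)}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

On an SELinux system run as a user allowed to relabel, `restored` is True and `label_kept` True, while `label_after_naive` shows the default label the naive path leaves behind; on a system without labels every context is None and both paths only differ in that the fixed one tells you nothing was preserved. That return value is the check a packager would want after a build like the one in comment 4: if the binary has no SELinux code at all, the "restored" leg is simply absent.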