Bug 188561 - fuse changes security context of /etc/mtab
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: fuse
Version: 5
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-04-11 05:16 EDT by drago01
Modified: 2007-11-30 17:11 EST
Fixed In Version: fuse-2.6.3-1.fc6
Doc Type: Bug Fix
Last Closed: 2007-02-09 06:03:44 EST


Description drago01 2006-04-11 05:16:40 EDT
Description of problem:
fuse changes the security context of /etc/mtab when it mounts or umounts,
which results in
audit(1144746982.448:5): avc:  denied  { write } for  pid=3273 comm="mount"
name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
when I try to unmount/mount a USB pen drive.
I also get tons of AVCs during shutdown.

Version-Release number of selected component (if applicable):
fuse-2.5.2-4.fc5

How reproducible:
always!

Steps to Reproduce:
1. mount anything using fuse (sshfs)
2. umount it, mount a usb pen drive
3. notice avcs
4. shutdown, notice tons of avcs.
  
Actual results:
audit(1144746982.448:5): avc:  denied  { write } for  pid=3273 comm="mount"
name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
and no mtab entry for newly mounted devices.

Expected results:

it should not change the file context

Additional info:
selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5

Comment 1 Yves Perrenoud 2006-07-27 13:49:43 EDT
I found the problem, fixed it and sent a patch upstream to the fuse-devel
mailing list. fusermount was re-creating /etc/mtab on unmount, but it wasn't
restoring the security context of the old file it was replacing.
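
The fix described in Comment 1, sketched as an added example (not fusermount's code and not the upstream patch): replace a file via temp file and rename() while carrying the old file's label over to the new inode. It reads the raw security.selinux extended attribute through <sys/xattr.h> instead of calling libselinux; the helper name replace_keep_label and its attr parameter are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Hypothetical helper (not fusermount's code): replace `path` with `data`
 * via temp file + rename(), copying the label held in xattr `attr`
 * ("security.selinux" on SELinux systems) onto the new inode.
 * Returns 0 on success, -1 on error. */
int replace_keep_label(const char *path, const char *attr,
                       const char *data, size_t len)
{
    char label[256], tmp[4096];
    struct stat st;
    int fd;

    /* 1. Read the old file's label and mode before replacing it. */
    ssize_t n = getxattr(path, attr, label, sizeof(label));
    if (n < 0 && errno != ENODATA && errno != ENOTSUP)
        return -1;              /* ENODATA/ENOTSUP: nothing to carry over */
    if (stat(path, &st) < 0)
        return -1;

    /* 2. Write the new contents to a temp file in the same directory. */
    if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int)sizeof(tmp))
        return -1;
    if ((fd = mkstemp(tmp)) < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len ||
        fchmod(fd, st.st_mode & 07777) < 0)
        goto fail;

    /* 3. Relabel the new inode; without this it keeps the creator's default. */
    if (n >= 0 && fsetxattr(fd, attr, label, (size_t)n, 0) < 0)
        goto fail;

    /* 4. Swap it in atomically. */
    if (close(fd) == 0 && rename(tmp, path) == 0)
        return 0;
    fd = -1;
fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    return -1;
}
```

The function fails closed: if the old label cannot be read for any reason other than "no label present", or cannot be applied to the new file, the original file is left in place.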

Comment 2 drago01 2007-02-09 06:03:44 EST
I can confirm that it's fixed ;)

Comment 3 Yves Perrenoud 2007-03-26 07:14:02 EDT
This problem isn't fixed in packages in Extras for FC5 and FC6. Indeed the patch
I submitted upstream has made it into the source used to build the packages, but
the fusermount binary in the rpms built for the Extras repositories doesn't
contain the fix. The only explanation for that is that the build environment
doesn't include the libselinux and libselinux-devel packages. Hence the
fusermount binary never includes the SELinux-specific code.

If I rebuild the src rpm as-is, I obtain a fusermount binary that includes the
code and hence solves the problem.

I suggest adding the following to the spec file:

BuildRequires: libselinux, libselinux-devel

This should definitely ensure the problem is solved.
