Bug 189142 - Selinux interferes with some fuse functionality
Selinux interferes with some fuse functionality
Product: Fedora
Classification: Fedora
Component: fuse (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Peter Lemenkov
Fedora Extras Quality Assurance
: FutureFeature
: 208278 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2006-04-17 12:42 EDT by Brian G. Anderson
Modified: 2008-09-29 01:59 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-29 01:59:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
selinux alert report (2.00 KB, text/plain)
2007-08-26 11:06 EDT, Adam Goode
no flags Details

  None (edit)
Description Brian G. Anderson 2006-04-17 12:42:12 EDT
Description of problem:
I'm using encfs which I have mounted as "sudo encfs --public ~user/dir-enc
~user/dir" (see bug 189139 for why this has to be done as root).  I can copy
files into ~user/dir (cp ~user/foo ~user/dir), but when I try something like "mv
~user/foo ~user/dir"  I get a permissin denied.  

Selinux has given me a avc denied message:
type=AVC msg=audit(1145291675.646:2094): avc:  denied  { associate } for 
pid=24518 comm="mv" name="fuse.te" scontext=user_u:object_r:file_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

audit2allow tells me I need to create a policy like this:
require {
        class filesystem associate;

        type file_t;
        type unlabeled_t;

allow file_t unlabeled_t:filesystem associate;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:
file moves into fuse filesystems should be allowed by selinux policy 

Additional info:
Comment 1 Peter Lemenkov 2006-10-31 09:03:41 EST
*** Bug 208278 has been marked as a duplicate of this bug. ***
Comment 2 Peter Lemenkov 2007-06-05 17:28:04 EDT
Please test with new version (2.6.5-2) whether this bug still exists.
Comment 3 Adam Goode 2007-08-26 11:04:31 EDT
This seems to happen still with selinux-policy-3.0.6-3.fc8.

$ sshfs ... fuse
$ cd fuse
$ touch foo
$ mv foo ~
mv: cannot create regular file `/home/adam/foo': Permission denied

Comment 4 Adam Goode 2007-08-26 11:06:28 EDT
Created attachment 173001 [details]
selinux alert report
Comment 5 Daniel Walsh 2007-08-27 09:21:33 EDT
Fixed in selinux-policy-3.0.7-1.fc8.
Comment 6 Jon Stanley 2008-04-23 16:28:34 EDT
Adding FutureFeature keyword to RFE's.

Note You need to log in before you can comment on or make changes to this bug.