189142 – Selinux interferes with some fuse functionality

Bug 189142 - Selinux interferes with some fuse functionality

Summary: Selinux interferes with some fuse functionality

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	fuse
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Peter Lemenkov
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	208278 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-04-17 16:42 UTC by Brian G. Anderson
Modified:	2008-09-29 05:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-09-29 05:59:04 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
selinux alert report (2.00 KB, text/plain) 2007-08-26 15:06 UTC, Adam Goode	no flags	Details
View All

Description Brian G. Anderson 2006-04-17 16:42:12 UTC

Description of problem:
I'm using encfs which I have mounted as "sudo encfs --public ~user/dir-enc
~user/dir" (see bug 189139 for why this has to be done as root).  I can copy
files into ~user/dir (cp ~user/foo ~user/dir), but when I try something like "mv
~user/foo ~user/dir"  I get a permissin denied.  

Selinux has given me a avc denied message:
type=AVC msg=audit(1145291675.646:2094): avc:  denied  { associate } for 
pid=24518 comm="mv" name="fuse.te" scontext=user_u:object_r:file_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

audit2allow tells me I need to create a policy like this:
require {
        class filesystem associate;

        type file_t;
        type unlabeled_t;
};

allow file_t unlabeled_t:filesystem associate;


Version-Release number of selected component (if applicable):
fuse-2.5.2-4.fc5

How reproducible:
always


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
file moves into fuse filesystems should be allowed by selinux policy 


Additional info:

Comment 1 Peter Lemenkov 2006-10-31 14:03:41 UTC

*** Bug 208278 has been marked as a duplicate of this bug. ***

Comment 2 Peter Lemenkov 2007-06-05 21:28:04 UTC

Please test with new version (2.6.5-2) whether this bug still exists.

Comment 3 Adam Goode 2007-08-26 15:04:31 UTC

This seems to happen still with selinux-policy-3.0.6-3.fc8.


$ sshfs ... fuse
$ cd fuse
$ touch foo
$ mv foo ~
mv: cannot create regular file `/home/adam/foo': Permission denied

Comment 4 Adam Goode 2007-08-26 15:06:28 UTC

Created attachment 173001 [details]
selinux alert report

Comment 5 Daniel Walsh 2007-08-27 13:21:33 UTC

Fixed in selinux-policy-3.0.7-1.fc8.

Comment 6 Jon Stanley 2008-04-23 20:28:34 UTC

Adding FutureFeature keyword to RFE's.

Note You need to log in before you can comment on or make changes to this bug.