Bug 189142 - Selinux interferes with some fuse functionality
Summary: Selinux interferes with some fuse functionality
Alias: None
Product: Fedora
Classification: Fedora
Component: fuse
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
: 208278 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2006-04-17 16:42 UTC by Brian G. Anderson
Modified: 2008-09-29 05:59 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2008-09-29 05:59:04 UTC

Attachments (Terms of Use)
selinux alert report (2.00 KB, text/plain)
2007-08-26 15:06 UTC, Adam Goode
no flags Details

Description Brian G. Anderson 2006-04-17 16:42:12 UTC
Description of problem:
I'm using encfs which I have mounted as "sudo encfs --public ~user/dir-enc
~user/dir" (see bug 189139 for why this has to be done as root).  I can copy
files into ~user/dir (cp ~user/foo ~user/dir), but when I try something like "mv
~user/foo ~user/dir"  I get a permissin denied.  

Selinux has given me a avc denied message:
type=AVC msg=audit(1145291675.646:2094): avc:  denied  { associate } for 
pid=24518 comm="mv" name="fuse.te" scontext=user_u:object_r:file_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

audit2allow tells me I need to create a policy like this:
require {
        class filesystem associate;

        type file_t;
        type unlabeled_t;

allow file_t unlabeled_t:filesystem associate;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:
file moves into fuse filesystems should be allowed by selinux policy 

Additional info:

Comment 1 Peter Lemenkov 2006-10-31 14:03:41 UTC
*** Bug 208278 has been marked as a duplicate of this bug. ***

Comment 2 Peter Lemenkov 2007-06-05 21:28:04 UTC
Please test with new version (2.6.5-2) whether this bug still exists.

Comment 3 Adam Goode 2007-08-26 15:04:31 UTC
This seems to happen still with selinux-policy-3.0.6-3.fc8.

$ sshfs ... fuse
$ cd fuse
$ touch foo
$ mv foo ~
mv: cannot create regular file `/home/adam/foo': Permission denied

Comment 4 Adam Goode 2007-08-26 15:06:28 UTC
Created attachment 173001 [details]
selinux alert report

Comment 5 Daniel Walsh 2007-08-27 13:21:33 UTC
Fixed in selinux-policy-3.0.7-1.fc8.

Comment 6 Jon Stanley 2008-04-23 20:28:34 UTC
Adding FutureFeature keyword to RFE's.

Note You need to log in before you can comment on or make changes to this bug.