Bug 194061 - autofs fails to start with selinux in enforcing mode
Summary: autofs fails to start with selinux in enforcing mode
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: Reopened
Depends On:
TreeView+ depends on / blocked
Reported: 2006-06-05 14:53 UTC by Stephen Tweedie
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-06-15 22:35:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Kernel log of AVC denials (13.56 KB, text/plain)
2006-06-05 14:55 UTC, Stephen Tweedie
no flags Details

Description Stephen Tweedie 2006-06-05 14:53:50 UTC
Description of problem:
On current rawhide, even after a full relabel, autofs refuses to start with
enforcing targeted SELinux enabled.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enable autofs.
2. Boot.
Actual results:
Lots of AVC errors, autofs fails to start.

Expected results:
autofs starts.

Additional info:
The AVC denials appear to be in two classes: a flood of what appear to be
attempts to walk /proc:

audit(1149519096.966:72): avc:  denied  { search } for  pid=2401
comm="automount" name="2397" dev=proc ino=157089794
scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:initrc_t:s0

presumably when autofs is looking for an existing daemon to update/kill; and
then an attempt to load the autofs kernel module:

audit(1149519097.078:74): avc:  denied  { execute } for  pid=2406
comm="automount" name="modprobe" dev=dm-5 ino=245865
tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file

Will append a full AVC log.

Comment 1 Stephen Tweedie 2006-06-05 14:55:41 UTC
Created attachment 130508 [details]
Kernel log of AVC denials

Comment 2 Daniel Walsh 2006-06-06 19:43:54 UTC
autofs should not be execing modprobe.  If I have to allow autofs to do this,
all bets are off.  Things like modprobe should be done in the initscript not by
the executable.  It gives too much power to the application.


Comment 3 Jeff Moyer 2006-06-14 19:46:29 UTC
This is fixed as of 4.1.4-9.

Comment 4 Stephen Tweedie 2006-06-14 21:30:33 UTC
How on earth can a bug in autofs-5.0.0_beta4-3 be fixed in version 4.1.4-9?

autofs still will not start in enforcing mode current rawhide after a full relabel:

Latest AVC denials on attempting it:

Starting automount: audit(1150320735.957:8): avc:  denied  { sys_admin } for 
pid=2223 comm="automount" capability=21
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc:  denied  { sys_admin } for  pid=2226
comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.177:10): avc:  denied  { mounton } for  pid=2229
comm="automount" name="local" dev=dm-8 ino=1245185
tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1150320736.281:11): avc:  denied  { mounton } for  pid=2230
comm="automount" name="home" dev=dm-8 ino=851969
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

[root ~]# service autofs start
Starting automount:                                        [FAILED]
[root ~]# service autofs start
Starting automount:                                        [FAILED]
[root ~]# setenforce 0
[root ~]# service autofs start
Starting automount:                                        [  OK  ]
[root ~]#

But at least the "modprobe" is gone, and the remaining denials look like policy
problems: reassigning.

Comment 5 Daniel Walsh 2006-06-15 22:35:33 UTC
Fixed in selinux-policy-targeted-2.2.47-1

Note You need to log in before you can comment on or make changes to this bug.