Description of problem:
On current rawhide, even after a full relabel, autofs refuses to start with enforcing targeted SELinux enabled.

Version-Release number of selected component (if applicable):
autofs-5.0.0_beta4-3
selinux-policy-targeted-2.2.43-3

How reproducible:
100%

Steps to Reproduce:
1. Enable autofs.
2. Boot.

Actual results:
Lots of AVC errors, autofs fails to start.

Expected results:
autofs starts.

Additional info:
The AVC denials appear to be in two classes: a flood of what appear to be attempts to walk /proc:

audit(1149519096.966:72): avc: denied { search } for pid=2401 comm="automount" name="2397" dev=proc ino=157089794 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir

presumably when autofs is looking for an existing daemon to update/kill; and then an attempt to load the autofs kernel module:

audit(1149519097.078:74): avc: denied { execute } for pid=2406 comm="automount" name="modprobe" dev=dm-5 ino=245865 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file

Will append a full AVC log.
Created attachment 130508: Kernel log of AVC denials
autofs should not be execing modprobe. If I have to allow autofs to do this, all bets are off. Things like modprobe should be done in the initscript not by the executable. It gives too much power to the application. Dan
This is fixed as of 4.1.4-9.
How on earth can a bug in autofs-5.0.0_beta4-3 be fixed in version 4.1.4-9?

autofs still will not start in enforcing mode on current rawhide after a full relabel:
autofs-5.0.0_beta4-10
kernel-2.6.16-1.2273_FC6
selinux-policy-targeted-2.2.46-2

Latest AVC denials on attempting it:

Starting automount:
audit(1150320735.957:8): avc: denied { sys_admin } for pid=2223 comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc: denied { sys_admin } for pid=2226 comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.177:10): avc: denied { mounton } for pid=2229 comm="automount" name="local" dev=dm-8 ino=1245185 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1150320736.281:11): avc: denied { mounton } for pid=2230 comm="automount" name="home" dev=dm-8 ino=851969 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

[root ~]# service autofs start
Starting automount:                                        [FAILED]
[root ~]# service autofs start
Starting automount:                                        [FAILED]
[root ~]# setenforce 0
[root ~]# service autofs start
Starting automount:                                        [  OK  ]
[root ~]#

But at least the "modprobe" is gone, and the remaining denials look like policy problems: reassigning.
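As an added example (not part of the bug report, nor code from the autofs or selinux-policy projects), the following Python script triages the AVC records quoted in the description and in the comment above: it parses each "avc: denied" line, collapses the denials into the allow rules that audit2allow would propose, and then applies the rule Dan states in comment 3, that an execute denial on insmod_exec_t is an application bug to fix in the daemon or its initscript rather than a policy gap to allow. The extra verdict for targets labelled default_t (check the file labeling before adding an allow rule) is an assumption added here, as are all function names; the sample input is the six records quoted on this page.

```python
import re
from collections import defaultdict

# Sample input: the six AVC denial records quoted in this bug report
# (two from the description, four from the later comment).
SAMPLE_AVC_LOG = """\
audit(1149519096.966:72): avc: denied { search } for pid=2401 comm="automount" name="2397" dev=proc ino=157089794 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1149519097.078:74): avc: denied { execute } for pid=2406 comm="automount" name="modprobe" dev=dm-5 ino=245865 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
audit(1150320735.957:8): avc: denied { sys_admin } for pid=2223 comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc: denied { sys_admin } for pid=2226 comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.177:10): avc: denied { mounton } for pid=2229 comm="automount" name="local" dev=dm-8 ino=1245185 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1150320736.281:11): avc: denied { mounton } for pid=2230 comm="automount" name="home" dev=dm-8 ino=851969 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

# Record shape: audit(<ts>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type:level; the type is what policy rules name.
    return {
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def parse_log(text):
    """Return the parsed AVC records found in a block of log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def collapse(records):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for r in records:
        # Policy spells a same-type target as 'self' (e.g. capability checks).
        target = 'self' if r['ttype'] == r['stype'] else r['ttype']
        grouped[(r['stype'], target, r['tclass'])].update(r['perms'])
    return dict(sorted(grouped.items()))


def format_rule(key, perms):
    """Render one group as an SELinux allow statement, as audit2allow would."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (key[0], key[1], key[2], body)


def allow_rules(records):
    """The minimal allow rules that would silence every denial in the input."""
    return [format_rule(k, p) for k, p in collapse(records).items()]


def triage(records):
    """Pair each proposed rule with a verdict: not every denial deserves an allow."""
    out = []
    for key, perms in collapse(records).items():
        stype, target, tclass = key
        rule = format_rule(key, perms)
        if tclass == 'file' and target == 'insmod_exec_t' and 'execute' in perms:
            # Per comment 3: a daemon loading kernel modules is an application
            # bug; modprobe belongs in the initscript, not in the policy for the daemon.
            verdict = 'application bug: %s execs modprobe; fix the program, do not allow' % stype
        elif target == 'default_t':
            # Assumption added here: default_t is the fallback label for paths
            # with no file-context match, so check labeling before allowing.
            verdict = 'check labeling: target carries the default_t fallback label'
        else:
            verdict = 'policy candidate: review and add to the domain policy'
        out.append((rule, verdict))
    return out


if __name__ == '__main__':
    for rule, verdict in triage(parse_log(SAMPLE_AVC_LOG)):
        print('%-52s %s' % (rule, verdict))
```

Run it against a dmesg or audit.log extract instead of the embedded sample by reading the file into parse_log; the point of the triage step is that the first denial class in the description (search on /proc entries) and the later capability and mounton denials are policy material, while the modprobe execute denial is the one the policy maintainer refused to paper over.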
Fixed in selinux-policy-targeted-2.2.47-1