Bug 194061 - autofs fails to start with selinux in enforcing mode
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Keywords: Reopened
Reported: 2006-06-05 10:53 EDT by Stephen Tweedie
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-06-15 18:35:33 EDT

Attachments:
Kernel log of AVC denials (13.56 KB, text/plain), 2006-06-05 10:55 EDT, Stephen Tweedie

Description Stephen Tweedie 2006-06-05 10:53:50 EDT
Description of problem:
On current rawhide, even after a full relabel, autofs refuses to start with
enforcing targeted SELinux enabled.

Version-Release number of selected component (if applicable):
autofs-5.0.0_beta4-3
selinux-policy-targeted-2.2.43-3

How reproducible:
100%

Steps to Reproduce:
1. Enable autofs.
2. Boot.
  
Actual results:
Lots of AVC errors, autofs fails to start.

Expected results:
autofs starts.

Additional info:
The AVC denials appear to be in two classes: a flood of what appear to be
attempts to walk /proc:

audit(1149519096.966:72): avc:  denied  { search } for  pid=2401
comm="automount" name="2397" dev=proc ino=157089794
scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dir

presumably when autofs is looking for an existing daemon to update/kill; and
then an attempt to load the autofs kernel module:

audit(1149519097.078:74): avc:  denied  { execute } for  pid=2406
comm="automount" name="modprobe" dev=dm-5 ino=245865
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file

Will append a full AVC log.
Comment 1 Stephen Tweedie 2006-06-05 10:55:41 EDT
Created attachment 130508 [details]
Kernel log of AVC denials
Comment 2 Daniel Walsh 2006-06-06 15:43:54 EDT
autofs should not be execing modprobe.  If I have to allow autofs to do this,
all bets are off.  Things like modprobe should be done in the initscript not by
the executable.  It gives too much power to the application.

Dan
Comment 3 Jeffrey Moyer 2006-06-14 15:46:29 EDT
This is fixed as of 4.1.4-9.
Comment 4 Stephen Tweedie 2006-06-14 17:30:33 EDT
How on earth can a bug in autofs-5.0.0_beta4-3 be fixed in version 4.1.4-9?

autofs still will not start in enforcing mode current rawhide after a full relabel:
autofs-5.0.0_beta4-10
kernel-2.6.16-1.2273_FC6
selinux-policy-targeted-2.2.46-2

Latest AVC denials on attempting it:

Starting automount: audit(1150320735.957:8): avc:  denied  { sys_admin } for 
pid=2223 comm="automount" capability=21
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc:  denied  { sys_admin } for  pid=2226
comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.177:10): avc:  denied  { mounton } for  pid=2229
comm="automount" name="local" dev=dm-8 ino=1245185
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1150320736.281:11): avc:  denied  { mounton } for  pid=2230
comm="automount" name="home" dev=dm-8 ino=851969
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

[root ~]# service autofs start
Starting automount:                                        [FAILED]
[root ~]# service autofs start
Starting automount:                                        [FAILED]
[root ~]# setenforce 0
[root ~]# service autofs start
Starting automount:                                        [  OK  ]
[root ~]#

But at least the "modprobe" is gone, and the remaining denials look like policy
problems: reassigning.
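The denials quoted in the description and in comment 4 are the raw material a policy maintainer works from, and comment 2 makes the point that not every denial should become an allow rule. As an added example that is not part of this bug report, of autofs or of selinux-policy, the Python below re-joins the wrapped AVC records, collapses them into audit2allow-style allow rules keyed by (source type, target type, class), and then sorts those rules into ones a policy update can reasonably grant, ones that need a justification first (capabilities such as sys_admin), and ones that indicate the daemon is doing something it should not (automount exec'ing modprobe, the case Dan Walsh objects to). The sample log is copied from this report; the triage buckets and the sets CODE_FIX_TARGETS and REVIEW_CAPS are this example's own assumptions, not Fedora policy.

```python
import re
from collections import defaultdict

# AVC records copied from the description and comment 4 of this report; the
# kernel log lines are wrapped there, so the parser has to re-join them.
SAMPLE_LOG = """
audit(1149519096.966:72): avc:  denied  { search } for  pid=2401
comm="automount" name="2397" dev=proc ino=157089794
scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dir
audit(1149519097.078:74): avc:  denied  { execute } for  pid=2406
comm="automount" name="modprobe" dev=dm-5 ino=245865
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
Starting automount: audit(1150320735.957:8): avc:  denied  { sys_admin } for
pid=2223 comm="automount" capability=21
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.097:9): avc:  denied  { sys_admin } for  pid=2226
comm="automount" capability=21 scontext=system_u:system_r:automount_t:s0
tcontext=system_u:system_r:automount_t:s0 tclass=capability
audit(1150320736.281:11): avc:  denied  { mounton } for  pid=2230
comm="automount" name="home" dev=dm-8 ino=851969
scontext=system_u:system_r:automount_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """One dict per denial. A line containing 'audit(' starts a record; any
    other non-empty line is a continuation of the record before it."""
    records, current = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if "audit(" in line:
            if current:
                records.append(" ".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append(" ".join(current))
    parsed = []
    for m in filter(None, map(AVC_RE.search, records)):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        fields["perms"] = m.group("perms").split()
        parsed.append(fields)
    return parsed


def type_of(context):
    """Type field of a user:role:type:level security context."""
    return context.split(":")[2]


def allow_rules(records):
    """Collapse denials into (source, target, class) -> sorted perms, the
    grouping audit2allow uses for the rules it prints."""
    rules = defaultdict(set)
    for r in records:
        rules[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def format_rule(key, perms):
    """Policy syntax for one rule; a target equal to the source is 'self'."""
    src, tgt, cls = key
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {'self' if tgt == src else tgt}:{cls} {perm_str};"


# Triage heuristics: this example's assumptions, not anything the report or
# the Fedora policy defines.
CODE_FIX_TARGETS = {"insmod_exec_t"}   # a daemon exec'ing modprobe/insmod
REVIEW_CAPS = {"sys_admin", "sys_module", "sys_ptrace", "dac_override"}


def triage(rules):
    """'code_fix': the program should stop doing this (comment 2's modprobe
    exec); 'review': a powerful capability that needs a justification before
    policy grants it; 'policy': ordinary access a policy update can allow."""
    buckets = {"code_fix": [], "review": [], "policy": []}
    for key, perms in rules.items():
        _, tgt, cls = key
        if cls == "file" and tgt in CODE_FIX_TARGETS and "execute" in perms:
            buckets["code_fix"].append(key)
        elif cls == "capability" and REVIEW_CAPS & set(perms):
            buckets["review"].append(key)
        else:
            buckets["policy"].append(key)
    return buckets


if __name__ == "__main__":
    rules = allow_rules(parse_avc(SAMPLE_LOG))
    for bucket, keys in triage(rules).items():
        for key in keys:
            print(f"[{bucket}] {format_rule(key, rules[key])}")
```

Run against the report's denials this prints one code_fix rule (automount_t executing insmod_exec_t), one review rule (automount_t self:capability sys_admin, which mount(2) does legitimately need, so it belongs in policy once that is confirmed) and two plain policy rules (the /proc search and the mounton on home_root_t). On a live system the input would come from ausearch -m avc or the audit log rather than a pasted string; the point of the bucketing is that the first category is a bug in the program, exactly the distinction comment 2 draws.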
Comment 5 Daniel Walsh 2006-06-15 18:35:33 EDT
Fixed in selinux-policy-targeted-2.2.47-1
