Bug 211767 - SELinux blocks automatic mounting of ntfs partitions via ntfs-3g
Status: CLOSED DUPLICATE of bug 212507
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Depends On: 213339
Reported: 2006-10-22 07:42 EDT by Dawid Gajownik
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2007-02-14 10:16:35 EST
Description Dawid Gajownik 2006-10-22 07:42:55 EDT
Description of problem:
The ntfs-3g package landed a few days ago in Fedora Extras. Unfortunately, SELinux
blocks mounting of ntfs partitions:

Oct 22 13:22:24 X kernel: audit(1161516124.725:4): avc:  denied  { search } for
 pid=1259 comm="mount.ntfs-3g" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
Oct 22 13:22:24 X kernel: audit(1161516124.725:5): avc:  denied  { search } for
 pid=1259 comm="mount.ntfs-3g" name="kernel" dev=proc ino=-268435417
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
Oct 22 13:22:24 X kernel: audit(1161516124.797:6): avc:  denied  { getattr } for
 pid=1259 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=1296
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.865:7): avc:  denied  { read write }
for  pid=1260 comm="fusermount" name="fuse" dev=tmpfs ino=1296
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.949:8): avc:  denied  { getattr } for
 pid=1259 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=1296
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.993:9): avc:  denied  { read write }
for  pid=1261 comm="fusermount" name="fuse" dev=tmpfs ino=1296
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file

I put into /etc/fstab this line:
/dev/hda10              /mnt/ntfs               ntfs-3g defaults        0 0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.7-2.fc5

Additional info:
In permissive mode the partition is mounted without a problem.
Comment 1 Daniel Walsh 2006-10-26 09:36:01 EDT
You could add policy to allow this by executing 

audit2allow -M local < /var/log/audit/audit.log (or /var/log/messages)
Comment 2 Szabolcs Szakacsits 2006-10-29 20:34:32 EST
Hi. This is upstream. More and more people are reporting this problem to us. I
put the severity to high. What info do you need for the fix?
Comment 3 Dawid Gajownik 2006-10-30 02:17:06 EST
Current discussion about this problem takes place on fedora-selinux-list:
https://www.redhat.com/archives/fedora-selinux-list/2006-October/msg00109.html
Comment 4 Tom "spot" Callaway 2006-10-30 13:30:10 EST
So... since selinux doesn't seem to accept identifiers with dashes... either
SELinux gets fixed to permit this (this is inevitably going to occur in all
sorts of other things) or we rename the Fedora package to use some other separator.

Is a . an acceptable separator?
Comment 5 Dawid Gajownik 2006-10-30 14:57:48 EST
(In reply to comment #4)
> or we rename the Fedora package to use some other separator.

Renaming the package will not fix the problem. SELinux checks *filesystem* type
specified in /etc/fstab (or somewhere else in /proc). Patching ntfs-3g to
support ntfs.3g filesystem will cause only havoc -- HOWTOs from other
distributions will not work on Fedora and people will complain like with gcc-2.96 :/

1° SELinux language should be fixed or
2° ntfs kernel module will die and ntfs-3g will become a standard, so ntfs
partition type will be handled by the 3rd generation driver (:
Comment 6 Szabolcs Szakacsits 2006-10-31 12:24:50 EST
Option 2 isn't ok in the short term. The kernel NTFS maintainer is the
undisputed owner of the 'ntfs' file system type and he plans to replace this
driver with a read-write one in the summer of 2007.

I also think that fixing SELinux would be the most reasonable solution.

Comment 7 Tomasz Kepczynski 2006-12-27 16:14:28 EST
I am not sure if this belongs here, in #216625, or in its own bug,
but I noticed that ntfs-3g also does not work under autofs.
When selinux is permissive then everything works OK.
Comment 8 Szabolcs Szakacsits 2007-01-02 18:39:39 EST
Could you please update us what's the status of this bug? This is one of the
most often reported ntfs-3g problems to upstream, people don't understand what's
going on and unfortunately we can't do anything about it. Though it's documented,
people just expect things to work and they believe the problem is in
ntfs-3g, not in SELinux.
Comment 9 Daniel Walsh 2007-01-05 16:12:16 EST
This should be fixed in the current update for RHEL5 and FC6
selinux-policy-2.4.6-23
Comment 10 Szabolcs Szakacsits 2007-01-07 14:50:47 EST
Thank you for the information. Some people reported success, some can't find
selinux-policy-2.4.6-23 anywhere. Could somebody please give a URL/etc for
download please?
Comment 11 Szabolcs Szakacsits 2007-01-07 18:26:53 EST
This is getting confusing. Bug report
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220732#c3
says selinux-policy-2.4.6-23.fc6 didn't help.
Comment 12 Habig, Alec 2007-01-10 00:57:30 EST
The new selinux updates are still in fedora-testing, so haven't been pushed to
most users.  However, after manually installing them (plus the new
libselinux-1.33.3-2 just in case) I can confirm that this does not let my
fstab'd ntfs-3g partition get mounted.  Selinux denies things as follows:

avc:  denied  { read w rite } for  pid=1642 comm="fusermount" name="fuse"
dev=tmpfs ino=1689 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file

I even did a "touch /.autorelabel" and rebooted to see if that helped.  No dice.

After the system starts, I can (and always have been able to) just say "mount
/dev/sda1" and that works just fine.

On shutdown, the usual unmounting of block devices step fails miserably on the
ntfs-3g partition, complaining that block devices are not allowed on this
filesystem.  This part might be unrelated, haven't investigated it more
carefully (and audit and syslog logging is shut down at that point so I've got
to be fast with a pencil to get the right error dump).
Comment 13 Daniel Walsh 2007-02-14 10:16:35 EST
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade.  Or you could use 

audit2allow -M mypolicy -i /var/log/audit/audit.log 
and build local customized policy
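Comment 1 and comment 13 both point at audit2allow, which turns AVC denials like the ones quoted in the description into allow rules for a local policy module. The following Python is an added example, not part of this bug report or of the audit2allow tool: it performs that same merge on a constructed sample built from the description's denial lines (joined onto one line per event), and additionally flags rules whose target is a catch-all type such as device_t, where relabelling the node is the narrower fix than an allow rule.

```python
import re
from collections import defaultdict

# Constructed sample: AVC denials quoted in this bug's description, each event
# joined onto a single line as it would appear in audit.log or /var/log/messages.
SAMPLE_AVC = """\
Oct 22 13:22:24 X kernel: audit(1161516124.725:4): avc:  denied  { search } for pid=1259 comm="mount.ntfs-3g" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
Oct 22 13:22:24 X kernel: audit(1161516124.797:6): avc:  denied  { getattr } for pid=1259 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.865:7): avc:  denied  { read write } for pid=1260 comm="fusermount" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.993:9): avc:  denied  { read write } for pid=1261 comm="fusermount" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

# Permissions are the words inside the braces; contexts and class come later on the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (other kernel/audit noise)
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], frozenset(m['perms'].split()))

def allow_rules(text):
    """Merge permissions per (source, target, class), as audit2allow does, into allow rules."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in merged.items())

# Catch-all labels seen in this bug (device_t on /dev/fuse, unlabeled_t in comment 21):
# a denial against these usually means the object is mislabelled, not that the
# domain needs a broad new rule.
GENERIC_TARGETS = {"device_t", "unlabeled_t"}

def needs_review(rules):
    """Return the generated rules that grant access to catch-all target types."""
    return [r for r in rules if any(f" {t}:" in r for t in GENERIC_TARGETS)]
```

Review the flagged rules before loading a module built from them: allowing mount_t read/write on every device_t node is far wider than what mounting /dev/fuse needs.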
Comment 14 Habig, Alec 2007-02-14 11:00:19 EST
Daniel - from comment #10 down, comments in this bug refer directly to the FC6
with updates, not FC5.  To be doubly sure, I just updated to today's packages to
see if the new kernel changed matters at all, and it did not.  selinux blocks
ntfs-3g from mounting things from fstab, and if one mounts it manually, horribly
denies the unmount on shutdown.  So, this bug most certainly exists on a fully
patched FC6 system, and should not be closed.

Perhaps it could be closed as a dupe of
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220732#c3 , but it's
certainly not solved.

BTW, are you aware that the default FC6 machine will get no automatic updates at
all due to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212507 ?  That
one strikes me as brutally critical, but it's gotten little developer attention -
no other bug which you fix will ever be solved for the average Fedora user, who
doesn't read bugzilla in order to learn he needs to do something manually!
Comment 15 Daniel Walsh 2007-02-14 15:11:22 EST
Sorry, I will close it as a dup.  I need to get an ntfs machine up and running
to try to work around this problem.  Hopefully now that RHEL5 is quieting down I
can get some time.

*** This bug has been marked as a duplicate of 212507 ***
Comment 16 Szabolcs Szakacsits 2007-02-14 17:18:29 EST
The SELinux problem can be reproduced on any pure Linux box this way:
http://www.ntfs-3g.org/quality.html#howtotest
Comment 17 Szabolcs Szakacsits 2007-02-14 17:30:23 EST
Daniel, you closed this bug as a duplicate of "yum-updatesd auto update feature
is broken" (bug 212507) but I guess you wanted "SELinux blocks unmounting
ntfs-3g volumes on shutdown or reboot" (bug 220732). Btw, there are a few more
dups too.
Comment 18 Daniel Walsh 2007-02-16 09:42:09 EST
I executed the commands in http://www.ntfs-3g.org/quality.html#howtotest with an
image file in rawhide, and I got no avc messages and everything worked.

Comment 19 Szabolcs Szakacsits 2007-02-16 20:35:37 EST
There is an important thing. People report this SELinux problem during boot and
shutdown. When the system is up then they are able to mount from the command
line, SELinux lets them.

I also think that it would be worth testing the block device scenario too since
that's the reported problematic case and the code paths can be quite different.
The swap partition could be reused temporarily for this, or a pen drive.
Comment 20 Szabolcs Szakacsits 2007-02-18 15:08:46 EST
I suspect SELinux also blocks ntfs-3g from loading the FUSE kernel module if it's not
loaded yet, which is required to mount volumes. This could be one of the
explanations for the inconsistent reports.
Comment 21 Patrick Dietz 2007-03-13 09:01:04 EDT
Hi all,

I also have this problem, but can't fix it even if I use a full new clean 
install with today's latest selinux patch and do all the tips and tricks in this 
article. I have several USB drives 6 gig, 200 gig and 500 gig (used with 
Windows XP as archive). It can't mount or unmount (I can see files on the 
drives). In Windows I can take ownership (but no button in the Linux world) and 
after 20 hours of failed stuff I think I want to kill the machine.

The troubleshooter:

Selinux is preventing /bin/unmount (mount_t) to unlabled_t

SElinux denied access requested by bin/unmount. it is not expected that this 
access is required by /bin/unmount and this access may signal an intrusion 
attempt. it is also possible that the specific version or configuration of the 
application is causing it to require additional access.

Target Objects       None (system)
affected rpm package Utils-linux2.13.0.46.fc6 (application)
Policy RPM           Selinux-policy-2.4.6.42.fc6
Selinux enabled      true
Policy type          Targeted
Enforcing Mode       Permissive
Plugin Name          Pligins.catchall
Platform             Linux Localhost.localdomain 2.6.19.1.2911.6.5.fc6 #1 SMP 
SUN MAR 4 16:05:34 EST 2007 x86_64 x86_64


Also for Mount:

First (not handy that I can't copy paste from the screen :)

SELinux prevent /usr/bin/fusermount from mounting on the file or directory 
"MTAB.FUSELOCK" (Type "etc_t")

By default limits the mounting of filesystems to only some files or directories 
(those with types that have the mountpoint attribute). 

Allowing bla bla bla does also not do the trick

Best regards,

Patrick
 
Comment 22 Jochen Schmitt 2007-03-18 16:28:43 EDT
Hello, 

I have tried to examine the described issue. The problem is that ntfs-3g calls
/sbin/modprobe fuse using the system() call. So the following should be done:

1.) The system() call should be replaced by a patch, which I have suggested in
BZ #232031.

2.) We must allow a transition to insmod_t when ntfs-3g calls insmod_exec_t. In
my opinion, this will touch policy/modules/system/mount.*

Best Regards:

Jochen Schmitt
Comment 23 Szabolcs Szakacsits 2007-03-18 17:16:39 EDT
Hi. Sorry, I can't check your patch because bug 232031 is not public. But feel
free to send me (szaka@sienet.hu) and if it's safe and has no side-effects then
I would happily apply it. This was planned at some point anyway but it wasn't
done since nobody complained about system().
