Description of problem: The ntfs-3g package landed a few days ago in Fedora Extras. Unfortunately, SELinux blocks mounting of ntfs partitions:

Oct 22 13:22:24 X kernel: audit(1161516124.725:4): avc: denied { search } for pid=1259 comm="mount.ntfs-3g" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
Oct 22 13:22:24 X kernel: audit(1161516124.725:5): avc: denied { search } for pid=1259 comm="mount.ntfs-3g" name="kernel" dev=proc ino=-268435417 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
Oct 22 13:22:24 X kernel: audit(1161516124.797:6): avc: denied { getattr } for pid=1259 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.865:7): avc: denied { read write } for pid=1260 comm="fusermount" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.949:8): avc: denied { getattr } for pid=1259 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.993:9): avc: denied { read write } for pid=1261 comm="fusermount" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I put this line into /etc/fstab:
/dev/hda10 /mnt/ntfs ntfs-3g defaults 0 0

Version-Release number of selected component (if applicable): selinux-policy-targeted-2.3.7-2.fc5

Additional info: In permissive mode the partition is mounted without a problem.
You could add policy to allow this by executing audit2allow -M local < /var/log/audit/audit.log (or /var/log/messages)
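An added example, not code from this bug report or from the ntfs-3g or selinux-policy projects: it performs the grouping that audit2allow does (source type, target type, object class, union of denied permissions) over the AVC lines quoted in the first comment, so the allow rules a local module would contain can be reviewed before anything is loaded. The sample log is constructed from those quoted lines plus one unrelated kernel line; the rendered rules are for review only.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in this report (first comment), plus one
# unrelated kernel line to show that non-AVC records are skipped.
SAMPLE_LOG = """\
Oct 22 13:22:24 X kernel: audit(1161516124.725:4): avc: denied { search } for pid=1259 comm="mount.ntfs-3g" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
Oct 22 13:22:24 X kernel: audit(1161516124.797:6): avc: denied { getattr } for pid=1259 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:24 X kernel: audit(1161516124.865:7): avc: denied { read write } for pid=1260 comm="fusermount" name="fuse" dev=tmpfs ino=1296 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Oct 22 13:22:25 X kernel: usb 1-1: new high speed USB device
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type (3rd field) is what policy rules name.
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions,
    the same grouping audit2allow performs before proposing allow rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)

def to_te_rules(rules):
    """Render the summary as type-enforcement allow statements for human review."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())

if __name__ == '__main__':
    for rule in to_te_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Reviewing the rendered rules is the point: a denial on device_t from mount_t is the kind of thing a policy fix should handle with a proper device label rather than a broad local allow.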
Hi. This is upstream. More and more people are reporting this problem to us. I put the severity to high. What info do you need for the fix?
Current discussion about this problem takes place on fedora-selinux-list: https://www.redhat.com/archives/fedora-selinux-list/2006-October/msg00109.html
So... since selinux doesn't seem to accept identifiers with dashes... either SELinux gets fixed to permit this (this is inevitably going to occur in all sorts of other things) or we rename the Fedora package to use some other separator. Is a . an acceptable separator?
(In reply to comment #4) > or we rename the Fedora package to use some other separator. Renaming the package will not fix the problem. SELinux checks the *filesystem* type specified in /etc/fstab (or somewhere else in /proc). Patching ntfs-3g to support an ntfs.3g filesystem will only cause havoc -- HOWTOs from other distributions will not work on Fedora and people will complain like with gcc-2.96 :/ 1° the SELinux language should be fixed, or 2° the ntfs kernel module will die and ntfs-3g will become the standard, so the ntfs partition type will be handled by the 3rd generation driver (:
Option 2 isn't ok in the short term. The kernel NTFS maintainer is the undisputed owner of the 'ntfs' file system type and he plans to replace this driver with a read-write one in the summer of 2007. I also think that fixing SELinux would be the most reasonable solution.
I am not sure if this belongs here, in #216625, or in its own bug, but I noticed that ntfs-3g also does not work under autofs. When selinux is permissive then everything works OK.
Could you please update us on the status of this bug? This is one of the most often reported ntfs-3g problems to upstream; people don't understand what's going on and unfortunately we can't do anything about it. Though it's documented, people just expect things to work and they believe the problem is in ntfs-3g, not in SELinux.
This should be fixed in the current update for RHEL5 and FC6 selinux-policy-2.4.6-23
Thank you for the information. Some people reported success, some can't find selinux-policy-2.4.6-23 anywhere. Could somebody please give a URL/etc for download?
This is getting confusing. Bug report https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220732#c3 says selinux-policy-2.4.6-23.fc6 didn't help.
The new selinux updates are still in fedora-testing, so haven't been pushed to most users. However, after manually installing them (plus the new libselinux-1.33.3-2 just in case) I can confirm that this does not let my fstab'd ntfs-3g partition get mounted. Selinux denies things as follows:

avc: denied { read write } for pid=1642 comm="fusermount" name="fuse" dev=tmpfs ino=1689 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file

I even did a "touch /.autorelabel" and rebooted to see if that helped. No dice. After the system starts, I can (and always have been able to) just say "mount /dev/sda1" and that works just fine. On shutdown, the usual unmounting of block devices step fails miserably on the ntfs-3g partition, complaining that block devices are not allowed on this filesystem. This part might be unrelated, I haven't investigated it more carefully (and audit and syslog logging is shut down at that point so I've got to be fast with a pencil to get the right error dump).
All of these bugs should be fixed in FC6. You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use audit2allow -M mypolicy -i /var/log/audit/audit.log and build a local customized policy.
Daniel - from comment #10 down, comments in this bug refer directly to FC6 with updates, not FC5. To be doubly sure, I just updated to today's packages to see if the new kernel changed matters at all, and it did not. selinux blocks ntfs-3g from mounting things from fstab, and if one mounts it manually, horribly denies the unmount on shutdown. So, this bug most certainly exists on a fully patched FC6 system, and should not be closed. Perhaps it could be closed as a dupe of https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220732#c3 , but it's certainly not solved. BTW, are you aware that the default FC6 machine will get no automatic updates at all due to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212507 ? That one strikes me as brutally critical, but it's gotten little developer attention - no other bug which you fix will ever be solved for the average Fedora user, who doesn't read bugzilla in order to learn he needs to do something manually!
Sorry, I will close it as a dup. I need to get an ntfs machine up and running to try to work around this problem. Hopefully now that RHEL5 is quieting down I can get some time. *** This bug has been marked as a duplicate of 212507 ***
The SELinux problem can be reproduced on any pure Linux box this way: http://www.ntfs-3g.org/quality.html#howtotest
Daniel, you closed this bug as a duplicate of "yum-updatesd auto update feature is broken" (bug 212507) but I guess you wanted "SELinux blocks unmounting ntfs-3g volumes on shutdown or reboot" (bug 220732). Btw, there are a few more dups too.
I executed the commands in http://www.ntfs-3g.org/quality.html#howtotest with an image file in rawhide, and I got no avc messages and everything worked.
There is an important thing. People report this SELinux problem during boot and shutdown. When the system is up then they are able to mount from the command line; SELinux lets them. I also think that it would be worth testing the block device scenario too, since that's the reported problematic case and the code paths can be quite different. The swap partition could be reused temporarily for this, or a pen drive.
I suspect SELinux also blocks ntfs-3g from loading the FUSE kernel module if it's not loaded yet, which is required to mount volumes. This could be one of the explanations for the inconsistent reports.
Hi all, I also have this problem, but can't fix it even if I use a full new clean install with today's latest selinux patch and do all the tips and tricks in this article. I have several USB drives, 6 gig, 200 gig and 500 gig (used with Windows XP as archive). It can't mount or unmount (I can see files on the drives). In Windows I can take ownership (but there is no button for that in the Linux world) and after 20 hours of failed stuff I think I want to kill the machine.

The troubleshooter:
SELinux is preventing /bin/unmount (mount_t) to unlabeled_t. SELinux denied access requested by /bin/unmount. It is not expected that this access is required by /bin/unmount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Target Objects: None
(system) affected rpm package: Utils-linux2.13.0.46.fc6 (application)
Policy RPM: Selinux-policy-2.4.6.42.fc6
Selinux enabled: true
Policy type: Targeted
Enforcing Mode: Permissive
Plugin Name: Plugins.catchall
Platform: Linux Localhost.localdomain 2.6.19.1.2911.6.5.fc6 #1 SMP SUN MAR 4 16:05:34 EST 2007 x86_64 x86_64

Also for mount (first, not handy that I can't copy/paste from the screen :):
SELinux prevents /usr/bin/fusermount from mounting on the file or directory "MTAB.FUSELOCK" (type "etc_t"). By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute).

Allowing bla bla bla does also not do the trick.

Best regards, Patrick
Hello, I have tried to examine the described issue. The problem is that ntfs-3g calls /sbin/modprobe fuse using the system() call. So the following should be done:
1.) The system() call should be replaced by the patch which I have suggested in BZ #232031.
2.) We must allow a transition to insmod_t when ntfs-3g calls insmod_exec_t. In my opinion, this will touch policy/modules/system/mount.*
Best Regards: Jochen Schmitt
Hi. Sorry, I can't check your patch because bug 232031 is not public. But feel free to send it to me (szaka), and if it's safe and has no side-effects then I would happily apply it. This was planned at some point anyway but it wasn't done since nobody complained about system().