Bug 212665 - setroubleshoot incorrectly identifies autofs denial as file context problem
setroubleshoot incorrectly identifies autofs denial as file context problem
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-27 17:48 EDT by Need Real Name
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 1.5-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-28 11:03:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2006-10-27 17:48:41 EDT
Description of problem:
SELinux denied access to mount to automount a remote nfs share via autofs. This
is being fixed via a forthcoming policy update, but sealert incorrectly reported
this as a file/directory context problem.

The following avc denial was noted:

avc: denied { create } for comm='"mount.nfs"' egid='0' euid='0'
exe='"/sbin/mount.nfs"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0'
pid='21645' scontext=system_u:system_r:mount_t:s0 sgid='0'
subj='system_u:system_r:mount_t:s0' suid='0' tclass='netlink_route_socket'
tcontext=system_u:system_r:mount_t:s0 tty='(none)' uid='0'

This denial doesn't occur always, most predictably on a second or third mount
from the same host. The hypothesis for this is that automount may not always
read the route table on every mount.

The denial is being addressed, however, setroubleshoot/sealert incorrectly
analysed this as:

"SELinux prevented /sbin/mount.nfs from mounting a filesystem on the file or
directory "" of type "mount_t". By default SELinux limits the mounting of
filesystems to only some files or directories (those with types that have the
mountpoint attribute). The type "mount_t" does not have this attribute. You can
either relabel the file or directory or set the boolean "allow_mount_anyfile" to
true to allow mounting on any file or directory."

Version-Release number of selected component (if applicable):
setroubleshoot-1.0-1
selinux-policy-targeted-2.3.18-10
nfs-utils-1.0.9-8.fc6
autofs-5.0.1-0.rc2.17
kernel-2.6.18-1.2798.fc6

How reproducible:
Mostly, not always: most predictably on a second or third mount from the same host.

Steps to Reproduce:
1. Set up an automount from a remote nfs server.
2. Access the /auto/ mountpoint.
3. Wait for sealert analysis of error.
  
Actual results:
Warning about file context.

Expected results:
Warning about... something else.

Additional info:
Comment 1 Daniel Walsh 2006-11-08 11:52:37 EST
Fixed in setroubleshoot-1.5-1

Note You need to log in before you can comment on or make changes to this bug.