Description of problem:
SELinux prevents ntfs-3g from being mounted at boot.

Version-Release number of selected component (if applicable):
fuse-2.5.3
ntfs-3g-0-0.5.20070920

How reproducible:
Always

Steps to Reproduce:
1. Insert an NTFS filesystem line in /etc/fstab as such:
   /dev/sda2 /xp/c ntfs-3g uid=500,gid=500 0 0
2. Reboot

Actual results:
Filesystem not mounted, /var/log/messages contains a SELinux error message:
Nov 20 23:05:53 localhost kernel: audit(1164060319.334:8): avc: denied { execute_no_trans } for pid=1836 comm="mount.ntfs-3g" name="fusermount" dev=sda3 ino=3116154 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

Expected results:
The filesystem should be mounted.

Additional info:
sudo mount /xp/c works perfectly. The problem only appears at boot.
I can confirm that. Trying to mount an NTFS partition with ntfs-3g via fstab is not possible while mounting manually works well.
Fixed in selinux-policy-2.4.5-3.fc6
The problem still occurs. Logged:
Dec 1 21:25:43 localhost kernel: audit(1165004740.658:1854): avc: denied { execute_no_trans } for pid=2642 comm="mount.ntfs-3g" name="fusermount" dev=sda3 ino=3116077 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

$ rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.5                        Vendor: Red Hat, Inc.
Release     : 3.fc6                        Build Date: jeu 23 nov 2006 13:27:27 CET
Still occurs with selinux-policy 2.4.6 1.fc6
Are you seeing different avc messages?
$ rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.6                        Vendor: Red Hat, Inc.
Release     : 1.fc6                        Build Date: mer 29 nov 2006 21:36:17 CET

Dec 16 11:33:27 localhost kernel: audit(1166265206.083:9): avc: denied { read write } for pid=2659 comm="fusermount" name="fuse" dev=tmpfs ino=1644 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 16 11:33:27 localhost kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts

Sounds like SELinux gets initialized after the local filesystems try getting mounted?
I also have this problem, using selinux-policy-2.4.6-7.fc6. Here are the SELinux messages from boot.

Dec 18 17:20:17 agent kernel: SELinux: Initializing.
Dec 18 17:20:17 agent kernel: SELinux: Starting in permissive mode
Dec 18 17:20:18 agent kernel: SELinux: Registering netfilter hooks
Dec 18 17:20:18 agent kernel: SELinux: Completing initialization.
Dec 18 17:20:18 agent kernel: SELinux: Setting up existing superblocks.
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-2, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev devpts, type devpts), uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-0, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-1, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: audit(1166424605.834:4): avc: denied { read write } for pid=1546 comm="fusermount" name="fuse" dev=tmpfs ino=1573 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: audit(1166424617.884:8): avc: denied { read write } for pid=2229 comm="fusermount" name="fuse" dev=tmpfs ino=1573 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:19 agent kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Just add local policy for this for now. I think we need different policy for fusermount from mount.

audit2allow -M local < /var/log/audit/audit.log
# grep fusermount /var/log/messages.1|audit2allow
allow mount_t fixed_disk_device_t:chr_file { read write };
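As an added illustration (not code from this thread or from audit2allow itself), the parser below takes the avc lines quoted in the thread and merges them into allow rules the way audit2allow does, so the rule in the comment above can be traced back to its denial; the sample log is constructed from the thread's own lines.

```python
import re
from collections import defaultdict

# Constructed sample: the avc lines quoted in this thread plus one non-avc line to skip.
SAMPLE_LOG = """\
Nov 20 23:05:53 localhost kernel: audit(1164060319.334:8): avc: denied { execute_no_trans } for pid=1836 comm="mount.ntfs-3g" name="fusermount" dev=sda3 ino=3116154 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: audit(1166424605.834:4): avc: denied { read write } for pid=1546 comm="fusermount" name="fuse" dev=tmpfs ino=1573 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:18 agent kernel: audit(1166424617.884:8): avc: denied { read write } for pid=2229 comm="fusermount" name="fuse" dev=tmpfs ino=1573 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
"""

# One avc denial: permissions in braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one avc line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; allow rules name the type field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def allow_rules(log_text):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"  # braces only for multi-permission sets
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The execute_no_trans rule is what a blanket audit2allow run over the first report would also emit; the maintainer's remark that fusermount needs its own policy rather than a wider mount_t is the reason to review each generated rule before loading the module.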
Should be fixed for RHEL5 and FC6 by selinux-policy-2.4.6-23. I guess also the umount problems. Could you please confirm? Thanks.
fixed in selinux-policy-2.4.6-49
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change.

Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
to ensure this doesn't happen again.

And if you'd like to join the bug triage team to help make things better, check out
http://fedoraproject.org/wiki/BugZappers