Bug 216625 - SELinux prevents ntfs-3g filesystem from being mounted at boot
SELinux prevents ntfs-3g filesystem from being mounted at boot
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
6
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
bzcl34nup
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-11-21 04:32 EST by David Monniaux
Modified: 2008-04-07 22:21 EDT (History)
5 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-07 22:19:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description David Monniaux 2006-11-21 04:32:04 EST
Description of problem:
SELinux prevents ntfs-3g from being mounted at boot.

Version-Release number of selected component (if applicable):
fuse-2.5.3
ntfs-3g-0-0.5.20070920

How reproducible:
Always

Steps to Reproduce:
1. Insert a NTFS filesystem line in /etc/fstab as such:
/dev/sda2               /xp/c                   ntfs-3g uid=500,gid=500 0 0
2. Reboot
3.
  
Actual results:
Filesystem not mounted, /var/log/messages contains a SELinux error message:
Nov 20 23:05:53 localhost kernel: audit(1164060319.334:8): avc:  denied  {
execute_no_trans } for  pid=1836 comm="mount.ntfs-3g" name="fusermount" dev=sda3
ino=3116154 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

Expected results:
The filesystem should be mounted.

Additional info:
sudo mount /xp/c works perfectly. The problem only appears at boot.
Comment 1 Ronny Fischer 2006-11-22 02:29:12 EST
I can confirm that.

Trying to mount an NTFS partition with ntfs-3g via fstab is not possible while 
mounting manually works well.
Comment 2 Daniel Walsh 2006-11-28 16:21:08 EST
Fixed in selinux-policy-2.4.5-3.fc6
Comment 3 David Monniaux 2006-12-01 15:45:07 EST
The problem still occurs

Logged:
Dec  1 21:25:43 localhost kernel: audit(1165004740.658:1854): avc:  denied  {
execute_no_trans } for  pid=2642 comm="mount.ntfs-3g" name="fusermount" dev=sda3
ino=3116077 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

$ rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.5                             Vendor: Red Hat, Inc.
Release     : 3.fc6                         Build Date: jeu 23 nov 2006 13:27:27 CET
Comment 4 David Monniaux 2006-12-09 07:03:06 EST
Still occurs with selinux-policy 2.4.6 1.fc6
Comment 5 Daniel Walsh 2006-12-11 15:14:36 EST
Are you seeing different avc messages?
Comment 6 David Monniaux 2006-12-16 05:47:17 EST
$ rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.6                             Vendor: Red Hat, Inc.
Release     : 1.fc6                         Build Date: mer 29 nov 2006 21:36:17 CET

Dec 16 11:33:27 localhost kernel: audit(1166265206.083:9): avc:  denied  { read
write } for  pid=2659 comm="fusermount" name="fuse" dev=tmpfs ino=1644
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 16 11:33:27 localhost kernel: SELinux: initialized (dev autofs, type
autofs), uses genfs_contexts

Sounds like SElinux gets initialized after the local filesystems try getting
mounted?
Comment 7 n0dalus 2006-12-18 03:21:36 EST
I also have this problem, using selinux-policy-2.4.6-7.fc6.
Here is the SELinux messages from boot.

Dec 18 17:20:17 agent kernel: SELinux:  Initializing.
Dec 18 17:20:17 agent kernel: SELinux:  Starting in permissive mode
Dec 18 17:20:18 agent kernel: SELinux:  Registering netfilter hooks
Dec 18 17:20:18 agent kernel: SELinux:  Completing initialization.
Dec 18 17:20:18 agent kernel: SELinux:  Setting up existing superblocks.
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-2, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev usbfs, type usbfs), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev debugfs, type debugfs),
uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev selinuxfs, type
selinuxfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev mqueue, type mqueue),
uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev hugetlbfs, type
hugetlbfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev devpts, type devpts),
uses transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev eventpollfs, type
eventpollfs), uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev inotifyfs, type
inotifyfs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev futexfs, type futexfs),
uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev pipefs, type pipefs),
uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev sockfs, type sockfs),
uses task SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev cpuset, type cpuset),
not configured for labeling
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev proc, type proc), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev bdev, type bdev), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev rootfs, type rootfs),
uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev sysfs, type sysfs), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev ramfs, type ramfs), uses
genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-0, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev dm-1, type ext3), uses xattr
Dec 18 17:20:18 agent kernel: audit(1166424605.834:4): avc:  denied  { read
write } for  pid=1546 comm="fusermount" name="fuse" dev=tmpfs ino=1573
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev binfmt_misc, type
binfmt_misc), uses genfs_contexts
Dec 18 17:20:18 agent kernel: SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
Dec 18 17:20:18 agent kernel: audit(1166424617.884:8): avc:  denied  { read
write } for  pid=2229 comm="fusermount" name="fuse" dev=tmpfs ino=1573
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file
Dec 18 17:20:19 agent kernel: SELinux: initialized (dev autofs, type autofs),
uses genfs_contexts
Comment 8 Daniel Walsh 2006-12-18 14:40:24 EST
Just add local policy for this for now.  I think we need different policy for
fusermount from mount. 

audit2allow -M local < /var/log/audit/audit.log

Comment 9 David Monniaux 2006-12-20 03:39:29 EST
# grep fusermount /var/log/messages.1|audit2allow
allow mount_t fixed_disk_device_t:chr_file { read write };
Comment 10 Szabolcs Szakacsits 2007-01-07 07:19:59 EST
Should be fixed for RHEL5 and FC6 by selinux-policy-2.4.6-23. I guess also the
umount problems. Could you please confirm? Thanks.
Comment 11 Daniel Walsh 2007-04-10 14:56:12 EDT
fixed in selinux-policy-2.4.6-49
Comment 12 Bug Zapper 2008-04-04 00:50:16 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers

Note You need to log in before you can comment on or make changes to this bug.