Bug 220732 - SELinux blocks unmounting ntfs-3g volumes on shutdown or reboot
SELinux blocks unmounting ntfs-3g volumes on shutdown or reboot
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
6
All Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
: 220908 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-24 18:52 EST by Heiko Adams
Modified: 2007-11-30 17:11 EST (History)
10 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-09 10:16:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for use ntfs-3g with the SELinux reference policy (365 bytes, patch)
2007-03-19 13:14 EDT, Jochen Schmitt
no flags Details | Diff

  None (edit)
Description Heiko Adams 2006-12-24 18:52:27 EST
Description of problem:
If ntfs-3g volumes are mounted on boot, SELinux blocks unmounting ntfs-3g
volumes on shutdown or reboot.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-13.fc6
selinux-policy-2.4.6-13.fc6
fuse-2.6.0-2.fc6
ntfs-3g-0-0.5.20070920.fc6

How reproducible:
allways

Steps to Reproduce:
1. edit fstag to mount a ntfs-3g volume on boot
2. reboot the system to mount the ntfs-3g volume
3. shutdown the system
  
Actual results:
several error messages are thrown be SELinux

Expected results:
no error should occur during shutdown or reboot
Comment 1 Szabolcs Szakacsits 2007-01-07 07:23:48 EST
This is hopefully fixed for RHEL5 and FC6 by selinux-policy-2.4.6-23. Could you
please confirm? Thanks.
Comment 2 Heiko Adams 2007-01-07 08:24:55 EST
As soon as the updated packages hit the repo I'll try to confirm
Comment 3 Stephanos Manos 2007-01-07 16:29:19 EST
I updated to the latest form updates-testing.
The problem is still here (SELinux denials)

Here is the output of sealert

sealert -l 5b77c8c5-93c1-4600-b6a7-51137fb4866d
Summary
    SELinux is preventing /usr/bin/fusermount (mount_t) "mount" to /
    (unlabeled_t).

Detailed Description
    SELinux denied access requested by /usr/bin/fusermount. It is not expected
    that this access is required by /usr/bin/fusermount and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:unlabeled_t
Target Objects                / [ filesystem ]
Affected RPM Packages         fuse-2.6.1-1.fc6 [application]filesystem-2.4.0-1
                              [target]
Policy RPM                    selinux-policy-2.4.6-23.fc6
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     ghost.home-net
Platform                      Linux ghost.home-net 2.6.18-1.2869.fc6 #1 SMP Wed
                              Dec 20 14:51:19 EST 2006 i686 i686
Alert Count                   16
Line Numbers                  

Raw Audit Messages            

avc: denied { mount } for comm="fusermount" dev=fuse egid=0 euid=0
exe="/usr/bin/fusermount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
pid=2538 scontext=system_u:system_r:mount_t:s0 sgid=0
subj=system_u:system_r:mount_t:s0 suid=0 tclass=filesystem
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0
Comment 4 Heiko Adams 2007-01-13 08:48:25 EST
I'm sorry, but this bug isn't fixed with selinux-policy-targeted-2.4.6-23.fc6.
The error messages are still there
Comment 5 Heiko Adams 2007-01-19 16:41:09 EST
Adding user_allow_other to fuse.conf and the following parameters in fstab
solved the problem for me: dmask=022,fmask=133,noauto,locale=de_DE.utf8,user 0 0
Comment 6 Heiko Adams 2007-01-20 09:41:29 EST
(In reply to comment #5)
> Adding user_allow_other to fuse.conf and the following parameters in fstab
> solved the problem for me: dmask=022,fmask=133,noauto,locale=de_DE.utf8,user 0 0
Please ignore this comment. It doesn't fix the problem.
Comment 7 Eric Buist 2007-01-27 11:44:20 EST
I use selinux-policy-targeted-2.4.6-27, and I have the exact same problem. The
only procedure to generate a local policy module to allow ntfs-3g fails, because
audit2allow does not work anymore; it crashes with an error message. I tried to
hack the audit2allow Python script, the problem comes from lines printing text,
I could create the local module, and load it using semodule. But this did not
make any difference. The only solution seems to add noauto in fstab, manually
mount the NTFS drive, and DO NOT forget to manually unmount before shutting
down. There is enough things to think about when using a computer, this is not
necessary to add this annoying one. So I disabled SELinux; what is the point
with this feature which always blocks everything up? With Fedora Core 3, I
disabled it, because it was blocking GnuPG. Now, it continues to block other
programs, and there is no way the user can customize the policy to selectively
unblock things, or the provided ways are buggy.
So in my opinon, the problem is not with ntfs-3g itself, but SELinux.
Comment 8 r6144 2007-02-05 09:40:15 EST
I'm also seeing this problem using selinux-policy-targeted-2.4.6-27.fc6 and
ntfs-3g-0-0.9.20070118.fc6.  Loading the following policy module as per the
SELinux FAQ solves the problem.  It is basically a commented version of the
audit2allow output.

I have not investigated yet why the root of the ntfs-3g filesystem is unlabeled,
despite the genfscon command in filesystem.te.

policy_module(local, 1.0)

require {
	type mount_t, mount_exec_t, unconfined_t, fixed_disk_device_t, unlabeled_t;
}

# NOTE: This may not be secure; however, DAC should provide enough security
# for now.

# mount.ntfs-3g does a system("modprobe fuse") if the module is not loaded
corecmd_exec_shell(mount_t)
modutils_domtrans_insmod(mount_t)

# To allow access to /dev/fuse, which is labeled fixed_disk_device_t
# (thankfully there are not many other character devices of this type)
allow mount_t fixed_disk_device_t:chr_file rw_file_perms;

# The target filesystem happens to be unlabeled (should have been dosfs_t);
# we won't let that stop us.
allow mount_t unlabeled_t:filesystem { mount unmount };

# The boot scripts run mount as mount_t.  Running mount directly as root
# uses unconfined_mount_t though, so the problem cannot be reproduced this way.
#
# The following statement allows us to use "runcon -t mount_t mount ..."
# as root, so that we can test this module without rebooting.
domain_trans(unconfined_t,mount_exec_t,mount_t)
Comment 9 Stephanos Manos 2007-02-06 14:47:58 EST
Thanks for the info and the fix

Tested and works. No messages on startup or shutdown and no setroubleshoot alerts.

But i would like a comment from Daniel.
Comment 10 Stephanos Manos 2007-02-06 16:02:23 EST
Correction
It fixes the problem with ntfs-3g but introduces (at least for me) a problem
with operations to a nfsv4 mount drive (copying stalls for ever using cli, mc,
gnome-commander and when killed leaves open pending transactions that prevent
the  unmount of the nfs share) and probably other problems.
Unloading and removing the policy fixed the problem i had with the nfs mount.
Comment 11 Daniel Walsh 2007-02-08 09:28:56 EST
I have been waiting on these bugs until, I clean up some lots of other bugs.  I
believe we need a policy for fusermount, that is different from mount.  Also
their  either needs to be some kernel changes or changes to the ntfs-3g module
to understand SELinux, since an unlabeled_t file system should not exist. 
Everything in the kernel needs to be labeled.
Comment 12 Szabolcs Szakacsits 2007-02-08 09:59:01 EST
> I have been waiting on these bugs until, I clean up some lots of other bugs.

Thank you it's not fogotten. The SELinux problems are extremely popular and
the feedbacks are quite confusing when SELinux works properly and when it
doesn't.

> I believe we need a policy for fusermount, that is different from mount.
> Also their either needs to be some kernel changes

In SELinux or FUSE or somewhere else?

> or changes to the ntfs-3g module to understand SELinux,

What do you mean by "module"? The ntfs-3g software? What changes are needed?
I believed it's a 100% SELinux problem. How would this solve the problem
SELinux denying fusermount operations?

> since an unlabeled_t file system should not exist.  Everything in the
> kernel needs to be labeled.

So the problem is that the fuse and fuseblk file system types aren't
labeled? Do you have examples how this is supposed to be done? Thanks.
Comment 13 Eric Paris 2007-02-14 10:35:58 EST
Dan, is there a genfs statement for ntfs-3g?  That would probably take care of this.
Comment 14 Daniel Walsh 2007-02-14 15:13:13 EST
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)

Is in the policy now.
Comment 15 Dawid Gajownik 2007-03-16 04:52:42 EDT
(In reply to comment #14)
> genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
> 
> Is in the policy now.

This will not work, because mount says that it is fuse filesystem:

[gajownik@zuzia ~]$ mount
[snip]
/dev/hda1 on /mnt/win type fuse (rw,nosuid,nodev,noatime,allow_other)
[gajownik@zuzia ~]$

I've got in fstab this line:
/dev/hda1        /mnt/win   ntfs-3g defaults,noauto        0 0

As you can see, SELinix does not check what is in fstab. Adding this line to the
policy file resolves the problem:

genfscon fuse / gen_context(system_u:object_r:dosfs_t,s0)

Unfortunately, I presume that this is not acceptable, because other fuse
filesystems may work better with other context. You should ask fuse/fuse
filesystem maintainers.
Comment 16 Szabolcs Szakacsits 2007-03-16 06:41:30 EDT
Depending on the kernel version and other issues, mount(8) can report the file
system type (fstype) to be: fuse, fuseblk, fuse.ntfs-3g and fuseblk.ntfs-3g. 

The 'ntfs-3g' sub part of the fstype should stay in the future but it's not
available yet in stable Linux kernels, only in Linus' development tree. This
FUSE feature was added recently to help the identification of the user space
fstype by e.g. mount helpers and make its detection independent of FUSE's
internal evolution, e.g. the introduction of the new, additional fuseblk FUSE
fstype which was required for safe block devices support.
Comment 17 Jochen Schmitt 2007-03-19 13:14:17 EDT
Created attachment 150395 [details]
Patch for use ntfs-3g with the SELinux reference policy

I have create a patch, which should the SELinux issue of ntfs-3g.
Comment 18 Daniel Walsh 2007-03-20 19:00:10 EDT
I have just put out a policy to handle this in Rawhide for FC7.  Once it gets a
few days of testing and I am convinced it will cause no other problems, I will
back port it to FC6.
Comment 19 Szabolcs Szakacsits 2007-03-25 19:15:29 EDT
Daniel: does the new policy expect ntfs-3g to use exec() instead of system() or
not? Will it work with any of the fuse, fuseblk, fuse.ntfs-3g and
fuseblk.ntfs-3g file system types?
Comment 20 Daniel Walsh 2007-03-26 14:02:51 EDT
From an selinux point of view exec and system are the same.  You are executing a
new processes.

As far as fuse* file types, I do not know, from a mount command point of view do
you say something like mount -t fuseblk /dev/xyz /mnt/ntfs?
Comment 21 Szabolcs Szakacsits 2007-03-26 17:56:34 EDT
The syntax is always 'mount -t ntfs-3g device mountpoint'. But FUSE can register
the filesystem type to be any of the fuse* types and mount, df -T, /etc/mtab,
etc all will report that value.
Comment 22 drago01 2007-04-02 15:49:58 EDT
(In reply to comment #18)
> I have just put out a policy to handle this in Rawhide for FC7.  Once it gets a
> few days of testing and I am convinced it will cause no other problems, I will
> back port it to FC6.

any update on this?
I tested ntfs-3g and it only works when I disable selinux which I don't want to
do... can you atleast put the fix into updates-testing?
Comment 23 Daniel Walsh 2007-04-02 15:54:35 EDT
Fixed in selinux-policy-2.4.6-49 

Should be in updates-testing tonight.
Comment 24 drago01 2007-04-03 14:07:25 EDT
(In reply to comment #23)
> Fixed in selinux-policy-2.4.6-49 
> 
> Should be in updates-testing tonight.

still nothing here... and no anouncment on fedora-test-list...
Comment 25 Stephanos Manos 2007-04-04 19:34:33 EDT
Fixed in rawhide with selinux-policy-2.5.11-2.fc7
Comment 26 drago01 2007-04-05 04:34:12 EDT
(In reply to comment #23)
> Fixed in selinux-policy-2.4.6-49 
> 
> Should be in updates-testing tonight.

works fine for me; also other fuse filesystems are now labled.
Comment 27 Heiko Adams 2007-04-09 06:24:40 EDT
works fine here too :-)
Comment 28 Daniel Walsh 2007-04-11 13:57:53 EDT
*** Bug 220908 has been marked as a duplicate of this bug. ***
Comment 29 Need Real Name 2007-04-13 04:10:36 EDT
I was the filer of Bug 220908 and am trying to figure out if I am having the
same problems as here.

Originally, my problem was that ntfs-3g filesystems were mounted as
'unlabeled_t' which made it impossible for me to copy/move files between normal
linux file systems and ntfs-3g volumes. I never had any problem with
mounting/umounting.

The latest updates to selinux-policy-targeted have fixed the unlabeled problem,
but now all my ntfs-3g volumes show up as 'fusefs_t' and the policy *still*
doesn't allow me to copy/mv between linux and ntfs-3g volumes.

So,
1. Are other people having the same problem or is my issue different?
2. What is the best way to solve this?
   - Use the mount option to assign a default label such as dosfs_t to ntfs-3g
filesystems so that they can interoperate with linux filesystems
   - Change the default policy to enable cp/mv to fusefs_t filesystems?
   - Modify ntfs-3g/fuse/selinux so that ntfs-3g volumes get mounted by default
with a compatible labeling?
   - Something else?

Thanks
Comment 30 Szabolcs Szakacsits 2007-04-13 07:09:58 EDT
Jeff: ntfs-3g development have never heard SELinux related copy/move problem.
The mount/umount one was __FAR__ one of the top issues since October but people
are keep reporting (quite many already) only success with the latest
selinux-policy. Could it be that you have a local selinux configuration issue?
Comment 31 Need Real Name 2007-04-13 10:19:11 EDT
I have a stock selinux 'targeted' policy configuration.

My problem seems to be only with 'mv' -- doing a 'cp' and or 'rm' has no issues.

Again, this is specifically how I create my problem:

mount -t ntsfs-3g /dev/hda1 /mnt/winXP [no problem]
touch ~/crapola [no problem]

cp ~/crapola  /mnt/winxpA [no problem]
cp /mnt/winxpA/crapola ~/ [no problem]

mv /mnt/winxpA/crapola ~/
avc:  denied  { associate } for  pid=22533 comm="mv" name="crapola"
scontext=system_u:object_r:fusefs_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=filesystem

mv ~/crapola /mnt/winxpA
avc:  denied  { associate } for  pid=22529 comm="mv" name="crapola"
scontext=user_u:object_r:user_home_t:s0 tcontext=system_u:object_r:fusefs_t:s0
tclass=filesystem

rm ~/crapola /mnt/winxpA [no problem]
rm ~/crapola [no problem]

Of course everything works with selinux permissive or if I use audit2allow to
enable the relevant operations. I also don't have selinux issues mv'ing 

This seems to me to be as basic as it gets so I am not sure then why I get these
issues and others don't. Also, it's not clear to me why the problem is with 'mv'
but not with 'cp' or 'rm'.

Any suggestions on how to diagnose this and determine if this is a really bug or
just something weird with my configuration?


Comment 32 Need Real Name 2007-04-13 10:22:48 EDT
Also, can you verify what is the default labeling when you do something like:
mount -t ntfs-3g /dev/hda1 /mnt/winXP

I get:

ls -Zd /mnt/winXP
drwxrwxrwx  root root system_u:object_r:fusefs_t       /mnt/winXP
Comment 33 Daniel Walsh 2007-04-13 11:29:00 EDT
Fixed in selinux-policy-2_4_6-57_el5
Comment 34 Need Real Name 2007-04-20 00:01:37 EDT
Yippee! Finally all fixed for me. Not sure though why I seemed to be the only
one seeing these problems though...

Note You need to log in before you can comment on or make changes to this bug.