This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 235145 - fuse changes security context of /etc/mtab
fuse changes security context of /etc/mtab
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: fuse (Show other bugs)
6
All Linux
medium Severity high
: ---
: ---
Assigned To: Peter Lemenkov
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-03 19:11 EDT by Yves Perrenoud
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-05 17:26:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Yves Perrenoud 2007-04-03 19:11:55 EDT
+++ This bug was initially created as a clone of Bug #188561 +++

Description of problem:
fuse changes security context of /etc/mtab when it mounts or umounts.
which results in 
audit(1144746982.448:5): avc:  denied  { write } for  pid=3273 comm="mount"
name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
when I try to unmount/mount a usb pen drive.
and I also gets tons of avcs during shutdown.

Version-Release number of selected component (if applicable):
fuse-2.5.2-4.fc5

How reproducible:
always!

Steps to Reproduce:
1. mount anything using fuse (sshfs)
2. umount it,mount a usb pen drive
3. notice avcs
4. shutdown notice tons of avcs.
  
Actual results:
audit(1144746982.448:5): avc:  denied  { write } for  pid=3273 comm="mount"
name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
and no mtab entry for new mounted devices.

Expected results:

it should not change the file context

Additional info:
selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5

-- Additional comment from yves-redhat@xpand.org on 2006-07-27 13:49 EST --
I found the problem, fixed it and sent a patch upstream to the fuse-devel
mailing list. fusermount was re-creating /etc/mtab on unmount, but it wasn't
restoring the security context of the old file it was replacing.

-- Additional comment from drago01@gmail.com on 2007-02-09 06:03 EST --
I can confirm that its fixed ;)

-- Additional comment from yves-redhat@xpand.org on 2007-03-26 07:14 EST --
This problem isn't fixed in packages in Extras for FC5 and FC6. Indeed the patch
I submitted upstream has made it into the source used to build the packages, but
the fusermount binary in the rpms built for the Extras repositories, doesn't
contain the fix. The only explanation for that is that the build environment
doesn't include the libselinux and libselinux-devel packages. Hence the
fusermount binary never includes the selinux specific code.

If I rebuild the src rpm as-is, I obtain a fusermount binary that includes the
code and hence solves the problem.

I suggest adding the following to the spec file:

BuildRequires: libselinux, libselinux-devel

This should definitely ensure the problem is solved.
Comment 1 Peter Lemenkov 2007-04-04 00:21:55 EDT
Hmmm.
Could you check whether it works if we BR only libselinux-devel? Or its
necessary to BR both libselinux and libselinux-devel?
Comment 2 Yves Perrenoud 2007-05-31 03:03:51 EDT
What triggers the inclusion of the selinux code in fusermount is based on the
results of an AC_CHECK_LIB (for libselinux) I added to configure.in. The way
configure checks for the presents of the library is by compiling a snippet of
test code using a "-l<lib>". Hence gcc must be only looking for libselinux.a as
there's no attempt to actually execute the code. Thus I'm fairly confident that
only including "libselinux-devel" in the BuildRequires should do the job.
Comment 3 Peter Lemenkov 2007-06-05 17:26:29 EDT
OK, added.
Let's wait next version.

Note You need to log in before you can comment on or make changes to this bug.