Bug 249695 - new ntfs-3g fails to mount due to selinux avcs
Summary: new ntfs-3g fails to mount due to selinux avcs
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
: 249835 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2007-07-26 14:37 UTC by drago01
Modified: 2007-11-30 22:12 UTC (History)
2 users (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-09-12 17:07:54 UTC

Attachments (Terms of Use)
fix up ntfs selinux policy (1.90 KB, patch)
2007-07-30 17:44 UTC, Tom "spot" Callaway
no flags Details | Diff
denied messages from log (31.46 KB, text/plain)
2007-07-31 18:54 UTC, Harald
no flags Details

Description drago01 2007-07-26 14:37:03 UTC
Description of problem:
After the ntfs-3g update to ntfs-3g-1.710-1.fc7 and fuse-2.7.0-3.fc7 my ntfs
partition is no longer mounted at boot.

Looking a dmesg I found this avc:
audit(1185459507.421:5): avc:  denied  { search } for  pid=1483
comm="mount.ntfs" name="mnt" dev=sda2 ino=3997697
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0

Version-Release number of selected component (if applicable):

Additional info:

audit2allow -d:
#============= mount_ntfs_t ==============
allow mount_ntfs_t mnt_t:dir search;

Comment 1 Daniel Walsh 2007-07-26 17:17:12 UTC
Fixed in selinux-policy-targeted-2.6.4-30.fc7

Comment 2 drago01 2007-07-26 19:09:51 UTC
thx, this was fast.
when will you push this to updates(-testing?)

Comment 3 drago01 2007-07-29 09:58:44 UTC
can't even find it in cvs (only -29) ...

Comment 4 Harald 2007-07-29 14:45:59 UTC
Please also consider that the issue is not restricted to FC7 but also occurs on
FC6, anyway i was able to get a workaround running.

bug #249835 seems to handle the exact same issue, but i might have missed something.

Comment 5 Tom "spot" Callaway 2007-07-30 17:44:33 UTC
Created attachment 160257 [details]
fix up ntfs selinux policy

This patch alters the selinux policy so that ntfs-3g partitions properly
automount on systems with selinux=enabled.

Dan might be able to clean it up a bit, but I can confirm that it resolves this
bug and 249835 on F-7.

Comment 6 Tom "spot" Callaway 2007-07-30 17:45:37 UTC
*** Bug 249835 has been marked as a duplicate of this bug. ***

Comment 7 Harald 2007-07-31 18:54:47 UTC
Created attachment 160350 [details]
denied messages from log

Just in case that the messages i used to create the policy file are still of
interest. Daniel ask for them in bug #249835.

Comment 8 drago01 2007-08-01 14:37:57 UTC
(In reply to comment #1)
> Fixed in selinux-policy-targeted-2.6.4-30.fc7

compiled it from cvs and it seems that it still does not solve the problem... 
I get a different avc now:
audit(1185978767.311:4): avc:  denied  { write } for  pid=1478 comm="mount.ntfs"
name="tmp" dev=sda2 ino=1409025 scontext=system_u:system_r:mount_ntfs_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Comment 9 Ian Malone 2007-08-03 09:55:33 UTC
Originally added this to bug 249943, but seems more
relevant to this one.

[ian@prometheus ~]$ rpm -q selinux-policy-targeted
[ian@prometheus ~]$ rpm -q selinux-policy
[ian@prometheus ~]$ dmesg|grep ntfs
audit(1185991690.781:4): avc:  denied  { write } for  pid=1569
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
audit(1185991690.862:5): avc:  denied  { write } for  pid=1571
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0

Comment 10 drago01 2007-08-06 22:37:42 UTC
it works for me with selinux-policy-2.6.4-33.fc7

Comment 11 Daniel Walsh 2007-09-12 17:07:54 UTC
Moving modified bugs to closed

Comment 12 Alexei Podtelezhnikov 2007-09-15 23:33:09 UTC
don't forget FC6, please.

Comment 13 Daniel Walsh 2007-09-18 13:18:01 UTC
Try selinux-policy-2.4.6-88.fc6

Comment 14 Alexei Podtelezhnikov 2007-09-19 23:51:48 UTC
Ehh. selinux-policy-2.4.6-88.fc6 is not good.
First, it fails in post-install phase like this:
libsepol.context_from_record: type httpd_nagios_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert 
system_u:object_r:httpd_nagios_script_exec_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts:  line 270 has invalid 
context system_u:object_r:httpd_nagios_script_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Second, with enforced policy it is still denying ntfs-3g

 Sep 19 19:10:43 localhost kernel: audit(1190243431.707:4): avc:  denied  { 
search } for  pid=1739 comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=11632641 
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 

Note You need to log in before you can comment on or make changes to this bug.