Description of problem: After the ntfs-3g update to ntfs-3g-1.710-1.fc7 and fuse-2.7.0-3.fc7 my ntfs partition is no longer mounted at boot. Looking a dmesg I found this avc: audit(1185459507.421:5): avc: denied { search } for pid=1483 comm="mount.ntfs" name="mnt" dev=sda2 ino=3997697 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir Version-Release number of selected component (if applicable): selinux-policy-targeted-2.6.4-28.fc7 Additional info: audit2allow -d: #============= mount_ntfs_t ============== allow mount_ntfs_t mnt_t:dir search;
Fixed in selinux-policy-targeted-2.6.4-30.fc7
thx, this was fast. when will you push this to updates(-testing?)
can't even find it in cvs (only -29) ...
Please also consider that the issue is not restricted to FC7 but also occurs on FC6, anyway i was able to get a workaround running. bug #249835 seems to handle the exact same issue, but i might have missed something.
Created attachment 160257 [details] fix up ntfs selinux policy This patch alters the selinux policy so that ntfs-3g partitions properly automount on systems with selinux=enabled. Dan might be able to clean it up a bit, but I can confirm that it resolves this bug and 249835 on F-7.
*** Bug 249835 has been marked as a duplicate of this bug. ***
Created attachment 160350 [details] denied messages from log Just in case that the messages i used to create the policy file are still of interest. Daniel ask for them in bug #249835.
(In reply to comment #1) > Fixed in selinux-policy-targeted-2.6.4-30.fc7 compiled it from cvs and it seems that it still does not solve the problem... I get a different avc now: audit(1185978767.311:4): avc: denied { write } for pid=1478 comm="mount.ntfs" name="tmp" dev=sda2 ino=1409025 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Originally added this to bug 249943, but seems more relevant to this one. [ian@prometheus ~]$ rpm -q selinux-policy-targeted selinux-policy-targeted-2.6.4-30.fc7 [ian@prometheus ~]$ rpm -q selinux-policy selinux-policy-2.6.4-30.fc7 [ian@prometheus ~]$ dmesg|grep ntfs audit(1185991690.781:4): avc: denied { write } for pid=1569 comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir audit(1185991690.862:5): avc: denied { write } for pid=1571 comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
it works for me with selinux-policy-2.6.4-33.fc7
Moving modified bugs to closed
don't forget FC6, please.
Try selinux-policy-2.4.6-88.fc6
Ehh. selinux-policy-2.4.6-88.fc6 is not good. First, it fails in post-install phase like this: libsepol.context_from_record: type httpd_nagios_script_exec_t is not defined libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_nagios_script_exec_t:s0 to sid /etc/selinux/targeted/contexts/files/file_contexts: line 270 has invalid context system_u:object_r:httpd_nagios_script_exec_t:s0 libsemanage.semanage_install_active: setfiles returned error code 1. semodule: Failed! Second, with enforced policy it is still denying ntfs-3g Sep 19 19:10:43 localhost kernel: audit(1190243431.707:4): avc: denied { search } for pid=1739 comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=11632641 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir