Bug 249695 - new ntfs-3g fails to mount due to selinux avcs
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Duplicates: 249835
Reported: 2007-07-26 10:37 EDT by drago01
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 13:07:54 EDT


Attachments
fix up ntfs selinux policy (1.90 KB, patch), 2007-07-30 13:44 EDT, Tom "spot" Callaway
denied messages from log (31.46 KB, text/plain), 2007-07-31 14:54 EDT, Harald

Description drago01 2007-07-26 10:37:03 EDT
Description of problem:
After the ntfs-3g update to ntfs-3g-1.710-1.fc7 and fuse-2.7.0-3.fc7 my ntfs
partition is no longer mounted at boot.

Looking at dmesg I found this avc:
audit(1185459507.421:5): avc:  denied  { search } for  pid=1483
comm="mount.ntfs" name="mnt" dev=sda2 ino=3997697
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-28.fc7

Additional info:

audit2allow -d:
#============= mount_ntfs_t ==============
allow mount_ntfs_t mnt_t:dir search;
Comment 1 Daniel Walsh 2007-07-26 13:17:12 EDT
Fixed in selinux-policy-targeted-2.6.4-30.fc7
Comment 2 drago01 2007-07-26 15:09:51 EDT
thx, this was fast.
when will you push this to updates(-testing?)
Comment 3 drago01 2007-07-29 05:58:44 EDT
can't even find it in cvs (only -29) ...
Comment 4 Harald 2007-07-29 10:45:59 EDT
Please also consider that the issue is not restricted to FC7 but also occurs on
FC6; anyway, I was able to get a workaround running.

bug #249835 seems to handle the exact same issue, but I might have missed something.
Comment 5 Tom "spot" Callaway 2007-07-30 13:44:33 EDT
Created attachment 160257
fix up ntfs selinux policy

This patch alters the selinux policy so that ntfs-3g partitions properly
automount on systems with selinux=enabled.

Dan might be able to clean it up a bit, but I can confirm that it resolves this
bug and 249835 on F-7.
Comment 6 Tom "spot" Callaway 2007-07-30 13:45:37 EDT
*** Bug 249835 has been marked as a duplicate of this bug. ***
Comment 7 Harald 2007-07-31 14:54:47 EDT
Created attachment 160350
denied messages from log

Just in case the messages I used to create the policy file are still of
interest. Daniel asked for them in bug #249835.
Comment 8 drago01 2007-08-01 10:37:57 EDT
(In reply to comment #1)
> Fixed in selinux-policy-targeted-2.6.4-30.fc7

compiled it from cvs and it seems that it still does not solve the problem... 
I get a different avc now:
audit(1185978767.311:4): avc:  denied  { write } for  pid=1478 comm="mount.ntfs"
name="tmp" dev=sda2 ino=1409025 scontext=system_u:system_r:mount_ntfs_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Comment 9 Ian Malone 2007-08-03 05:55:33 EDT
Originally added this to bug 249943, but seems more
relevant to this one.

[ian@prometheus ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-30.fc7
[ian@prometheus ~]$ rpm -q selinux-policy
selinux-policy-2.6.4-30.fc7
[ian@prometheus ~]$ dmesg|grep ntfs
audit(1185991690.781:4): avc:  denied  { write } for  pid=1569
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
audit(1185991690.862:5): avc:  denied  { write } for  pid=1571
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
Comment 10 drago01 2007-08-06 18:37:42 EDT
it works for me with selinux-policy-2.6.4-33.fc7
Comment 11 Daniel Walsh 2007-09-12 13:07:54 EDT
Moving modified bugs to closed
Comment 12 Alexei Podtelezhnikov 2007-09-15 19:33:09 EDT
don't forget FC6, please.
Comment 13 Daniel Walsh 2007-09-18 09:18:01 EDT
Try selinux-policy-2.4.6-88.fc6
Comment 14 Alexei Podtelezhnikov 2007-09-19 19:51:48 EDT
Ehh. selinux-policy-2.4.6-88.fc6 is not good.
First, it fails in post-install phase like this:
 
libsepol.context_from_record: type httpd_nagios_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert 
system_u:object_r:httpd_nagios_script_exec_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts:  line 270 has invalid 
context system_u:object_r:httpd_nagios_script_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Second, with enforced policy it is still denying ntfs-3g

 Sep 19 19:10:43 localhost kernel: audit(1190243431.707:4): avc:  denied  { 
search } for  pid=1739 comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=11632641 
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 
tclass=dir
