Bug 249943 - SELinux is preventing /sbin/mount.ntfs-3g (mount_ntfs_t) "search" to media (mnt_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: i386 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-07-28 06:56 EDT by Rogue
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-17 06:15:25 EDT
Attachments:
Policy module for ntfs-3g (936 bytes, application/octet-stream), 2007-08-04 06:11 EDT, Mariusz Wasiluk

Description Rogue 2007-07-28 06:56:05 EDT
Description of problem:
NTFS-3G does not automount externally plugged USB hard drives

Version-Release number of selected component (if applicable):
Please see the additional information

How reproducible:
All the time

Steps to Reproduce:
1. Plug in a hard drive that has an NTFS partition
  
Actual results:
AVC denial attack

Expected results:
The hard drive should get automounted.

Additional info:

Summary
    SELinux is preventing /sbin/mount.ntfs-3g (mount_ntfs_t) "search" to media
(mnt_t).

Detailed Description
    SELinux denied access requested by /sbin/mount.ntfs-3g. It is not expected
    that this access is required by /sbin/mount.ntfs-3g and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for media, restorecon -v media If
    this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:mount_ntfs_t
Target Context                system_u:object_r:mnt_t
Target Objects                media [ dir ]
Affected RPM Packages         ntfs-3g-1.710-1.fc7
                              [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-28.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     Xymnotune
Platform                      Linux Xymnotune 2.6.22.1-33.fc7 #1 SMP Mon Jul 23
                              17:33:07 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Fri 27 Jul 2007 04:17:22 AM IST
Last Seen                     Sat 28 Jul 2007 04:16:36 PM IST
Local ID                      527ac7bf-3d02-4c77-8baf-64d36a22f924
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="mount.ntfs-3g" dev=sda3 egid=0 euid=0
exe="/sbin/mount.ntfs-3g" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="media"
pid=4457 scontext=system_u:system_r:mount_ntfs_t:s0 sgid=0
subj=system_u:system_r:mount_ntfs_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:mnt_t:s0 tty=(none) uid=0
Comment 1 Rahul Sundaram 2007-07-28 07:08:51 EDT
SELinux policies are maintained centrally in selinux targeted policy usually.
Reassigning. Thanks for the report. 
Comment 2 Antti Huhtala 2007-07-28 12:31:52 EDT
(In reply to comment #0)
> 
> NTFS-3G does not automount externally plugged USB hard drives
> 
Since July 25th neither do my hard disk ntfs partitions automount in my x86_64
system although the day before they did.
The problem seems to stem from selinux operation in my case, too. From dmesg:

audit(1185638284.909:4): avc:  denied  { search } for  pid=1426
comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=4489217
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=dir
audit(1185638285.006:5): avc:  denied  { search } for  pid=1434
comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=4489217
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=dir

From yum.log: 
Jul 25 09:54:49 Updated: selinux-policy.noarch 2.6.4-28.fc7
<snip>
Jul 25 09:59:50 Updated: selinux-policy-targeted.noarch 2.6.4-28.fc7

I guess one or both of these files contain the explanation.
Comment 3 Claude Jones 2007-07-29 09:20:19 EDT
I am also experiencing the problem. Manual mount works. I tried relabeling, but
that didn't fix the issue. 
Comment 4 Daniel Walsh 2007-07-30 09:39:24 EDT
Fixed in selinux-policy-2.6.4-30.fc7
Comment 5 Claude Jones 2007-08-01 01:09:30 EDT
(In reply to comment #4)
> Fixed in selinux-policy-2.6.4-30.fc7

I installed the above from testing tonight, but, I'm still getting the same
errors. There were errors trying to mount during reboot, and when the system
came up, clicking on my NTFS partition icon on the desktop gave me a permission
denied error. Manually mounting from root did work. At least for me, it's still
not fixed.
Comment 6 Claude Jones 2007-08-01 01:12:26 EDT
(In reply to comment #5)
> (In reply to comment #4)
> > Fixed in selinux-policy-2.6.4-30.fc7
> 
> I installed the above from testing tonight, but, I'm still getting the same
> errors. There were errors trying to mount during reboot, and when the system
> came up, clicking on my NTFS partition icon on the desktop gave me a permission
> denied error. Manually mounting from root did work. At least for me, it's still
> not fixed.

just to add:
# rpm -qa | grep selinux
libselinux-2.0.14-4.fc7
selinux-policy-targeted-2.6.4-30.fc7
selinux-policy-2.6.4-30.fc7
libselinux-python-2.0.14-4.fc7
Comment 7 Antti Huhtala 2007-08-01 04:57:40 EDT
Today pup offered me 12 updates including the following:

Aug 01 08:15:01 Installed: checkpolicy.x86_64 2.0.3-1.fc7
Aug 01 08:15:12 Updated: policycoreutils.x86_64 2.0.16-11.fc7
Aug 01 08:15:20 Updated: selinux-policy.noarch 2.6.4-29.fc7
Aug 01 08:16:34 Updated: autofs.x86_64 5.0.1-23
Aug 01 08:17:02 Updated: selinux-policy-targeted.noarch 2.6.4-29.fc7

I don't know about selinux-policy-2.6.4-30.fc7 because it hasn't been on offer
to me yet but I can confirm that selinux-policy.noarch 2.6.4-29.fc7 did not help
in automounting my NTFS partitions. NTFS Configuration Tool still works with no
objections, however.
Comment 8 Ian Malone 2007-08-01 14:20:31 EDT
Automount still broken here too (selinux enforcing, policy targeted):

[ian@prometheus ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-30.fc7
[ian@prometheus ~]$ rpm -q selinux-policy
selinux-policy-2.6.4-30.fc7
[ian@prometheus ~]$ dmesg|grep ntfs
audit(1185991690.781:4): avc:  denied  { write } for  pid=1569
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
audit(1185991690.862:5): avc:  denied  { write } for  pid=1571
comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905
scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
Comment 9 Ingemar Nilsson 2007-08-03 09:17:31 EDT
I can also confirm that automounting of NTFS partitions still doesn't work. I got
the selinux-policy-targeted-2.6.4-30.fc7 in today's batch of updates, and I
rebooted to see if it fixed the problem, which it didn't.
Comment 10 Stefan Zakarias 2007-08-03 23:55:27 EDT
I'll also add to the growing "confirm same problem" list...

selinux-policy-targeted-2.6.4-30.fc7
selinux-policy-2.6.4-30.fc7
ntfs-3g-1.710-1.fc7
fuse-2.7.0-3.fc7
kernel-2.6.22.1-41.fc7

Pretty much the same as Ian Malone describes in dmesg|grep ntfs.
Comment 11 Antti Huhtala 2007-08-04 03:41:43 EDT
Now that I've also got 2.6.4-30.fc7 versions of selinux-policy and
selinux-policy-targeted, 'avc: denied { search }' has changed to 'avc: denied {
write }' and 'name="mnt"' has changed to 'name="tmp"'. Otherwise I don't see any
essential changes... still no automount of NTFS partitions.
Comment 12 Mariusz Wasiluk 2007-08-04 06:11:09 EDT
Created attachment 160691
Policy module for ntfs-3g

allow mount_ntfs_t tmp_t:dir { write add_name create remove_name };
Comment 13 Mariusz Wasiluk 2007-08-04 06:12:07 EDT
I have written a policy TE file for ntfs-3g:

[~]# cat ntfs3g.te 
module ntfs3g 1.0.0;

require {
        type mount_ntfs_t;
        type tmp_t;
        class dir { write add_name create remove_name };
}

#============= mount_ntfs_t ==============
allow mount_ntfs_t tmp_t:dir { write add_name create remove_name };

Then generated policy module ntfs3g.pp (should be added in attachment).

To load this module, as root, type:
semodule -i ntfs3g.pp

If "search" is needed, it should be added to the lists in brackets in the
ntfs3g.te file. Then generate the policy module following
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 and load it.

I hope it helps...
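
Added example (not part of any comment in this bug, and not the policy maintainers' code): a small Python check that compares the allow rule from comment 13 with the AVC denials quoted in this report, showing which permissions the local module grants beyond what the logs recorded and which logged denials it does not address. The function names are illustrative; the sample records are copied from the report, the third one abridged.

```python
import re
from collections import defaultdict

# AVC records from this bug, re-joined onto one line each: comment 2 (policy -28),
# comment 8 (policy -30), and the description's record abridged (other field order).
SAMPLE_AVC = [
    'audit(1185638284.909:4): avc:  denied  { search } for  pid=1426 comm="mount.ntfs-3g" name="mnt" dev=dm-0 ino=4489217 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'audit(1185991690.781:4): avc:  denied  { write } for  pid=1569 comm="mount.ntfs-3g" name="tmp" dev=dm-0 ino=507905 scontext=system_u:system_r:mount_ntfs_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'avc: denied { search } for comm="mount.ntfs-3g" dev=sda3 name="media" pid=4457 scontext=system_u:system_r:mount_ntfs_t:s0 tclass=dir tcontext=system_u:object_r:mnt_t:s0',
]
# The allow rule from the module posted in comment 13.
MODULE_RULE = "allow mount_ntfs_t tmp_t:dir { write add_name create remove_name };"

def field(name, line):
    """Return the value of a name=value audit field, or None if absent."""
    m = re.search(r"\b%s=(\S+)" % name, line)
    return m.group(1) if m else None

def denied_perms(lines):
    """Map (source type, target type, class) -> set of permissions denied in the log."""
    seen = defaultdict(set)
    for line in lines:
        perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
        scon, tcon, tclass = (field(n, line) for n in ("scontext", "tcontext", "tclass"))
        if perms and scon and tcon and tclass:
            # The type is the third field of user:role:type[:level].
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            seen[key].update(perms.group(1).split())
    return dict(seen)

def parse_allow(rule):
    """Parse one TE allow rule into ((source, target, class), set of permissions)."""
    m = re.search(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    src, tgt, tclass, braced, single = m.groups()
    return (src, tgt, tclass), set((braced or single).split())

def review(rule, lines):
    """Return (perms the rule grants that were never denied, denials it leaves uncovered)."""
    key, granted = parse_allow(rule)
    uncovered = {}
    denied = denied_perms(lines)
    for k, perms in denied.items():
        missing = perms - (granted if k == key else set())
        if missing:
            uncovered[k] = missing
    return sorted(granted - denied.get(key, set())), uncovered

if __name__ == "__main__":
    extra, uncovered = review(MODULE_RULE, SAMPLE_AVC)
    print("granted but not seen in any denial:", extra)
    print("denied and not covered by the rule:", uncovered)
```

In enforcing mode a denied operation stops at the failed check, so permissions needed later in the same operation may never reach the log; the first list marks what to justify before loading a local module, not what is necessarily wrong.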
Comment 14 Stefan Zakarias 2007-08-04 13:54:58 EDT
(In reply to comment #13)
> I have written a policy TE file for ntfs-3g:
> I hope it help...

Thank you! It works on my rig :)
Comment 15 Landon Kelsey 2007-08-04 15:34:56 EDT
problem with "fixes" is that they are non-standard and can cause conflict 
later when the true solution unwinds.

Also, from the viewpoint of newbies, they will not perform your fix.

Who wants to be a SELINUX technician?

FC7 will be judged swiftly!
Comment 16 Daniel Walsh 2007-08-06 18:59:05 EDT
Fixed in selinux-policy 2.6.4-33.fc7
Comment 17 Antti Huhtala 2007-08-09 06:42:39 EDT
(In reply to comment #16)
> Fixed in selinux-policy 2.6.4-33.fc7

Today's updates including selinux-policy 2.6.4-33.fc7 packages did indeed fix
NTFS  partitions' automount in my x86_64 desktop. Thanks!
Comment 18 Ingemar Nilsson 2007-08-17 05:52:18 EDT
I can also confirm that this update fixed the problem for me.
