Bug 280341 - Can not use fuse in autofs scripts
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
medium Severity low
Assigned To: David Anderson
Fedora Extras Quality Assurance
Depends On:
Reported: 2007-09-06 07:57 EDT by Bill C. Riemers
Modified: 2008-01-30 14:20 EST
2 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:20:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments

  None
Description Bill C. Riemers 2007-09-06 07:57:29 EDT
Description of problem:

I want to automount curlftpfs filesystems using autofs.  The problem is selinux
does not allow scripts called from autofs to access /dev/fuse.  I do not really
understand why.

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. Install the specified autofs scripts below
2. As root "chmod 755 /etc/auto.ftp"
3. As root "service autofs restart"
4. Run the command "ls /ftp/sunsite.unc.edu"
Actual results:

No directory is mounted.  An selinux error is logged in the audit.log.

Expected results:

The directory should be mounted with no error.

Additional info:

audit2allow generated the following module for me, but I can not get it to work.

[root@hartnell tmp]# cat local2007090602.te
module local2007090602 1.0;

require {
        type automount_t;
        type fixed_disk_device_t;
        class chr_file { read write };
}

#============= automount_t ==============
allow automount_t fixed_disk_device_t:chr_file { read write };
[root@hartnell tmp]# checkmodule -M -m -o local2007090602.mod local2007090602.te
checkmodule:  loading policy configuration from local2007090602.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to local2007090602.mod
[root@hartnell tmp]# semodule_package -o local2007090602.pp -m local2007090602.mod
[root@hartnell tmp]# semodule -v -i local2007090602.pp
Attempting to install module 'local2007090602.pp':
Ok: return value of 0.
Committing changes:
libsepol.check_assertion_helper: assertion on line 0 violated by allow automount_t fixed_disk_device_t:chr_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow automount_t fixed_disk_device_t:chr_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

The following are the autofs files I am using:

[root@hartnell tmp]# grep -v ^# /etc/auto.master
/misc   /etc/auto.misc
/net    -hosts
/ftp    /etc/auto.ftp
/autohome       /etc/auto.home
[root@hartnell tmp]# cat /etc/auto.ftp
(
if [ ! -d $p ]
then
  mkdir -p $p
fi
curlftpfs -o allow_other,fsname=$key ftp://$key $p || rmdir $p
) 1>&2
Comment 1 Bill C. Riemers 2007-09-06 08:01:54 EDT
Note: I notice malicious path names could cause problems with my script.  So I
revised it to add quotes around the variables.
Comment 2 Daniel Walsh 2007-09-06 10:24:17 EDT
I do not know that much about curlftpfs.  But I think it needs to be able to set
a file context on the mounted file system, or add xattr support.  

allow automount_t fixed_disk_device_t:chr_file { read write };

This would be a very bad idea, since it allows automount to write to any disk on
the machine.

So curlftpfs needs to work better with selinux, either allowing the user to
specify a default context for the mounted file system, like mount does, or
support xattrs which we can assign context to.
Comment 3 David Anderson 2007-09-06 10:50:37 EDT
Dan, I don't understand your suggestion... curlftpfs, as the name suggests, 
accesses an FTP server and mounts it into the filesystem. FTP doesn't support 
xattrs, period ... to get xattrs you'd have to modify FTP at a protocol level, 
wouldn't you?

Secondly - isn't this a generic problem with fuse rather than something 
specific to curlftpfs? I think that all the components that would do the low 
level stuff would be in fuse - I'm no expert though (I'm just the packager!).
Comment 4 Eric Paris 2007-09-06 10:54:35 EDT
I think we can pretty much rule out xattr support.  What char file is actually
labeled fixed_disk_device_t?  The raw denial message should have an inode number
(use find -ino) and at least part of a path name.  Maybe if we find a better way
to label that char file this won't be an issue.  Doesn't seem like he is
complaining that the labels on the fs data are problematic, just the char file
label.  I don't have any idea how this fusefs works but my assumption is that
something is creating a new /dev/ file which if labeled more specifically we
might be able to get working....
Comment 5 Bill C. Riemers 2007-09-06 11:01:58 EDT
Isn't there a way to write the policy that only grants access to /dev/fuse to
automount_t?  BTW.  I would expect automount_t to be able to have write access
to every disk on the system, for the express purpose of mounting the disks... 
But in this case, I only need to grant access to one such device.  If there is
an selinux command I can use to change /dev/fuse that would work as well. 
Although, I guess the command would have to be added to the udev files.  Perhaps
then we might have a problem of udev not being allowed to run the appropriate
SELinux command.

Comment 6 David Anderson 2007-09-06 11:10:13 EDT
Eric: As Bill's comment implies, the only device file used by FUSE 
is /dev/fuse. What this means for SELinux I don't really know...
Comment 7 Bill C. Riemers 2007-09-06 11:19:26 EDT
Oh this is so obvious.  I should have thought of it sooner:

[root@hartnell tmp]# chcon --reference=$(which mount) $(which curlftpfs)
[root@hartnell tmp]# ls /ftp/sunsite.unc.edu
HEADER.html  HEADER.images  incoming  pub  README  unc

So the problem is not with the automount_t policy, but that curlftpfs is
installed with the wrong security context.
Comment 8 David Anderson 2007-09-07 12:52:35 EDT
Assigning bug back to selinux, in light of #7.
Comment 9 Daniel Walsh 2007-09-13 12:52:33 EDT
I have created a new type for /dev/fuse (fuse_dev_t)  
Fixed in selinux-policy-2.6.4-43.fc7.src.rpm
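Two points in this thread are worth seeing in working form: Comment 4's advice to locate the denied device node from the raw AVC record (inode plus name), and the conclusion of Comments 2 and 9 that the right fix is a dedicated type for /dev/fuse rather than read/write on fixed_disk_device_t, which covers every disk. The libsepol assertion failure in the description is the base policy's neverallow rejecting exactly that broad grant, so no local module can push it through. The script below is an added example, not code from the bug, from Fedora's selinux-policy or from the curlftpfs package: the AVC line is constructed, the module and type names fuse_dev and fuse_dev_t are my choice (Fedora's real fuse_dev_t was added to the base policy, not as a local module), and device_node is assumed to be the refpolicy attribute that lets udev and restorecon manage the node.

```shell
#!/bin/sh
# Added example, not from the bug thread, Fedora's policy or curlftpfs.
# Part 1: pull the pieces out of a raw AVC record that identify the
#         denied device node (Comment 4 asks for inode + path).
# Part 2: generate a policy module that gives /dev/fuse its own type and
#         grants automount_t read/write on that type only, instead of on
#         fixed_disk_device_t (every disk; Comments 2 and 9).

# Constructed sample denial in audit.log shape; pid, inode and timestamp
# are made up, the contexts and class match the bug report.
SAMPLE_AVC='type=AVC msg=audit(1189079849.123:456): avc:  denied  { read write } for  pid=4242 comm="curlftpfs" name="fuse" dev=tmpfs ino=1234 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file'

# avc_field LINE KEY: value of the first KEY=value token, quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# Type part of the target context (user:role:type:level -> type).
avc_target_type() {
    avc_field "$1" tcontext | cut -d: -f3
}

# Command that finds the node by inode under /dev without crossing mounts
# (GNU find spells it -inum).
find_by_inode_cmd() {
    printf 'find /dev -xdev -inum %s\n' "$(avc_field "$1" ino)"
}

# write_fuse_policy DIR: writes DIR/fuse_dev.te and DIR/fuse_dev.fc.
# Raw module syntax, so it builds with checkmodule/semodule_package exactly
# as in the report; no refpolicy Makefile needed. "device_node" is assumed
# to be the refpolicy attribute used for entries under /dev.
write_fuse_policy() {
    cat > "$1/fuse_dev.te" <<'EOF'
module fuse_dev 1.0;

require {
        type automount_t;
        attribute device_node;
        class chr_file { getattr read write };
}

# A type that labels exactly one node, so the grant below reaches nothing else.
type fuse_dev_t;
typeattribute fuse_dev_t device_node;

allow automount_t fuse_dev_t:chr_file { getattr read write };
EOF
    cat > "$1/fuse_dev.fc" <<'EOF'
/dev/fuse          -c  system_u:object_r:fuse_dev_t:s0
EOF
}

# policy_is_narrow FILE: fails if the .te still touches fixed_disk_device_t,
# i.e. if it would trip the same neverallow as the audit2allow module.
policy_is_narrow() {
    ! grep -q 'fixed_disk_device_t' "$1"
}

# build_fuse_policy DIR: compile, package with the .fc, install, relabel.
# Needs root and policycoreutils; not exercised by the checks below.
build_fuse_policy() {
    checkmodule -M -m -o "$1/fuse_dev.mod" "$1/fuse_dev.te" &&
    semodule_package -o "$1/fuse_dev.pp" -m "$1/fuse_dev.mod" -f "$1/fuse_dev.fc" &&
    semodule -i "$1/fuse_dev.pp" &&
    restorecon -v /dev/fuse
}
```

After build_fuse_policy, `ls -Z /dev/fuse` should show fuse_dev_t and the automount denial should be gone; because the .fc is packaged into the module, udev recreates the node with the right label on the next boot as well. The chcon route in Comment 7 works for a different reason: labelling curlftpfs like mount makes it run as mount_t rather than automount_t. That label survives only until the package is reinstalled or the filesystem is relabelled; the persistent form is `semanage fcontext -a -t mount_exec_t` on the binary's path followed by `restorecon` on it.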
Comment 10 Daniel Walsh 2008-01-30 14:20:50 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
