Description of problem:
I want to automount curlftpfs filesystems using autofs. The problem is SELinux does not allow scripts called from autofs to access /dev/fuse. I do not really understand why.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. Install the autofs files given below
2. As root: chmod 755 /etc/auto.ftp
3. As root: service autofs restart
4. Run the command: ls /ftp/sunsite.unc.edu

Actual results:
No directory is mounted. An SELinux error is logged in audit.log.

Expected results:
The directory should be mounted with no error.

Additional info:
audit2allow generated the following module for me, but I cannot get it to work.

[root@hartnell tmp]# cat local2007090602.te
module local2007090602 1.0;

require {
        type automount_t;
        type fixed_disk_device_t;
        class chr_file { read write };
}

#============= automount_t ==============
allow automount_t fixed_disk_device_t:chr_file { read write };

[root@hartnell tmp]# checkmodule -M -m -o local2007090602.mod local2007090602.te
checkmodule: loading policy configuration from local2007090602.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local2007090602.mod
[root@hartnell tmp]# semodule_package -o local2007090602.pp -m local2007090602.mod
[root@hartnell tmp]# semodule -v -i local2007090602.pp
Attempting to install module 'local2007090602.pp':
Ok: return value of 0.
Committing changes:
libsepol.check_assertion_helper: assertion on line 0 violated by allow automount_t fixed_disk_device_t:chr_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow automount_t fixed_disk_device_t:chr_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
The following are the autofs files I am using:

[root@hartnell tmp]# grep -v ^# /etc/auto.master
/misc      /etc/auto.misc
/net       -hosts
/ftp       /etc/auto.ftp
/autohome  /etc/auto.home
+auto.master

[root@hartnell tmp]# cat /etc/auto.ftp
#!/bin/bash
# autofs program map: automount runs this with the lookup key (the FTP host
# name under /ftp) as $1. A program map normally prints its map entry on
# stdout; this script mounts the share itself instead, so all output is sent
# to stderr and nothing is returned to automount.
(
    key=$1
    p=/ftp/$key
    if [ ! -d $p ]
    then
        mkdir -p $p
    fi
    # mount the FTP server at the key's directory; remove the empty
    # mount point again if curlftpfs fails
    curlftpfs -o allow_other,fsname=$key ftp://$key $p || rmdir $p
) 1>&2
Note: I notice malicious path names could cause problems with my script. So I revised it to add quotes around the variables.
I do not know that much about curlftpfs. But I think it needs to be able to set a file context on the mounted file system, or add xattr support.

allow automount_t fixed_disk_device_t:chr_file { read write };

This would be a very bad idea, since it allows automount to write to any disk on the machine. So curlftpfs needs to work better with SELinux, either allowing the user to specify a default context for the mounted file system, like mount does, or supporting xattrs which we can assign a context to.
Dan, I don't understand your suggestion... curlftpfs, as the name suggests, accesses an FTP server and mounts it into the filesystem. FTP doesn't support xattrs, period ... to get xattrs you'd have to modify FTP at a protocol level, wouldn't you? Secondly - isn't this a generic problem with fuse rather than something specific to curlftpfs? I think that all the components that would do the low level stuff would be in fuse - I'm no expert though (I'm just the packager!).
I think we can pretty much rule out xattr support. What char file is actually labeled fixed_disk_device_t? The raw denial message should have an inode number (use find -inum) and at least part of a path name. Maybe if we find a better way to label that char file this won't be an issue. Doesn't seem like he is complaining that the labels on the fs data are problematic, just the char file label. I don't have any idea how this fusefs works, but my assumption is that something is creating a new /dev/ file which, if labeled more specifically, we might be able to get working...
Isn't there a way to write the policy that only grants access to /dev/fuse to automount_t? BTW, I would expect automount_t to be able to have write access to every disk on the system, for the express purpose of mounting the disks... But in this case, I only need to grant access to one such device. If there is an SELinux command I can use to change /dev/fuse that would work as well. Although, I guess the command would have to be added to the udev files. Perhaps then we might have a problem of udev not being allowed to run the appropriate SELinux command.

Bill
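Added example, not code from this bug report or from the curlftpfs or selinux-policy packages: a small shell triage that does what the last few comments ask for. It pulls the fields out of an AVC denial of the kind described here, turns the inode into the find command that resolves it to a path under /dev, flags the target type as too broad when it is fixed_disk_device_t (the one type the thread names as covering every disk), and emits a module that grants the same permissions on a dedicated type for that one node instead. fuse_dev_t is the type name the maintainer later introduces on this bug; the module name local_fuse is an assumption. The audit line is constructed for the example, since the report never quotes the real denial, so its comm, name and inode values are assumed.

```shell
#!/bin/bash
# Added example (not from the bug report): triage an AVC denial of the kind
# this report describes, resolve the denied inode to a device path, and
# contrast the audit2allow rule with one scoped to a dedicated device type.
# The audit line below is CONSTRUCTED for illustration (the report never
# quotes the raw denial); the field layout is the standard auditd AVC format.
AVC_LINE='type=AVC msg=audit(1189097450.123:456): avc:  denied  { read write } for  pid=2345 comm="curlftpfs" name="fuse" dev=tmpfs ino=1234 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file'

# avc_field LINE KEY: value of the KEY=value pair, with quotes stripped.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT: the type component (third field) of a security context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# locate_cmd LINE: the command that resolves the denied inode to a path under
# /dev (the device filesystem is tmpfs, so -xdev keeps find on it).
locate_cmd() {
    printf 'find /dev -xdev -inum %s\n' "$(avc_field "$1" ino)"
}

# is_broad_target LINE: succeeds when allowing the target type as-is would
# grant access to a whole class of devices rather than one node. The report
# only names fixed_disk_device_t (every fixed disk on the machine); extend the
# case list with other shared device types as needed.
is_broad_target() {
    case $(avc_type "$(avc_field "$1" tcontext)") in
        fixed_disk_device_t) return 0 ;;
        *) return 1 ;;
    esac
}

# triage LINE: one-line summary of who was denied what, on which node, and
# whether the audit2allow rule for it would be too broad.
triage() {
    verdict=narrow
    is_broad_target "$1" && verdict=broad
    printf '%s -> %s:%s { %s } name=%s ino=%s target=%s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")" \
        "$(avc_field "$1" name)" "$(avc_field "$1" ino)" "$verdict"
}

# scoped_te LINE NEWTYPE MODNAME: a policy module that grants the denied
# permissions only on NEWTYPE instead of on the shared target type. NEWTYPE is
# declared here and must then be applied to the one node (semanage fcontext +
# restorecon), or shipped in the policy's file contexts as the fix on this bug
# does for fuse_dev_t.
scoped_te() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'module %s 1.0;\n\n' "$3"
    printf 'require {\n    type %s;\n    class %s { %s };\n}\n\n' "$src" "$cls" "$perms"
    printf 'type %s;\n' "$2"
    printf 'allow %s %s:%s { %s };\n' "$src" "$2" "$cls" "$perms"
}

triage "$AVC_LINE"
locate_cmd "$AVC_LINE"
scoped_te "$AVC_LINE" fuse_dev_t local_fuse
```

The emitted module is built and loaded with the same checkmodule -M -m, semodule_package and semodule -i sequence the report shows; unlike the audit2allow rule it never mentions fixed_disk_device_t, so the neverallow assertion that rejected that rule does not apply to it. The node still has to be relabeled (semanage fcontext -a -t fuse_dev_t /dev/fuse, then restorecon -v /dev/fuse) and, as Bill notes, udev recreates /dev/fuse, so the label must come from the file contexts rather than a one-off chcon. One caveat: a type declared bare like this lacks the attributes the rest of the policy expects on device nodes (refpolicy's dev_node() interface), so other domains that open /dev/fuse may start being denied, which is why the proper fix belongs in the policy package rather than a local module.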
Eric: As Bill's comment implies, the only device file used by FUSE is /dev/fuse. What this means for SELinux I don't really know...
Oh this is so obvious. I should have thought of it sooner:

[root@hartnell tmp]# chcon --reference=$(which mount) $(which curlftpfs)
[root@hartnell tmp]# ls /ftp/sunsite.unc.edu
HEADER.html  HEADER.images  incoming  pub  README  unc

So the problem is not with the automount_t policy, but that curlftpfs is installed with the wrong security context.
Assigning bug back to selinux, in light of #7.
I have created a new type for /dev/fuse (fuse_dev_t) Fixed in selinux-policy-2.6.4-43.fc7.src.rpm
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.