Bug 290941 - SELinux is preventing /usr/bin/runcon (unconfined_execmem_t) "transition" to /bin/umount (unconfined_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: i386 Linux
Priority: medium  Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-14 10:58 EDT by Dag Bjerkeli
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-09-21 14:05:38 EDT

Attachments
Entries in /var/log/messages from reboot of 14th Sep. (94.67 KB, text/plain)
2007-09-18 04:11 EDT, Dag Bjerkeli

Description Dag Bjerkeli 2007-09-14 10:58:48 EDT
Description of problem:
I'm getting an SELinux denial when rebooting the system.

Version-Release number of selected component (if applicable):

How reproducible:
Looks like every time I reboot the system

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
I have some NFS shares that I mount in /etc/fstab, it's those that trigger
SELinux. At least that's what it looks like to me.

Here is the output from setroubleshooter browser regarding the entry:

Source Context:  user_u:system_r:unconfined_execmem_t
Target Context:  user_u:system_r:unconfined_t
Target Objects:  /bin/umount [ process ]
Affected RPM Packages:  coreutils-6.9-3.fc7
[application]util-linux-2.13-0.54.fc7 [target]
Policy RPM:  selinux-policy-2.6.4-40.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  dag.inputdata.no
Platform:  Linux dag.inputdata.no #1 SMP Thu Aug 30 13:47:21 EDT
2007 i686 i686
Alert Count:  6
First Seen:  tir 14-08-2007 15:30:29 CEST
Last Seen:  fre 14-09-2007 16:42:22 CEST
Local ID:  d6a665be-1cfb-4d63-9efb-5adcd9a1eebb
Line Numbers:  
Raw Audit Messages :
avc: denied { transition } for comm="runcon" dev=dm-0 egid=0 euid=0
exe="/usr/bin/runcon" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="umount"
path="/bin/umount" pid=4039 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=pts0 uid=0
Comment 1 Daniel Walsh 2007-09-14 13:40:13 EDT
What is executing runcon?  Nothing should be running this?
Comment 2 Dag Bjerkeli 2007-09-18 04:11:21 EDT
Created attachment 198211
Entries in /var/log/messages from reboot of 14th Sep.
Comment 3 Dag Bjerkeli 2007-09-18 04:13:42 EDT
I'm getting these entries when I'm rebooting the system. I've attached some
output from /var/log/messages.
Comment 4 Daniel Walsh 2007-09-18 11:14:01 EDT
grep runcon /etc/rc.d/init.d/*

Something is running runcon which should not.
Comment 5 Dag Bjerkeli 2007-09-20 02:16:05 EDT
[root@dag ~]# grep runcon /etc/rc.d/init.d/*
/etc/rc.d/init.d/vmware:      runcon -t $context -- $command

Comment 6 Daniel Walsh 2007-09-21 14:05:38 EDT
This is a bug in vmware.  It should not be executing runcon in a script.

Please report this to them, and add me to the list.  If you remove the runcon
and only run $command does it work?
Comment 7 Dag Bjerkeli 2007-09-24 03:14:02 EDT
Thanks, I've modified the script as you suggested, and the warnings were gone
from messages.  I could not find anything that indicated that I've run into a
different problem. So I'll file a bug at VMware.
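
Added example, not part of the original bug thread: a short Python parser for the raw audit message in the description. It pulls out the source and target domain types and confirms the record is a denied process transition, which is what points at the runcon caller. The function names are this example's own; the sample is the message from the report, wrapped as it appears there.

```python
import errno
import re
import shlex

# Raw audit message copied from the bug description, line-wrapped as shown there.
SAMPLE_AVC = """avc: denied { transition } for comm="runcon" dev=dm-0 egid=0 euid=0
exe="/usr/bin/runcon" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="umount"
path="/bin/umount" pid=4039 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=pts0 uid=0"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(text):
    """Parse one AVC record (possibly line-wrapped) into a dict, or None."""
    m = AVC_RE.search(" ".join(text.split()))  # undo the line wrapping
    if m is None:
        return None
    result, perms, rest = m.groups()
    # key=value pairs; shlex strips the quotes around comm, exe, name, path
    rec = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
    rec["result"], rec["perms"] = result, perms.split()
    for key in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the type is the third field.
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    if "exit" in rec:
        # exit=-13 is the negated errno returned to the caller (EACCES)
        rec["errno"] = errno.errorcode.get(abs(int(rec["exit"])))
    return rec


def denied_transition(rec):
    """Return a one-line summary if rec is a denied domain transition."""
    if not rec or rec["result"] != "denied" or rec.get("tclass") != "process":
        return None
    if "transition" not in rec["perms"]:
        return None
    return "%s: %s -> %s on exec of %s (%s)" % (
        rec.get("exe"), rec["scontext_type"], rec["tcontext_type"],
        rec.get("path"), rec.get("errno"))


if __name__ == "__main__":
    print(denied_transition(parse_avc(SAMPLE_AVC)))
```

The `exe` and `comm` fields name the program that requested the transition (runcon here), which is why the next step in the thread was to grep the init scripts for it.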
