290941 – SELinux is preventing /usr/bin/runcon (unconfined_execmem_t) "transition" to /bin/umount (unconfined_t).

Bug 290941 - SELinux is preventing /usr/bin/runcon (unconfined_execmem_t) "transition" to /bin/umount (unconfined_t).

Summary: SELinux is preventing /usr/bin/runcon (unconfined_execmem_t) "transition" to ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	7
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-14 14:58 UTC by Dag Bjerkeli
Modified:	2007-11-30 22:12 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-09-21 18:05:38 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Entries in /var/log/messages from reoot of 14th sep. (94.67 KB, text/plain) 2007-09-18 08:11 UTC, Dag Bjerkeli	no flags	Details
View All

Description Dag Bjerkeli 2007-09-14 14:58:48 UTC

Description of problem:
I'm getting a SElinux denial when rebooting system.

Version-Release number of selected component (if applicable):


How reproducible:
Looks like everytime I reboot the system

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
I have some NFS shares that I mount in /etc/fstab, its those that triggers
SElinux. At least thats what it lookslike for me.

Here is the output from setroubleshooter browser regarding the entry:

Source Context:  user_u:system_r:unconfined_execmem_t
Target Context:  user_u:system_r:unconfined_t
Target Objects:  /bin/umount [ process ]
Affected RPM Packages:  coreutils-6.9-3.fc7
[application]util-linux-2.13-0.54.fc7 [target]
Policy RPM:  selinux-policy-2.6.4-40.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  dag.inputdata.no
Platform:  Linux dag.inputdata.no 2.6.22.5-76.fc7 #1 SMP Thu Aug 30 13:47:21 EDT
2007 i686 i686
Alert Count:  6
First Seen:  tir 14-08-2007 15:30:29 CEST
Last Seen:  fre 14-09-2007 16:42:22 CEST
Local ID:  d6a665be-1cfb-4d63-9efb-5adcd9a1eebb
Line Numbers:  
Raw Audit Messages :
avc: denied { transition } for comm="runcon" dev=dm-0 egid=0 euid=0
exe="/usr/bin/runcon" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="umount"
path="/bin/umount" pid=4039 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=0 subj=user_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=pts0 uid=0

Comment 1 Daniel Walsh 2007-09-14 17:40:13 UTC

What is executing runcon?  Nothing should be running this?

Comment 2 Dag Bjerkeli 2007-09-18 08:11:21 UTC

Created attachment 198211 [details]
Entries in /var/log/messages from reoot of 14th sep.

Comment 3 Dag Bjerkeli 2007-09-18 08:13:42 UTC

I'm getting these entries when I'm rebooting the system. I've attached some
output from /var/log/messages.

Comment 4 Daniel Walsh 2007-09-18 15:14:01 UTC

grep runcon /etc/rc.d/init.d/*

Something is running runcon which should not.

Comment 5 Dag Bjerkeli 2007-09-20 06:16:05 UTC

[root@dag ~]# grep runcon /etc/rc.d/init.d/*
/etc/rc.d/init.d/vmware:      runcon -t $context -- $command

Comment 6 Daniel Walsh 2007-09-21 18:05:38 UTC

This is a bug in vmware.  It should not be executing runcon in a script.

Please report this to them, and add me to the list.  If you remove the runcon
and only run $command does it work?

Comment 7 Dag Bjerkeli 2007-09-24 07:14:02 UTC

Thanks, I've modified the script as you suggested, and the warning were gone
from messages.  I could not find anything that indicated that I've run into a
different problem. So I'll file a bug at VMware.

Note You need to log in before you can comment on or make changes to this bug.