Description of problem:
When I plug in a disc with a reiserfs partition GNOME is unable to mount it and I get this:

SELinux prevented /bin/mount from mounting on the file or directory "" (type "unlabeled_t").

Version-Release number of selected component (if applicable):
This is with SELinux enabled and Enforcing, targeted (installation default).
That is strange. It is supposed to be labeled nfs_t since reiserfs support to extended attributes is broken. If you mount it by hand, what does the mount table show?
The mount table? The SELinux context is system_u:object_r:nfs_t:s0 if that's what you mean. Probably when I plug it in it still doesn't have any context. I don't know.
Please attach the avc and the output from the mount command when the device is mounted by hand.
avc: denied { search } for comm=mount dev=sdb2 egid=0 euid=0 exe=/bin/mount exit=-95 fsgid=0 fsuid=0 gid=0 items=0 name=/ pid=10525 scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0

I don't know what you mean by mount command. This?

/dev/sdb2 on /tmp/felipec/mnt type reiserfs (rw)
Looks like a kernel problem. Current F8 policy has

genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
We used to encounter those search denials on reiserfs due to it performing internal lookups on its xattr subdirectories, but those should have been resolved by the changes to mark those inodes private and have the security hooks ignore such inodes. I don't know - I don't use reiserfs.
What?! Why won't fix? Just format a USB key with reiserfs and you'll reproduce it.
Was this working for you under F7? I just ask because F7 is the only thing I have in front of me and it worked for me there. Wanted to make sure reinstalling is going to help me reproduce...
When I was using F7 I had so many problems that I disabled SELinux. I probably can check my work's laptop, but it might take a while.
I went ahead and installed F8 and was able to reproduce the problem. I'm working now to find what reiserfs changed between F7 and F8. Dan also explained to me the transitions going on here.

By hand it is:
unconfined_t -> mount_exec_t -> unconfined_mount_t

From gnome:
whatever???? -> mount_exec_t -> mount_t

and apparently unconfined_mount_t has search perms on unlabeled_t. (The fact that anything is unlabeled is a reiserfs problem, not selinux I believe.) But I do wonder if the mount domain might not have been different enough in F7 that the same bug might be there but policy allows it.... Most of this is just so I don't forget what I figured out already...
Oh yeah, dmesg from the failed gnome mount.

ReiserFS: sde1: found reiserfs format "3.6" with standard journal
ReiserFS: sde1: using ordered data mode
ReiserFS: sde1: journal params: device sde1, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
ReiserFS: sde1: checking transaction log (sde1)
ReiserFS: sde1: Using r5 hash to sort names
ReiserFS: sde1: warning: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount.
mount_t search on unlabeled_t may be required to allow initialization of reiserfs due to its funky way of storing xattrs as files in a private directory. The lookup of .reiserfs_priv probably happens before we have had a chance to set up the root inode security blob, so it is always unlabeled (allocated, but not set up).
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-62.fc8
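As an added illustration of what the audit2allow step above does (this is example code, not from the bug report or the policy package), the POSIX sh below pulls the source type, target type, object class and permission out of an AVC denial record and emits the same allow rule and .te module layout that audit2allow -M produces. The function names are this example's own; the sample input is the AVC record posted in this thread.

```sh
#!/bin/sh
# Added example (not from the bug report): derive the type-enforcement rule
# that "audit2allow -M mypol" would generate from an AVC denial record.
# Function names and the module layout below are this example's own choices.

parse_avc() {
    # Pull the four fields a TE rule needs out of one AVC record ($1) into
    # the globals src, tgt, cls, perms. The type is the third colon-separated
    # component of each security context (user:role:type:level).
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*/\1/p')
    # Reject anything that is not a complete "denied" record.
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ]
}

avc_to_rule() {
    # One AVC record -> the single allow rule that would permit that access.
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_te() {
    # $1 = module name, $2 = AVC record -> complete .te source for checkmodule.
    parse_avc "$2" || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n' "$src"
    [ "$src" = "$tgt" ] || printf '\ttype %s;\n' "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# The AVC record posted in this thread, copied verbatim as the sample input.
sample_avc='type=AVC msg=audit(1196449503.510:6331): avc: denied { search } for pid=478 comm="mount" name="/" dev=sdb2 ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'

avc_to_te mypol "$sample_avc"
```

The emitted rule is exactly the one the workaround grants, allow mount_t unlabeled_t:dir { search };, and the .te text can be compiled the way audit2allow -M does it, with checkmodule -M -m -o mypol.mod mypol.te followed by semodule_package -o mypol.pp -m mypol.mod.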
I tried: yum update selinux-policy --enablerepo=updates-testing So now I have selinux-policy-3.0.8-62.fc8 and it still doesn't work.
Do you have the denial messages? Make it happen, then run:

ausearch -m AVC -ts recent

and give those to us? I'll try to get over to that F8 machine again to look at it myself.
type=SYSCALL msg=audit(1196449503.510:6331): arch=40000003 syscall=21 success=no exit=-95 a0=b8bbf238 a1=b8bbf248 a2=b8bbf258 a3=c0ed0006 items=0 ppid=476 pid=478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1196449503.510:6331): avc: denied { search } for pid=478 comm="mount" name="/" dev=sdb2 ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Fixed in selinux-policy-3.0.8-62.fc8
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.