Bug 437282 - selinux denial on latest fuse update
Status: CLOSED DUPLICATE of bug 437634
Product: Fedora
Classification: Fedora
Component: fuse
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
Duplicates: 437420
Reported: 2008-03-13 07:42 EDT by Bradley
Modified: 2008-03-17 10:37 EDT
Last Closed: 2008-03-15 11:47:23 EDT


Description Bradley 2008-03-13 07:42:33 EDT
Description of problem:

Latest fuse update (fuse-2.7.3-2.fc8) now runs an initscript. With selinux, this
fails.

Version-Release number of selected component (if applicable):

fuse-2.7.3-2.fc8
selinux-policy-3.0.8-87.fc8

How reproducible:

Always

Steps to Reproduce:

[root@plum ~]# /etc/rc.d/init.d/fuse start
  
Actual results:

Loading fuse module.
Mounting fuse control filesystem failed!

fusectl not mounted

Expected results:

No error

Additional info:

mount -t fusectl fusectl /sys/fs/fuse/connections

works. strace -f on the initscript call shows the failing call is

4047  mount("fusectl", "/sys/fs/fuse/connections", "fusectl"..., MS_MGC_VAL,
NULL) = -1 EACCES (Permission denied)

sealert applet says:

Summary:

SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is
required by mount and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          plum.home
Source RPM Packages           util-linux-ng-2.13.1-1.fc8
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     plum.home
Platform                      Linux plum.home 2.6.24.3-12.fc8 #1 SMP Tue Feb 26
                              14:21:30 EST 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 13 Mar 2008 22:35:48 EST
Last Seen                     Thu 13 Mar 2008 22:37:39 EST
Local ID                      35c4e379-a969-48c6-b501-05836c7bced1
Line Numbers                  

Raw Audit Messages            

host=plum.home type=AVC msg=audit(1205408259.985:53): avc:  denied  { mount }
for  pid=4047 comm="mount" name="/" dev=fusectl ino=1
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=filesystem

host=plum.home type=SYSCALL msg=audit(1205408259.985:53): arch=c000003e
syscall=165 success=no exit=-13 a0=2aaaaacd9d10 a1=2aaaaacdb0d0 a2=2aaaaacdb100
a3=ffffffffc0ed0001 items=0 ppid=4032 pid=4047 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 comm="mount" exe="/bin/mount"
subj=system_u:system_r:mount_t:s0 key=(null)
Comment 1 Adrian 2008-03-13 17:08:08 EDT
I am experiencing the same problem.
Comment 2 Peter Lemenkov 2008-03-14 05:58:22 EDT
*** Bug 437420 has been marked as a duplicate of this bug. ***
Comment 3 Dmitry Monakhov 2008-03-14 10:27:26 EDT
I have the same problem.
Comment 4 Jon Riding 2008-03-14 13:31:41 EDT
Same here. Worked around with:

# grep mount /var/log/messages | audit2allow -M mymount
# semodule -i mymount.pp
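
Added example, not part of the original thread: a Python sketch of the allow rule that the AVC record in the description translates to, showing why feeding every log line that matches `grep mount` into a policy generator (as in comment 4) permits more than the fusectl mount. The second log line (a `shadow_t` denial) and all function names are constructed for illustration; this is not audit2allow's own code.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in this bug. Line 2 is a CONSTRUCTED, unrelated
# denial that also contains the word "mount" and so survives `grep mount`.
SAMPLE_LOG = '''\
host=plum.home type=AVC msg=audit(1205408259.985:53): avc:  denied  { mount } for  pid=4047 comm="mount" name="/" dev=fusectl ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=AVC msg=audit(1205408300.100:60): avc:  denied  { read } for  pid=4100 comm="mount" name="shadow" dev=dm-0 ino=99 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third component.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def allow_rules(log, keep=lambda rec: True):
    """Build type-enforcement allow rules from the denials that pass `keep`."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and keep(rec):
            key = (rec['stype'], rec['ttype'], rec['tclass'])
            grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

def fusectl_only(rec):
    """Keep only the fusectl filesystem mount denial from this report."""
    return rec['tclass'] == 'filesystem' and rec.get('dev') == 'fusectl'

if __name__ == '__main__':
    print('everything matching "mount":', allow_rules(SAMPLE_LOG))
    print('scoped to fusectl:', allow_rules(SAMPLE_LOG, fusectl_only))
```

Reviewing the generated `.te` file before running `semodule -i` serves the same purpose: only the `unlabeled_t:filesystem mount` rule corresponds to the denial reported here.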

Comment 5 Ilya Ryabinkin 2008-03-14 17:38:11 EDT
I confirm the bug
Comment 6 Kevin R. Page 2008-03-15 10:04:09 EDT
This is probably a problem with SELinux policy - could the reporter reassign
the bug to the selinux-policy component, please? This should ensure it's dealt
with promptly.
Comment 7 Jonathan Underwood 2008-03-15 11:47:23 EDT
Actually I just reported this as a bug against SELinux before I stumbled across
this report.

https://bugzilla.redhat.com/show_bug.cgi?id=437634

Will mark this bug as a duplicate of 437634 even though this bug was reported first.



*** This bug has been marked as a duplicate of 437634 ***
Comment 8 Suvayu 2008-03-17 10:37:04 EDT
I got this exact same problem after the last system update.

During system boot I get,
fuse control file system failure 
