Bug 437634 - SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).
SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 437282 437759 438223 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-15 11:34 EDT by Jonathan Underwood
Modified: 2008-03-24 16:46 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-16 16:45:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jonathan Underwood 2008-03-15 11:34:45 EDT
Description of problem:
SElinux avc denial is preventing the fuse control filesystem being mounted:

# /sbin/service fuse start
Fuse filesystem already available.
Mounting fuse control filesystem failed!

The avc denial that comes up is:


Summary:

SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is
required by mount and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          renton.jgu
Source RPM Packages           util-linux-ng-2.13.1-1.fc8
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.3-34.fc8 #1 SMP Wed Mar 12
                              16:51:49 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Sat 15 Mar 2008 15:25:55 GMT
Last Seen                     Sat 15 Mar 2008 15:33:36 GMT
Local ID                      d8d3a5ed-cd67-4f81-8fa1-81e25f2c0e4b
Line Numbers                  

Raw Audit Messages            

host=renton.jgu type=AVC msg=audit(1205595216.980:38): avc:  denied  { mount }
for  pid=7475 comm="mount" name="/" dev=fusectl ino=1
scontext=unconfined_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

host=renton.jgu type=SYSCALL msg=audit(1205595216.980:38): arch=c000003e
syscall=165 success=no exit=-13 a0=2aaaaacd96b0 a1=2aaaaacdaa70 a2=2aaaaacdaaa0
a3=ffffffffc0ed0001 items=0 ppid=7470 pid=7475 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="mount" exe="/bin/mount"
subj=unconfined_u:system_r:mount_t:s0 key=(null)



Version-Release number of selected component (if applicable):
# rpm -qa | grep fuse
fuse-libs-2.7.3-2.fc8
fuse-sshfs-1.9-2.fc8
fuse-2.7.3-2.fc8
fuse-libs-2.7.3-2.fc8

# rpm -qa | grep selinux
selinux-policy-devel-3.0.8-87.fc8
libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-87.fc8
libselinux-2.0.43-1.fc8
selinux-policy-3.0.8-87.fc8
libselinux-2.0.43-1.fc8


How reproducible:
Everytime.

Steps to Reproduce:
1./sbin/service fuse start
2.
3.
Comment 1 Jonathan Underwood 2008-03-15 11:37:05 EDT
Installed latest policy from updates-testing: 
# rpm -qa | grep selinux
libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-87.fc8
libselinux-2.0.43-1.fc8
selinux-policy-devel-3.0.8-93.fc8
selinux-policy-3.0.8-93.fc8
libselinux-2.0.43-1.fc8


And still see the problem:

Summary:

SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is
required by mount and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          renton.jgu
Source RPM Packages           util-linux-ng-2.13.1-1.fc8
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.3-34.fc8 #1 SMP Wed Mar 12
                              16:51:49 EDT 2008 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 15 Mar 2008 15:25:55 GMT
Last Seen                     Sat 15 Mar 2008 15:35:53 GMT
Local ID                      d8d3a5ed-cd67-4f81-8fa1-81e25f2c0e4b
Line Numbers                  

Raw Audit Messages            

host=renton.jgu type=AVC msg=audit(1205595353.781:40): avc:  denied  { mount }
for  pid=7756 comm="mount" name="/" dev=fusectl ino=1
scontext=unconfined_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

host=renton.jgu type=SYSCALL msg=audit(1205595353.781:40): arch=c000003e
syscall=165 success=no exit=-13 a0=2aaaaacd96b0 a1=2aaaaacdaa70 a2=2aaaaacdaaa0
a3=ffffffffc0ed0001 items=0 ppid=7751 pid=7756 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="mount" exe="/bin/mount"
subj=unconfined_u:system_r:mount_t:s0 key=(null)



Comment 2 Jonathan Underwood 2008-03-15 11:42:37 EDT
The relevant part of /etc/init.d/fuse:

MOUNTPOINT=/sys/fs/fuse/connections

....


if grep -qw fusectl /proc/filesystems && \
           ! grep -qw $MOUNTPOINT /proc/mounts; then
                echo -n "Mounting fuse control filesystem"
                if ! mount -t fusectl fusectl $MOUNTPOINT >/dev/null 2>&1; then
                        echo " failed!"
                        exit 1
Comment 3 Jonathan Underwood 2008-03-15 11:47:24 EDT
*** Bug 437282 has been marked as a duplicate of this bug. ***
Comment 4 Jeffrey Tadlock 2008-03-16 08:07:37 EDT
Just adding a 'me too' to the bug as well.  F8, fully updated (as of 2008-03-16)
and unable to start the fuse service due to SElinux avc denial.  

setroubleshoot's message is the same as Jonathan has posted above.  "SELinux is
preventing mount (mount_t) "mount" to / (unlabeled_t)."
Comment 5 Jeffrey Tadlock 2008-03-16 16:11:58 EDT
The problem appears to have gone away with this afternoon's updates.  No error
on system start up and a 'service fuse stop' followed by 'service fuse start'
worked.  

These are the selinux packages I have after the update this afternoon (3/16/08
PM EDT).

rpm -qa | grep selinux
selinux-policy-targeted-3.0.8-93.fc8
selinux-policy-3.0.8-93.fc8
selinux-policy-devel-3.0.8-93.fc8
libselinux-2.0.43-1.fc8
libselinux-python-2.0.43-1.fc8
Comment 6 Jonathan Underwood 2008-03-16 16:45:14 EDT
Hm - spurred on by comment #5, I realized that, while I had updated
selinux-policy to 3.0.8-93.fc8, that hadn't pulled in the updated
selinux-policy-targeted, which was still 3.0.8-87.fc8. Updated s-p-targeted to
3.0.8-93.fc8 does indeed seem to fix the problem here too.

Closing bug as ERRATA - reopen if this is not fixed for you with 3.0.8-93.fc8 of
the selinux policies.
Comment 7 Peter Lemenkov 2008-03-24 16:46:18 EDT
*** Bug 437759 has been marked as a duplicate of this bug. ***
Comment 8 Peter Lemenkov 2008-03-24 16:46:30 EDT
*** Bug 438223 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.