Description of problem:
SELinux avc denial is preventing the fuse control filesystem being mounted:

# /sbin/service fuse start
Fuse filesystem already available.
Mounting fuse control filesystem failed!

The avc denial that comes up is:

Summary:

SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is required by mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          renton.jgu
Source RPM Packages           util-linux-ng-2.13.1-1.fc8
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.3-34.fc8 #1 SMP Wed Mar 12 16:51:49 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Sat 15 Mar 2008 15:25:55 GMT
Last Seen                     Sat 15 Mar 2008 15:33:36 GMT
Local ID                      d8d3a5ed-cd67-4f81-8fa1-81e25f2c0e4b
Line Numbers

Raw Audit Messages

host=renton.jgu type=AVC msg=audit(1205595216.980:38): avc: denied { mount } for pid=7475 comm="mount" name="/" dev=fusectl ino=1 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

host=renton.jgu type=SYSCALL msg=audit(1205595216.980:38): arch=c000003e syscall=165 success=no exit=-13 a0=2aaaaacd96b0 a1=2aaaaacdaa70 a2=2aaaaacdaaa0 a3=ffffffffc0ed0001 items=0 ppid=7470 pid=7475 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)

Version-Release number of selected component (if applicable):

# rpm -qa | grep fuse
fuse-libs-2.7.3-2.fc8
fuse-sshfs-1.9-2.fc8
fuse-2.7.3-2.fc8
fuse-libs-2.7.3-2.fc8

# rpm -qa | grep selinux
selinux-policy-devel-3.0.8-87.fc8
libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-87.fc8
libselinux-2.0.43-1.fc8
selinux-policy-3.0.8-87.fc8
libselinux-2.0.43-1.fc8

How reproducible:
Every time.

Steps to Reproduce:
1. /sbin/service fuse start
Installed latest policy from updates-testing:

# rpm -qa | grep selinux
libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-87.fc8
libselinux-2.0.43-1.fc8
selinux-policy-devel-3.0.8-93.fc8
selinux-policy-3.0.8-93.fc8
libselinux-2.0.43-1.fc8

And still see the problem:

Summary:

SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is required by mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          renton.jgu
Source RPM Packages           util-linux-ng-2.13.1-1.fc8
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.3-34.fc8 #1 SMP Wed Mar 12 16:51:49 EDT 2008 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 15 Mar 2008 15:25:55 GMT
Last Seen                     Sat 15 Mar 2008 15:35:53 GMT
Local ID                      d8d3a5ed-cd67-4f81-8fa1-81e25f2c0e4b
Line Numbers

Raw Audit Messages

host=renton.jgu type=AVC msg=audit(1205595353.781:40): avc: denied { mount } for pid=7756 comm="mount" name="/" dev=fusectl ino=1 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

host=renton.jgu type=SYSCALL msg=audit(1205595353.781:40): arch=c000003e syscall=165 success=no exit=-13 a0=2aaaaacd96b0 a1=2aaaaacdaa70 a2=2aaaaacdaaa0 a3=ffffffffc0ed0001 items=0 ppid=7751 pid=7756 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
The relevant part of /etc/init.d/fuse:

MOUNTPOINT=/sys/fs/fuse/connections
....
if grep -qw fusectl /proc/filesystems && \
   ! grep -qw $MOUNTPOINT /proc/mounts; then
    echo -n "Mounting fuse control filesystem"
    if ! mount -t fusectl fusectl $MOUNTPOINT >/dev/null 2>&1; then
        echo " failed!"
        exit 1
*** Bug 437282 has been marked as a duplicate of this bug. ***
Just adding a 'me too' to the bug as well. F8, fully updated (as of 2008-03-16) and unable to start the fuse service due to SELinux avc denial. setroubleshoot's message is the same as Jonathan has posted above. "SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t)."
The problem appears to have gone away with this afternoon's updates. No error on system start up and a 'service fuse stop' followed by 'service fuse start' worked. These are the selinux packages I have after the update this afternoon (3/16/08 PM EDT).

rpm -qa | grep selinux
selinux-policy-targeted-3.0.8-93.fc8
selinux-policy-3.0.8-93.fc8
selinux-policy-devel-3.0.8-93.fc8
libselinux-2.0.43-1.fc8
libselinux-python-2.0.43-1.fc8
Hm - spurred on by comment #5, I realized that, while I had updated selinux-policy to 3.0.8-93.fc8, that hadn't pulled in the updated selinux-policy-targeted, which was still 3.0.8-87.fc8. Updating s-p-targeted to 3.0.8-93.fc8 does indeed seem to fix the problem here too.

Closing bug as ERRATA - reopen if this is not fixed for you with 3.0.8-93.fc8 of the selinux policies.
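
The version skew described in the comment above (selinux-policy at 3.0.8-93.fc8 while selinux-policy-targeted stayed at 3.0.8-87.fc8) can be checked mechanically. The following is an added example, not part of the original bug thread; the function name policy_skew is hypothetical and the embedded package listing is constructed from the one posted earlier.

```sh
#!/bin/sh
# Constructed sample: the `rpm -qa | grep selinux` listing from the thread,
# with the base policy updated but selinux-policy-targeted left behind.
SAMPLE_SKEWED='libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-87.fc8
libselinux-2.0.43-1.fc8
selinux-policy-devel-3.0.8-93.fc8
selinux-policy-3.0.8-93.fc8'

# policy_skew (hypothetical helper): reads package name-version-release
# strings on stdin, one per line, and prints every selinux-policy-*
# subpackage whose version-release differs from the base selinux-policy.
# Exit status: 0 = consistent, 1 = skew found, 2 = base package not listed.
policy_skew() {
    awk '
    # RPM versions and releases never contain "-", so the last two
    # dash-separated fields are always version and release.
    function verrel(nvr,   n, p) {
        n = split(nvr, p, "-")
        return p[n-1] "-" p[n]
    }
    function pkgname(nvr,   n, p, i, s) {
        n = split(nvr, p, "-")
        s = p[1]
        for (i = 2; i <= n - 2; i++) s = s "-" p[i]
        return s
    }
    /^selinux-policy/ {
        pkg = pkgname($0)
        if (pkg == "selinux-policy") base = verrel($0)
        else subpkg[pkg] = verrel($0)
    }
    END {
        if (base == "") exit 2
        for (pkg in subpkg)
            if (subpkg[pkg] != base) {
                printf "%s is %s but selinux-policy is %s\n", pkg, subpkg[pkg], base
                bad = 1
            }
        exit bad + 0
    }'
}

# Demo on the constructed sample; on a live system: rpm -qa | policy_skew
printf '%s\n' "$SAMPLE_SKEWED" | policy_skew || echo "exit status: $?"
```

A non-zero exit from this check means the loaded targeted policy may not match the selinux-policy version shown in the "Policy RPM" field of the setroubleshoot report.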
*** Bug 437759 has been marked as a duplicate of this bug. ***
*** Bug 438223 has been marked as a duplicate of this bug. ***