This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 444239 - SELinux denys access to disk witout AVC
SELinux denys access to disk witout AVC
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-25 18:31 EDT by Flóki Pálsson
Modified: 2008-05-06 18:39 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 17:22:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
fdisk and ll fore /media (3.31 KB, text/plain)
2008-04-25 18:31 EDT, Flóki Pálsson
no flags Details
mount problem (24.88 KB, image/png)
2008-05-06 18:39 EDT, Flóki Pálsson
no flags Details

  None (edit)
Description Flóki Pálsson 2008-04-25 18:31:42 EDT
Description of problem:
SELinux deny access to disk without AVC.
There are thee disks. See in attachment.  
FC9 is instaled to 200 gb disk sdb.
On  disk sda ( 120gb ) there are to partitions ( _tonlist and _ymislegt) which
are created with older version off Fedora ( FC7).  FC8 has no problem to show
and read them.In FC9 preview with all updates then it is only possible to access
the partitions on sda in permissive mod. 
After reebooting the partitions are viseble in Nautilus.  When clicking on them
in enforcing mod then nothing happens. There is no AVC warning. 
When SELinux is changed to permissive mode then it is possible to accesses the
files on disk sda ( _tonlist and _ymislegt).


Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-35.fc9.noarch


How reproducible:
Always

Steps to Reproduce:
1.
Install FC9 perview, update all 
2.
In Nautilus as user click on visible partitions on sda ( _tonlist and _ymislegt)
Nothing happens. No AVC warnig. 
3.
Cannge SElinux to permissive mod.
In Nautilus click on visible partitions on sda ( _tonlist and _ymislegt)
Then Nautius shows content in sda  ( _tonlist and _ymislegt).

(Same effect is possible if logout user, log in as root, repeat 2., log root oyt
and user in. then user can see sda as root could ) 
  
Actual results:
In 2. nothing happes

Expected results:
in 2. then as in FC8 FC9 should show content on separate disk.


Additional info:
See bug 442823 also. 
FC9 has always behaved in this way. I am pretty sure. 
In SELinux there is no rule for "system_u:object_r:default_t:s0" files on disk
sda ( _tonlist )
Comment 1 Flóki Pálsson 2008-04-25 18:31:42 EDT
Created attachment 303831 [details]
fdisk and ll fore /media
Comment 2 Daniel Walsh 2008-04-28 08:52:32 EDT
In a terminal can you execute 

id -Z
Comment 3 Flóki Pálsson 2008-05-03 16:43:01 EDT
I was on vacation.

Yes.
But still no AVC and access to disk


[floki@localhost ~]$ id -Z 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[floki@localhost ~]$ 


[root@localhost ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]# 
Comment 4 Daniel Walsh 2008-05-05 14:23:31 EDT
semodule -DB

will turn off all dontaudit rules, see if AVC's are generated then.

semodule -B 

will turn them back on.
Comment 5 Flóki Pálsson 2008-05-05 17:01:14 EDT
After 
[root@localhost ~]# semodule -DB
then 
clik on /boot in places in Nautilus 
( /dev/sdb1               194442     19592    164811  11% /boot )
 there is no AVC and no access

PS

Disk /dev/sda: 120.0 GB is now corrupt

Comment 6 Josef Kubin 2008-05-06 01:43:07 EDT
Hard to say, it looks as gremlins or ghosts in your box ...
Is it somehow reliably reproducible?

ie:
1) make partition(s) and format your 120GB hard drive or `# fsck.ext3 /dev/sdb`
2) mount it
3) # setenforce 0; setenforce 1;
4) ... (# semodule -DB; semodule -B)
5) a corruption of HDD has occured
6) --> 1)

Thank you!
Comment 7 Daniel Walsh 2008-05-06 17:22:09 EDT
I would say you are having far more problems then just selinux.  semodule -DB is
just rebuilding and reloading policy, it should not corrupt the disk.  I think
your disk is going haywire.
Comment 8 Flóki Pálsson 2008-05-06 18:20:09 EDT
Yes I believe that   SELinux is not related to corruption of HDD.


Now I can see 120gb disk in FC9 Nautilus in collume Places. 
In FC8 it is possible to access 120 gb disk.
How the disk is readble agin I dot know. ( I mounted  something in FC8 )

In FC9 it is not possible to access the disk.

3) # setenforce 0; setenforce 1;
4) ... (# semodule -DB; semodule -B)
5) a corruption of HDD has occured     - corruption does not happen
6) --> 1)

The corruption ( ?) off the disk is not related to SElinux.

Now when in permissive mode it is possible to access (_tonlist ( on 120gb ))

Stepps 3 and 4 give not access to  disk (_tonlist) or AVC. 
Comment 9 Flóki Pálsson 2008-05-06 18:38:58 EDT
Se attachment off error when it was not possible to access disk.
 
Comment 10 Flóki Pálsson 2008-05-06 18:39:59 EDT
Created attachment 304694 [details]
mount problem

Note You need to log in before you can comment on or make changes to this bug.