Description of problem:
I understand what sealert is saying, and that I could set the boolean to make it work, but in my (not so) humble opinion this should be allowed for hal (or whoever is calling {u,}mount by default). The only thing I was doing was inserting a USB drive into a USB port. When hal automagically mounts such a drive, it shouldn't be interrupted by SELinux complaining, right? restorecon on /media/.hal-mtab-lock hasn't changed anything.

Summary:
SELinux prevented umount from mounting on the file or directory "/media/.hal-mtab-lock" (type "mnt_t").

Detailed Description:
[SELinux is in permissive mode; the operation would have been denied but was allowed because of permissive mode.]

SELinux prevented umount from mounting a filesystem on the file or directory "/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "mnt_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."

Fix Command:
setsebool -P allow_mount_anyfile=1

Additional Information:
Source Context        system_u:system_r:mount_t
Target Context        system_u:object_r:mnt_t
Target Objects        /media/.hal-mtab-lock [ file ]
Source                umount
Source Path           /bin/umount
Port                  <Unknown>
Host                  viklef
Source RPM Packages   util-linux-ng-2.13.1-6.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-51.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           allow_mount_anyfile
Host Name             viklef
Platform              Linux viklef 2.6.25.3-18.fc9.i686 #1 SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count           1
First Seen            Sun 18 May 2008, 20:20:24 CEST
Last Seen             Sun 18 May 2008, 20:20:24 CEST
Local ID              0af0006f-b78d-49c7-a5d7-4cd8da208432
Line Numbers

Raw Audit Messages
host=viklef type=AVC msg=audit(1211134824.832:62): avc: denied { write } for pid=18600 comm="umount" path="/media/.hal-mtab-lock" dev=dm-0 ino=5521718 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
host=viklef type=SYSCALL msg=audit(1211134824.832:62): arch=40000003 syscall=11 success=yes exit=0 a0=804b14d a1=bfab88f0 a2=bfab8e6c a3=804b14d items=0 ppid=18599 pid=18600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)

Version-Release number of selected component (if applicable):
util-linux-ng-2.13.1-6.fc9.i386
selinux-policy-targeted-3.3.1-51.fc9.noarch
I guess that the /media/.hal-mtab-lock is HAL stuff.
I think this is a leaked file descriptor from hal. Hal opens the lock file for write and then fails to call fcntl(fd, F_SETFD, FD_CLOEXEC). When the confined mount program runs, the SELinux kernel notices the open file descriptor, checks the domain to see if it has access, then closes it with the error. I believe the mount would have succeeded in enforcing mode.
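The leak described above, as an added example that is neither hal's code nor the attached patch: a daemon opens its lock file and then spawns a child program (here /bin/sh standing in for /bin/umount); without FD_CLOEXEC the child inherits the descriptor, and with fcntl(F_SETFD, FD_CLOEXEC) it is closed across exec before the child can touch it. The lock path is a constructed stand-in for /media/.hal-mtab-lock.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the lock file as a daemon would; with close_on_exec the descriptor is
 * marked FD_CLOEXEC (the fix), otherwise it stays inheritable (the leak). */
static int open_lock(const char *path, int close_on_exec)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd >= 0 && close_on_exec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec /bin/sh (standing in for /bin/umount); the child dups the inherited
 * fd number, which only works if the fd survived exec. Returns 1/0, or -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status = 0;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null <&%d", fd);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Constructed stand-in for /media/.hal-mtab-lock: open it, spawn a child, report the leak. */
static int lock_leaks_into_child(int close_on_exec)
{
    const char *path = "/tmp/hal-mtab-lock-example";
    int fd = open_lock(path, close_on_exec);
    int leaked = fd < 0 ? -1 : fd_survives_exec(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("no FD_CLOEXEC -> child sees lock fd: %d\n", lock_leaks_into_child(0));
    printf("FD_CLOEXEC    -> child sees lock fd: %d\n", lock_leaks_into_child(1));
}
```

Under SELinux the same inherited descriptor is what the kernel revalidates against the mount_t domain at exec time, which is where the AVC denial in this report comes from.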
Just now on F-9 I inserted a USB key, and it mounted fine. However, when I went to unmount the key I got the same issue as reported by Matej (except he saw it when mounting):

Summary:
SELinux prevented umount from mounting on the file or directory "/media/.hal-mtab-lock" (type "mnt_t").

Detailed Description:
SELinux prevented umount from mounting a filesystem on the file or directory "/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "mnt_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."

Fix Command:
setsebool -P allow_mount_anyfile=1

Additional Information:
Source Context        system_u:system_r:mount_t:s0
Target Context        system_u:object_r:mnt_t:s0
Target Objects        /media/.hal-mtab-lock [ file ]
Source                umount
Source Path           /bin/umount
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   util-linux-ng-2.13.1-6.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-51.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_mount_anyfile
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.25.3-18.fc9.x86_64 #1 SMP Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count           1
First Seen            Tue 20 May 2008 09:47:35 AM BST
Last Seen             Tue 20 May 2008 09:47:35 AM BST
Local ID              857cab36-8b0f-48f3-929e-447cf191a915
Line Numbers

Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211273255.963:12): avc: denied { read write } for pid=3812 comm="umount" path="/media/.hal-mtab-lock" dev=dm-1 ino=98316 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1211273255.963:12): arch=c000003e syscall=59 success=yes exit=0 a0=403665 a1=7fffaea8f570 a2=7fffaea8fbf8 a3=7fffaea8ef20 items=0 ppid=3811 pid=3812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
(In reply to comment #3)
> I got the same issue as reported by Matej (except he saw it
> when mounting):

That's not correct -- it was unmounting as well.
Created attachment 306124
Close lock file descriptor on exec

Should also be applied to rawhide
*** Bug 447638 has been marked as a duplicate of this bug. ***
*** Bug 447967 has been marked as a duplicate of this bug. ***
Daniel Walsh's patch is not in the upstream repository yet. Is anyone assigned to this bug that can address it? Are we to manually recompile with this patch to see if the problem is resolved?
*** Bug 449873 has been marked as a duplicate of this bug. ***
*** Bug 449678 has been marked as a duplicate of this bug. ***
*** Bug 450165 has been marked as a duplicate of this bug. ***
*** Bug 450386 has been marked as a duplicate of this bug. ***
*** Bug 450055 has been marked as a duplicate of this bug. ***
I've got this one.
FWIW, I've been running hal with Dan's patch for a few weeks now and have not noticed any problems in my normal use. It does indeed quiet the selinux warnings.
hal-0.5.11-2.fc9 has been submitted as an update for Fedora 9
I've also sent this upstream for review. Todd - can you comment on the update in bodhi and give it some karma? Thanks.
hal-0.5.11-2.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update hal'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5311
Committed upstream.
hal-0.5.11-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
It's working for me just fine, and has been for quite some time. Thanks for this.