Bug 447195 - SELinux prevented umount from mounting on the file or directory "/media/.hal-mtab-lock" (type "mnt_t").
Summary: SELinux prevented umount from mounting on the file or directory "/media/.hal-...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: hal
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: David Zeuthen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Duplicates: 447638 447967 449678 449873 450055 450165 450386
Depends On:
Blocks:
 
Reported: 2008-05-18 18:52 UTC by Matěj Cepl
Modified: 2018-04-11 13:38 UTC (History)
CC List: 20 users

Clone Of:
Last Closed: 2008-06-14 04:15:50 UTC


Attachments
Close lock file descriptor on exec (439 bytes, patch)
2008-05-20 14:12 UTC, Daniel Walsh

Description Matěj Cepl 2008-05-18 18:52:06 UTC
Description of problem:

I understand what sealert is saying, and that I could set the boolean to make it
work, but in my (not so) humble opinion this should be allowed for hal (or
whoever is calling {u,}mount) by default. The only thing I was doing was
inserting a USB drive into a USB port. When hal automagically mounts such a drive,
it shouldn't be interrupted by SELinux complaining, right?

restorecon on /media/.hal-mtab-lock hasn't changed anything.

Summary:

SELinux prevented umount from mounting on the file or directory
"/media/.hal-mtab-lock" (type "mnt_t").

Detailed Description:

[SELinux is in permissive mode; the operation would have been denied, but it was
allowed because of permissive mode.]

SELinux prevented umount from mounting a filesystem on the file or directory
"/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting
of filesystems to only some files or directories (those with types that have the
mountpoint attribute). The type "mnt_t" does not have this attribute. You can
either relabel the file or directory or set the boolean "allow_mount_anyfile" to
true to allow mounting on any file or directory.

Allowing Access:

Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."

Fix Command:

setsebool -P allow_mount_anyfile=1

Additional Information:

Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:mnt_t
Target Objects                /media/.hal-mtab-lock [ file ]
Source                        umount
Source Path                   /bin/umount
Port                          <Unknown>
Host                          viklef
Source RPM Packages           util-linux-ng-2.13.1-6.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_mount_anyfile
Host Name                     viklef
Platform                      Linux viklef 2.6.25.3-18.fc9.i686 #1 SMP Tue May
                              13 05:38:53 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sun 18 May 2008 20:20:24 CEST
Last Seen                     Sun 18 May 2008 20:20:24 CEST
Local ID                      0af0006f-b78d-49c7-a5d7-4cd8da208432
Line Numbers                  

Raw Audit Messages            

host=viklef type=AVC msg=audit(1211134824.832:62): avc:  denied  { write } for 
pid=18600 comm="umount" path="/media/.hal-mtab-lock" dev=dm-0 ino=5521718
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0
tclass=file

host=viklef type=SYSCALL msg=audit(1211134824.832:62): arch=40000003 syscall=11
success=yes exit=0 a0=804b14d a1=bfab88f0 a2=bfab8e6c a3=804b14d items=0
ppid=18599 pid=18600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount"
subj=system_u:system_r:mount_t:s0 key=(null)

Version-Release number of selected component (if applicable):
util-linux-ng-2.13.1-6.fc9.i386
selinux-policy-targeted-3.3.1-51.fc9.noarch

Comment 1 Karel Zak 2008-05-19 09:23:35 UTC
I guess that the /media/.hal-mtab-lock is HAL stuff.

Comment 2 Daniel Walsh 2008-05-20 00:36:52 UTC
I think this is a leaked file descriptor from HAL.  HAL opens the lock file for
write and then fails to call fcntl(fd, F_SETFD, FD_CLOEXEC).

When the confined mount program runs, the SELinux kernel notices the open file
descriptor, checks the domain to see if it has access, then closes it with the
error.

I believe the mount would have succeeded in enforcing mode.

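The mechanism Dan describes in comment 2 is reproducible without HAL or SELinux: a descriptor that lacks the close-on-exec flag is inherited by every program the daemon spawns, and the SYSCALL records quoted above show the AVC being raised on execve (syscall 11 on i386, syscall 59 on x86_64), i.e. at the moment /bin/umount inherits it. The C program below is an added example written for this page; it is not HAL's code and not the attached patch. It assumes a lock taken with fcntl() on a constructed temporary file (the page only says HAL opens the lock file for write, not how it locks it), and it checks inheritance by exec'ing /bin/sh and probing /proc/self/fd. It also shows the O_CLOEXEC open flag, which sets the same flag as fcntl(fd, F_SETFD, FD_CLOEXEC) but without the window between open() and fcntl() in which another thread's fork()+exec() can still leak the descriptor.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not HAL's code: open a lock file for writing and take an
 * exclusive fcntl() lock on it (an assumed locking scheme).  With
 * close_on_exec set, the descriptor carries the close-on-exec flag, so a
 * helper such as /bin/umount spawned later does not inherit it.  O_CLOEXEC
 * (Linux 2.6.23+) sets the flag atomically at open(); the after-the-fact
 * equivalent is fcntl(fd, F_SETFD, FD_CLOEXEC).
 * Returns the descriptor, or -1 on error. */
int open_lock(const char *path, int close_on_exec)
{
    int flags = O_WRONLY | O_CREAT | (close_on_exec ? O_CLOEXEC : 0);
    int fd = open(path, flags, 0644);
    if (fd < 0)
        return -1;

    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    if (fcntl(fd, F_SETLK, &fl) < 0) {   /* another process holds the lock */
        close(fd);
        return -1;
    }
    return fd;
}

/* fork() and exec() a fresh /bin/sh that tests whether descriptor number fd
 * still exists in its own table (/proc/self/fd/<n>).  This is the same
 * inheritance path on which SELinux checks the new domain's access to the
 * open file.  Returns 1 if the descriptor survived exec, 0 if it was
 * closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)      /* /bin/sh itself failed to exec */
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a throwaway lock file (constructed path, not /media/.hal-mtab-lock),
 * lock it with or without close-on-exec, and report whether the descriptor
 * reaches an exec()'d child: 1 = leaked, 0 = closed on exec, -1 = error. */
int lock_fd_leaks(int close_on_exec)
{
    char path[] = "/tmp/hal-mtab-lock-example-XXXXXX";
    int t = mkstemp(path);
    if (t < 0)
        return -1;
    close(t);

    int fd = open_lock(path, close_on_exec);
    int leaked = fd < 0 ? -1 : fd_survives_exec(fd);
    if (fd >= 0)
        close(fd);                        /* also releases the fcntl() lock */
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("lock fd without close-on-exec leaks into child: %d\n", lock_fd_leaks(0));
    printf("lock fd with    close-on-exec leaks into child: %d\n", lock_fd_leaks(1));
    return 0;
}
```

Run as an unprivileged user: the first line reports 1 (the child still sees the lock file descriptor, which is the state that makes a confined umount_t/mount_t process trip the AVC), the second reports 0. The same probe against a live daemon is `ls -l /proc/<pid>/fd`, which lists every descriptor its children would inherit unless marked close-on-exec.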
Comment 3 Jonathan Underwood 2008-05-20 08:52:24 UTC
Just now on F-9 I inserted a USB key, and it mounted fine. However, when I went
to unmount the key I got the same issue as reported by Matej (except he saw it
when mounting):


Summary:

SELinux prevented umount from mounting on the file or directory
"/media/.hal-mtab-lock" (type "mnt_t").

Detailed Description:

SELinux prevented umount from mounting a filesystem on the file or directory
"/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting
of filesystems to only some files or directories (those with types that have the
mountpoint attribute). The type "mnt_t" does not have this attribute. You can
either relabel the file or directory or set the boolean "allow_mount_anyfile" to
true to allow mounting on any file or directory.

Allowing Access:

Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."

Fix Command:

setsebool -P allow_mount_anyfile=1

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:mnt_t:s0
Target Objects                /media/.hal-mtab-lock [ file ]
Source                        umount
Source Path                   /bin/umount
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           util-linux-ng-2.13.1-6.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_mount_anyfile
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.3-18.fc9.x86_64
                              #1 SMP Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 20 May 2008 09:47:35 AM BST
Last Seen                     Tue 20 May 2008 09:47:35 AM BST
Local ID                      857cab36-8b0f-48f3-929e-447cf191a915
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1211273255.963:12): avc:  denied 
{ read write } for  pid=3812 comm="umount" path="/media/.hal-mtab-lock" dev=dm-1
ino=98316 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1211273255.963:12):
arch=c000003e syscall=59 success=yes exit=0 a0=403665 a1=7fffaea8f570
a2=7fffaea8fbf8 a3=7fffaea8ef20 items=0 ppid=3811 pid=3812 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)

Comment 4 Matěj Cepl 2008-05-20 13:33:17 UTC
(In reply to comment #3)
> I got the same issue as reported by Matej (except he saw it
> when mounting):

That's not correct -- it was unmounting as well.

Comment 5 Daniel Walsh 2008-05-20 14:12:27 UTC
Created attachment 306124 [details]
Close lock file descriptor on exec

Should also be applied to rawhide

Comment 6 Martin Naď 2008-05-20 22:10:31 UTC
*** Bug 447638 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2008-05-23 16:04:03 UTC
*** Bug 447967 has been marked as a duplicate of this bug. ***

Comment 8 Eric Mertens 2008-05-30 22:29:04 UTC
Daniel Walsh's patch is not in the upstream repository yet. Is anyone assigned
to this bug that can address it? Are we to manually recompile with this patch to
see if the problem is resolved?

Comment 9 Daniel Walsh 2008-06-04 15:29:21 UTC
*** Bug 449873 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2008-06-04 17:50:22 UTC
*** Bug 449678 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2008-06-05 18:25:00 UTC
*** Bug 450165 has been marked as a duplicate of this bug. ***

Comment 12 Daniel Walsh 2008-06-10 20:25:24 UTC
*** Bug 450386 has been marked as a duplicate of this bug. ***

Comment 13 Karel Zak 2008-06-12 13:35:59 UTC
*** Bug 450055 has been marked as a duplicate of this bug. ***

Comment 14 Richard Hughes 2008-06-12 14:14:23 UTC
I've got this one.

Comment 15 Todd Zullinger 2008-06-12 15:33:10 UTC
FWIW, I've been running hal with Dan's patch for a few weeks now and have not
noticed any problems in my normal use.  It does indeed quiet the SELinux warnings.

Comment 16 Fedora Update System 2008-06-12 16:04:36 UTC
hal-0.5.11-2.fc9 has been submitted as an update for Fedora 9

Comment 17 Richard Hughes 2008-06-12 16:14:08 UTC
I've also sent this upstream for review. Todd - can you comment on the update in
Bodhi and give it some karma? Thanks.

Comment 18 Fedora Update System 2008-06-13 02:28:08 UTC
hal-0.5.11-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update hal'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5311

Comment 19 Richard Hughes 2008-06-13 07:16:52 UTC
Committed upstream.

Comment 20 Fedora Update System 2008-06-14 04:15:46 UTC
hal-0.5.11-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2008-07-26 06:03:36 UTC
hal-0.5.11-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Andrig Miller 2008-07-28 20:57:24 UTC
It's working for me just fine, and has been for quite some time.  Thanks for this.

