Bug 448240 - SELinix denied access to /bin/mount
SELinix denied access to /bin/mount
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ypbind (Show other bugs)
9
i386 Linux
low Severity low
: ---
: ---
Assigned To: Vitezslav Crhonek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-24 17:11 EDT by Eugene Kanter
Modified: 2008-06-28 18:16 EDT (History)
3 users (show)

See Also:
Fixed In Version: 1.20.4-6.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-28 18:16:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Kanter 2008-05-24 17:11:58 EDT
Description of problem:

This is the first alert on updated Fedora 9 system, was doing rsync network
transfer for a while, nfs server is on and an one client mounts an exported folder.

Summary:

SELinux is preventing mount (mount_t) "read write" to socket (automount_t).

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is
required by mount and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:system_r:automount_t:s0
Target Objects                socket [ tcp_socket ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          viao590
Source RPM Packages           util-linux-ng-2.13.1-6.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     viao590
Platform                      Linux viao590 2.6.25.3-18.fc9.i686 #1 SMP Tue May
                              13 05:38:53 EDT 2008 i686 i686
Alert Count                   52
First Seen                    Sat 24 May 2008 12:25:17 PM EDT
Last Seen                     Sat 24 May 2008 04:58:03 PM EDT
Local ID                      183b3351-3aed-41f2-b916-c75f7548bac8
Line Numbers                  

Raw Audit Messages            

host=viao590 type=AVC msg=audit(1211662683.557:134): avc:  denied  { read write
} for  pid=15123 comm="mount" path="socket:[258766]" dev=sockfs ino=258766
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0
tclass=tcp_socket

host=viao590 type=SYSCALL msg=audit(1211662683.557:134): arch=40000003
syscall=11 success=yes exit=0 a0=b7b7f9dd a1=b7b7f940 a2=b9bb41e0 a3=1494
items=0 ppid=2000 pid=15123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount"
subj=system_u:system_r:mount_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-05-27 12:30:45 EDT
Are you using ldap for authentication?

Comment 2 Eugene Kanter 2008-05-28 16:40:02 EDT
no, NIS, which may or may not be configured at the time the error happened.
Comment 3 Daniel Walsh 2008-05-29 08:36:36 EDT
getsebool allow_ypbind

If not set turn it on

setsebool -P allow_ypbind 1
Comment 4 Eugene Kanter 2008-06-04 14:55:28 EDT
I do not see this particular error anymore even though I have not used any
setsebool commands.

I observe some anomalies with ypbind. When I bring NIS server down sometimes
ypbind service returns [OK] during system startup. This results in login trying
to connect to yp and timing out after 60 seconds making console login 100%
impossible. This behavior is not always reproducible.

When NIS is down and system started up successfully I see messages from SELinux
denying access to yp subsystem from login, sendmail.sendmail and gdm-simple-slave.

Do I really have to run

setsebool -P allow_ypbind 1

by hand? Isn't it a system-config-authentication responsibility?
Comment 5 Daniel Walsh 2008-06-05 15:15:28 EDT
Theoretically yes.  You can open a bugzilla on that.

If you run the command, you should be all set.
Comment 6 Tomas Mraz 2008-06-06 08:35:28 EDT
'setsebool -P allow_ypbind 1' was dropped from authconfig because this command
should be and is called by the /etc/init.d/ypbind init script. The init script
disables the boolean on shutdown so it is to be expected that there will be
SELinux denials from the services doing nis lookups.

Either ypbind initscript should not disable the boolean on shutdown or perhaps
the policy should be modified to switch the rules to dontaudit when the boolean
is off instead of disabling the rules completely.
Comment 7 Fedora Update System 2008-06-10 10:10:39 EDT
ypbind-1.20.4-6.fc9 has been submitted as an update for Fedora 9
Comment 8 Daniel Walsh 2008-06-10 14:12:39 EDT
The problem is that libc or other parts of the system know the system is using
NIS before the ypbind init script starts.  So if the boolean is not set
permanantly, the system will generate AVC messages before the script is executed.
Comment 9 Tomas Mraz 2008-06-10 15:08:41 EDT
So do you think that enabling the boolean (with -P) in s-c-a should be readded
back to the authconfig? I have no problem with this.
Comment 10 Daniel Walsh 2008-06-10 16:41:20 EDT
Yes that is fine.

Comment 11 Fedora Update System 2008-06-11 00:35:10 EDT
ypbind-1.20.4-6.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ypbind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5190
Comment 12 Vitezslav Crhonek 2008-06-11 04:32:41 EDT
I removed allow_ypbind SELinux boolean disabling on service shutdown in
ypbind-1.20.4-6.fc9. So this will not fix this issue, as I see in comment #8.

It's possible to enable the boolean (with -P) during %post in ypbind, but what
if ypbind is installed before SELinux?

Otherwise it should be re-enabled in authconfig.
Comment 13 Tomas Mraz 2008-06-11 06:38:42 EDT
(In reply to comment #12)
> I removed allow_ypbind SELinux boolean disabling on service shutdown in
> ypbind-1.20.4-6.fc9. So this will not fix this issue, as I see in comment #8.
Yes, it will not fix it completely but I think it is OK that you removed it anyway.

> It's possible to enable the boolean (with -P) during %post in ypbind, but what
> if ypbind is installed before SELinux?

I don't think that adding that to %post is appropriate, I'll fix authconfig instead.
Comment 14 Fedora Update System 2008-06-28 18:16:14 EDT
ypbind-1.20.4-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.