Bug 466778 - avc: denied write comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Product: Fedora
Classification: Fedora
Component: autofs
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jeff Moyer
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Reported: 2008-10-13 11:40 EDT by Orion Poplawski
Modified: 2008-10-15 16:14 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-10-15 16:14:25 EDT

Description Orion Poplawski 2008-10-13 11:40:05 EDT
Seeing lots of:

Oct 13 09:31:00 makani kernel: type=1400 audit(1223911860.885:106): avc:  denied  { write }for  pid=19680 comm="umount" path=2F7661722F6366656E67696E652F6F7574707574732F63665F6D616B616E695F636F72615F6E7772615F636F6D5F323030382D31302D31322D2D31352D30302D30325F31323233383435323032202864656C6574656429 dev=sda6 ino=63815 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):
Comment 1 Ian Kent 2008-10-14 08:25:13 EDT
Isn't this the same as bug 390591?
Comment 2 Daniel Walsh 2008-10-15 10:22:48 EDT
Certainly looks like a leaked file descriptor.  Although there is a log file with a space in the name?

ausearch -i -m avc

will translate the path above.
Comment 3 Orion Poplawski 2008-10-15 12:03:09 EDT
ausearch -i -m avc -if /var/log/messages | grep umount

type=AVC msg=audit(10/13/2008 08:03:17.848:98) : avc:  denied  { write } for  pid=14546 comm=umount path=/var/cfengine/outputs/cf_makani_cora_nwra_com_2008-10-12--15-00-02_1223845202 (deleted) dev=sda6 ino=63815 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Okay, I think I know what's going on.  autofs has been crashing and I have configured cfengine to restart autofs if it died.  So the leaked mount descriptors are going to the cfengine log.  But it still seems a little different than 390591 since that is a "read" denial.  This also may be more a cfengine issue than autofs.
Comment 4 Daniel Walsh 2008-10-15 16:14:25 EDT
Yes, the problem is cfengine is leaking the file descriptor to autofs, which is leaking to mount.

Fix cfengine or add a local customization.
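
The hex-encoded `path=` value in the description is how the kernel audit code writes a string that contains a space, a double quote or a non-printable character; plain strings are written quoted instead. As an added example (not part of the original bug report), this Python parser decodes such fields in an AVC record and flags the ` (deleted)` suffix that marks an open descriptor to an unlinked file. The sample record, its path, pid and inode are constructed, and the function names are this example's own.

```python
import re

# Fields that carry untrusted strings: quoted when plain, bare uppercase hex
# when they contain a space, a double quote or a non-printable character.
STRING_FIELDS = {"comm", "exe", "name", "path"}
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def decode_value(key, raw):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    # Only string fields are hex-decoded: pid=4242 or ino=1234 would also
    # look like valid hex, so numeric fields are left untouched.
    if key in STRING_FIELDS and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    # Returns the record's fields as a dict, or None if it is not an AVC line.
    if "avc:" not in line:
        return None
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    rec["denied"] = "denied" in line.split("avc:", 1)[1].split("{", 1)[0]
    # The kernel appends " (deleted)" to the path of an unlinked file that
    # is still held open, which is typical of an inherited descriptor.
    rec["deleted"] = rec.get("path", "").endswith(" (deleted)")
    return rec


# Constructed sample shaped like the record in the description.
SAMPLE_PATH = "/var/log/example/run_2008-10-12.out (deleted)"
SAMPLE = (
    "kernel: type=1400 audit(1223911860.885:106): avc:  denied  { write }for  "
    'pid=4242 comm="umount" path=' + SAMPLE_PATH.encode().hex().upper() +
    " dev=sda6 ino=1234 scontext=system_u:system_r:mount_t:s0 "
    "tcontext=system_u:object_r:var_log_t:s0 tclass=file"
)

if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["comm"], rec["perms"], repr(rec["path"]), rec["deleted"])
```

The decoded path ends in ` (deleted)`, which accounts for the space that forced hex encoding in the first place.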