Bug 483576 - SELinux is preventing automount (automount_t) "signal" mount_t.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance

Reported: 2009-02-02 09:54 EST by Mike C
Modified: 2009-07-15 16:42 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-15 16:42:16 EDT
Description Mike C 2009-02-02 09:54:15 EST
Description of problem:
Automount of a server Windows share is set up with autofs. On access I am getting AVC popups.


Version-Release number of selected component (if applicable):
autofs-5.0.3-36.i386
selinux-policy-targeted-3.5.13-40.fc10.noarch

How reproducible: Presumably every time


Steps to Reproduce:
1. Add lines to /etc/auto.misc as
fdrive -fstype=cifs,rw,noperm,user=mike,password=xxxxxxxx,uid=mike,gid=mike ://rentedfs1.york.ac.uk/phys
2. Access by doing say  "ls /misc/fdrive"
3. Get avc popup
  
Actual results:

Detailed Description: SELinux denied access requested by automount. It is not expected that this access is required by automount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. 

Additional Information

Source Context:  system_u:system_r:automount_t:s0
Target Context:  system_u:system_r:mount_t:s0
Target Objects:  None [ process ]
Source:  automount
Source Path:  /usr/sbin/automount
Port:  <Unknown>
Host:  gestalt.york.ac.uk
Source RPM Packages:  autofs-5.0.3-36
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-40.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  gestalt.york.ac.uk
Platform:  Linux gestalt.york.ac.uk 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 i686
Alert Count:  3
First Seen:  Mon 02 Feb 2009 01:59:49 PM GMT
Last Seen:  Mon 02 Feb 2009 02:15:41 PM GMT
Local ID:  c6948cb2-8ed6-484d-aa4c-f3d7f18e873e
Line Numbers:  
Raw Audit Messages:

node=gestalt.york.ac.uk type=AVC msg=audit(1233584141.644:42): avc: denied { signal } for pid=12937 comm="automount" scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process

node=gestalt.york.ac.uk type=SYSCALL msg=audit(1233584141.644:42): arch=40000003 syscall=37 success=no exit=-13 a0=328a a1=f a2=5322b4 a3=b7bd0730 items=0 ppid=1 pid=12937 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="automount" exe="/usr/sbin/automount" subj=system_u:system_r:automount_t:s0 key=(null) 


Expected results: No avc denial


Additional info: Popup appears to be timed when the automounted directory is released rather than when it is mounted!

Comment 1 Daniel Walsh 2009-02-02 11:34:07 EST
Miroslav, this is already in Rawhide policy so it should be added to F9 and F10 policy.
Comment 2 Miroslav Grepl 2009-02-03 14:02:21 EST
Fixed in selinux-policy-3.5.13-42.fc10
Comment 3 Carl Roth 2009-06-07 15:20:32 EDT
I'm also getting a similar AVC with F11 (selinux-policy-targeted-3.6.12-39.fc11).  This system is auto-mounting nfs4 filesystems.

Summary:

SELinux is preventing automount (rpcd_t) "signal" automount_t.

Detailed Description:

SELinux denied access requested by automount. It is not expected that this
access is required by automount and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:rpcd_t:s0
Target Context                system_u:system_r:automount_t:s0
Target Objects                None [ process ]
Source                        automount
Source Path                   /usr/sbin/automount
Port                          <Unknown>
Host                          t60.ursus.net
Source RPM Packages           autofs-5.0.4-25
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     t60.ursus.net
Platform                      Linux t60.ursus.net 2.6.29.4-167.fc11.i686.PAE #1
                              SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count                   46
First Seen                    Fri May  8 09:38:30 2009
Last Seen                     Sun Jun  7 12:15:04 2009
Local ID                      6c35d7f0-704f-4e4c-9f71-7754693c7dbe
Line Numbers                  

Raw Audit Messages            

node=t60.ursus.net type=AVC msg=audit(1244402104.275:34): avc:  denied  { signal } for  pid=3080 comm="automount" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=process

node=t60.ursus.net type=SYSCALL msg=audit(1244402104.275:34): arch=40000003 syscall=33 success=yes exit=0 a0=24a9b38 a1=0 a2=c462ec a3=b48f57b0 items=0 ppid=2044 pid=3080 auid=4294967295 uid=0 gid=0 euid=494 suid=0 fsuid=494 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="automount" exe="/usr/sbin/automount" subj=system_u:system_r:automount_t:s0 key=(null)
Comment 4 Daniel Walsh 2009-06-08 08:41:01 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-47.fc11.noarch

Miroslav, add this to F10 also.
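
An added example, not part of the original thread and not audit2allow's own code: the mapping from AVC records to allow rules, with a filter on comm so that only the automount denials end up in a local module rather than every AVC in the log. The first two sample records are the ones quoted in this bug; the third record and the names parse_avc and allow_rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Records 1-2 are the AVC lines quoted in this bug. Record 3 is constructed: an
# unrelated denial that "grep avc" would also feed into the generated module.
SAMPLE_LOG = """\
node=gestalt.york.ac.uk type=AVC msg=audit(1233584141.644:42): avc: denied { signal } for pid=12937 comm="automount" scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
node=t60.ursus.net type=AVC msg=audit(1244402104.275:34): avc:  denied  { signal } for  pid=3080 comm="automount" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=process
type=AVC msg=audit(1244402200.000:35): avc:  denied  { read write } for  pid=4000 comm="exampled" name="example.db" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # An SELinux context is user:role:type:level; policy rules use the type.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def allow_rules(log_text, comm=None):
    """Build allow rules from denials, optionally only those from one command."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec["comm"] != comm):
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules
```

With audit2allow -M, the same review can be done on the generated mypol.te before running semodule -i mypol.pp.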
Comment 5 Miroslav Grepl 2009-06-08 10:10:47 EDT
Ok, I will add it to selinux-policy-3.5.13-64.fc10
Comment 6 Mike C 2009-07-15 16:40:57 EDT
This no longer gives denials in my system F10 - so this bug can be closed.
