Bug 500943 - SELinux is preventing mount (mount_t) "read" sysfs_t
SELinux is preventing mount (mount_t) "read" sysfs_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 517000
  Show dependency treegraph
 
Reported: 2009-05-14 23:18 EDT by Ralf Corsepius
Modified: 2010-05-07 10:04 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-20 04:28:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ralf Corsepius 2009-05-14 23:18:30 EDT
Description of problem:

Whenever I plug-in a wired ethernet to a system running NetworkManager, I am observing a series of SELinux alerts similar to this:

May 15 05:02:09 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 5b990766-fdec-44bb-9960-1cb30c15597e
May 15 05:02:10 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 3f7edc52-ce3e-4681-a8ec-769dfdabff9b
May 15 05:02:11 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 7b00c48a-9845-4786-aaa2-24f99dab8d44
May 15 05:02:12 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l abab990d-1af2-4c44-9436-ec4e74a14a64
May 15 05:02:12 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 3f7edc52-ce3e-4681-a8ec-769dfdabff9b
May 15 05:02:13 columbo setroubleshoot: SELinux is preventing mount (mount_t) "read" sysfs_t. For complete SELinux messages. run sealert -l 7b00c48a-9845-4786-aaa2-24f99dab8d44

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-34.fc11.noarch
selinux-policy-3.6.12-34.fc11.noarch

How reproducible:
Always, on one machine.
On a second (different) machine with a very similar setup, this doesn't happen.

Steps to Reproduce:
1. Boot machine, login
2. unplug ethernet cable, wait for a couple of minutes
3. plug in ethernet cable
  
Actual results:
Sealerts pop up.

Expected results:
No alerts.

Additional info:

* All sealerts contain something similar to this, except that individual sealerts refer to other "dm-X" (dm-0 .. dm-3):
...
Raw Audit Messages            

node=columbo type=AVC msg=audit(1242356523.274:203): avc:  denied  { read } for  pid=1252 comm="mount" name="dm-3" dev=sysfs ino=7197 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

node=columbo type=SYSCALL msg=audit(1242356523.274:203): arch=40000003 syscall=5 success=no exit=-13 a0=bf95fa0c a1=98800 a2=8e1100 a3=bf95fa0c items=0 ppid=1230 pid=1252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
...

Unfortunately this leaves me rather clueless.

* touch .autorelabel + reboot does not help.
Comment 1 Bug Zapper 2009-06-09 11:50:52 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Alexander Holler 2009-08-08 12:29:06 EDT
I'm getting the same audit messages with F11.
Comment 3 Alexander Holler 2009-08-08 12:35:54 EDT
Output from sealert:

Summary:

SELinux is preventing mount (mount_t) "read" sysfs_t.

Detailed Description:

...

Additional Information:

Source Context                system_u:system_r:mount_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys/block/dm-10 [ lnk_file ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          krabat.ahsoftware
Source RPM Packages           util-linux-ng-2.14.2-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-69.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     krabat.ahsoftware
Platform                      Linux krabat.ahsoftware
                              2.6.29.6-217.2.3.fc11.x86_64 #1 SMP Wed Jul 29
                              16:02:42 EDT 2009 x86_64 x86_64
Alert Count                   20
First Seen                    Mon Jul 27 11:18:25 2009
Last Seen                     Sat Aug  8 18:21:07 2009
Local ID                      4e8e103c-8546-4172-b63b-bc6efdabb21e
Line Numbers

Raw Audit Messages

node=krabat.ahsoftware type=AVC msg=audit(1249748467.276:116): avc:  denied  { read } for  pid=2958 comm="mount" name="dm-10" dev=sysfs ino=7859 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

node=krabat.ahsoftware type=SYSCALL msg=audit(1249748467.276:116): arch=c000003e syscall=2 success=no exit=-13 a0=7fff4dd5ae00 a1=90800 a2=7fff4dd5ae17 a3=fffffffb items=0 ppid=2956 pid=2958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
Comment 4 Daniel Walsh 2009-08-10 10:06:50 EDT
Fixed in selinux-policy-3.6.26-9.fc12.noarch
Comment 5 Ralf Corsepius 2009-08-10 10:30:57 EDT
Reopening, this bug was filed against FC11. Fixed RAWHIDE is not a solution
Comment 6 Daniel Walsh 2009-08-10 13:02:49 EDT
Miroslav add

dev_read_sysfs(mount_t)
Comment 7 Miroslav Grepl 2009-08-11 06:31:12 EDT
Fixed in selinux-policy-3.6.12-75.fc11
Comment 8 Miroslav Grepl 2010-01-20 04:28:55 EST
Closing all bugs that have been in modified for over a month.  Please reopen if
the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.