Summary:

SELinux is preventing /bin/mount "mount" access on /.

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is required by mount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                system_u:system_r:mount_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.16-10.2.fc12
Target RPM Packages           filesystem-2.4.30-2.fc12
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 18 Nov 2009 06:06:50 PM PST
Last Seen                     Wed 18 Nov 2009 06:06:50 PM PST
Local ID                      19026b15-7436-42bc-bada-8a9ac7a5f8ef
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258596410.486:40029): avc: denied { mount } for pid=5704 comm="mount" name="/" dev=sdd1 ino=676 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=(removed) type=SYSCALL msg=audit(1258596410.486:40029): arch=c000003e syscall=165 success=no exit=-13 a0=7f6b883d02d0 a1=7f6b883d02f0 a2=7f6b883d0310 a3=ffffffffc0ed0007 items=0 ppid=3493 pid=5704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,mount,mount_t,unlabeled_t,filesystem,mount

audit2allow suggests:

#============= mount_t ==============
allow mount_t unlabeled_t:filesystem mount;
I saw this denial pop up a few seconds after plugging a USB flash memory into the computer. From my /var/log/messages, it sure looks related. Should USB flash still be mountable in the default location in /media with SELinux active?

Nov 18 18:06:45 arbol kernel: usb 1-3: new high speed USB device using ehci_hcd and address 7
Nov 18 18:06:45 arbol kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=6200
Nov 18 18:06:45 arbol kernel: usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov 18 18:06:45 arbol kernel: usb 1-3: Product: Generic USB2.0 card
Nov 18 18:06:45 arbol kernel: usb 1-3: Manufacturer: Silicon Motion, Inc.
Nov 18 18:06:45 arbol kernel: usb 1-3: SerialNumber: 12345678901234567890
Nov 18 18:06:45 arbol kernel: usb 1-3: configuration #1 chosen from 1 choice
Nov 18 18:06:45 arbol kernel: Initializing USB Mass Storage driver...
Nov 18 18:06:45 arbol kernel: scsi8 : SCSI emulation for USB Mass Storage devices
Nov 18 18:06:45 arbol kernel: usbcore: registered new interface driver usb-storage
Nov 18 18:06:45 arbol kernel: USB Mass Storage support registered.
Nov 18 18:06:50 arbol kernel: scsi 8:0:0:0: Direct-Access     Generic  USB SD Reader    1.00 PQ: 0 ANSI: 0 CCS
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: Attached scsi generic sg4 type 0
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] 1984000 512-byte logical blocks: (1.01 GB/968 MiB)
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Write Protect is off
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Nov 18 18:06:50 arbol kernel:  sdd: sdd1
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Attached SCSI removable disk
Nov 18 18:06:50 arbol kernel: squashfs: version 4.0 (2009/01/31) Phillip Lougher
Nov 18 18:06:52 arbol setroubleshoot: SELinux is preventing /bin/mount "mount" access on /. For complete SELinux messages. run sealert -l 19026b15-7436-42bc-bada-8a9ac7a5f8ef
Nov 18 18:06:53 arbol setroubleshoot: SELinux is preventing /bin/mount "mount" access on /. For complete SELinux messages. run sealert -l 19026b15-7436-42bc-bada-8a9ac7a5f8ef
Does the USB stick have a strange file system on it? Was the stick labeled on a different SELinux system?
It did indeed have something weird. This was actually a micro-sdhc card in a usb stick adaptor. That FS may have originated on a Motorola cell phone. Gparted didn't know what to make of it, but I remember pulling data off of it in the past, so maybe it was just a raw fat-16/32 without a partition label. Should that be an selinux denial though? Is mounting random media on some insignificant leaf directory as long as no-suid/no-sgid/no-dev is enforced really a security issue?
Well unlabeled_t means that SELinux in this case does not know what to make of it. I could allow mount to mount it, but no confined domains would be allowed to use it, since SELinux has no way of determining what it is.
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-48.fc12.noarch
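Before piping a whole audit.log into audit2allow and loading the result with semodule, it is worth seeing exactly which source/target type pairs the generated module would open up, and flagging the unlabeled_t targets that the previous comment explains are a labeling problem rather than a missing rule. The script below is an added example written for this page, not audit2allow's own code or anything from the selinux-policy package. It parses type=AVC records into (source type, target type, class, permissions), merges them into allow rules in the same form as the "audit2allow suggests" line in the report, and reviews each rule. The audit log excerpt is constructed inline: the first two records are the ones quoted in this bug, the third (an httpd_t denial) is made up to show several permissions being merged into one rule.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt. Records 1 and 2 are copied from the report
# above; record 3 is a hypothetical httpd_t denial added only to exercise
# permission merging. None of this is output from a real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1258596410.486:40029): avc: denied { mount } for pid=5704 comm="mount" name="/" dev=sdd1 ino=676 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1258596410.486:40029): arch=c000003e syscall=165 success=no exit=-13 pid=5704 comm="mount" exe="/bin/mount"
type=AVC msg=audit(1258596500.000:40100): avc: denied { read getattr } for pid=5800 comm="httpd" name="notes.txt" dev=sdd1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

# Matches one type=AVC record. "." does not cross newlines, so one record
# per line is parsed even when a node=... prefix precedes "type=AVC".
AVC_RE = re.compile(
    r"\btype=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Third colon-separated field of an SELinux context, e.g. mount_t."""
    return context.split(":")[2]


def parse_avc_denials(audit_text):
    """Return one dict per AVC denial: source/target types, class, perms."""
    denials = []
    for m in AVC_RE.finditer(audit_text):
        denials.append({
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def to_allow_rules(denials):
    """Merge denials into allow rules of the form audit2allow prints."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def review_rules(denials):
    """Warn about rules that only paper over an unlabeled target."""
    warnings = []
    pairs = sorted({(d["source"], d["target"], d["tclass"]) for d in denials})
    for src, tgt, cls in pairs:
        if tgt == "unlabeled_t":
            # Point from the maintainer's comment: allowing this lets only the
            # source domain touch the object; other confined domains stay
            # denied because the object still carries no usable label.
            warnings.append(
                f"{src} -> unlabeled_t:{cls}: target is unlabeled; the rule "
                f"grants {src} alone and leaves other confined domains denied"
            )
    return warnings


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(found):
        print(rule)
    for warning in review_rules(found):
        print("WARNING:", warning)
```

Run it against a real log with `python3 avc_review.py < /var/log/audit/audit.log` after changing the main block to read stdin; the rules it prints for the report's record are the same `allow mount_t unlabeled_t:filesystem mount;` that audit2allow suggested, and the warning tells you that loading such a module makes the device usable for mount_t only.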
Thanks. It's not really a big deal for me. I just reported it because it seemed like it might be selinux over-reacting.
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.