Bug 538667 - SELinux is preventing /bin/mount "mount" access on /.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:1b14f54df3e...
Depends On:
Blocks:
Reported: 2009-11-19 02:11 UTC by Wolfgang Rupprecht
Modified: 2009-12-02 04:38 UTC

Fixed In Version: 3.6.32-49.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-01 16:40:32 UTC
Type: ---
Embargoed:

Description Wolfgang Rupprecht 2009-11-19 02:11:52 UTC
Summary:

SELinux is preventing /bin/mount "mount" access on /.

Detailed Description:

SELinux denied access requested by mount. It is not expected that this access is
required by mount and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Please also file a
bug report.

Additional Information:

Source Context                system_u:system_r:mount_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.16-10.2.fc12
Target RPM Packages           filesystem-2.4.30-2.fc12
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1
                              SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 18 Nov 2009 06:06:50 PM PST
Last Seen                     Wed 18 Nov 2009 06:06:50 PM PST
Local ID                      19026b15-7436-42bc-bada-8a9ac7a5f8ef
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258596410.486:40029): avc:  denied  { mount } for  pid=5704 comm="mount" name="/" dev=sdd1 ino=676 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=(removed) type=SYSCALL msg=audit(1258596410.486:40029): arch=c000003e syscall=165 success=no exit=-13 a0=7f6b883d02d0 a1=7f6b883d02f0 a2=7f6b883d0310 a3=ffffffffc0ed0007 items=0 ppid=3493 pid=5704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,mount,mount_t,unlabeled_t,filesystem,mount
audit2allow suggests:

#============= mount_t ==============
allow mount_t unlabeled_t:filesystem mount;
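
A defender-side check on the raw AVC record above, added here as an example and not part of the report or of setroubleshoot: it parses the denial into its fields, rebuilds the TE rule audit2allow prints, and flags that the target type is unlabeled_t, i.e. the object carries no label SELinux can reason about. The sample line is the AVC record from this report; the SYSCALL fragment in the usage check is a constructed non-AVC line.

```python
import re

# Sample input: the AVC record from the setroubleshoot report above
# (host name already removed in the original).
SAMPLE_AVC = (
    'node=(removed) type=AVC msg=audit(1258596410.486:40029): avc:  denied  '
    '{ mount } for  pid=5704 comm="mount" name="/" dev=sdd1 ino=676 '
    'scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem'
)

# "avc:  denied  { perm ... } for  key=value ..." as written by the kernel.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for a non-AVC line."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:range; the type is the third
    # component (the MLS range after it may itself contain colons).
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def allow_rule(fields):
    """Rebuild the TE allow rule audit2allow would emit for this one denial."""
    perms = ' '.join(fields['perms'])
    if len(fields['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return 'allow %s %s:%s %s;' % (fields['stype'], fields['ttype'],
                                   fields['tclass'], perms)


def triage(fields):
    """Separate denials on unlabeled objects from ordinary type mismatches.
    Allowing mount_t to mount an unlabeled_t filesystem only helps mount
    itself: confined domains still cannot use files SELinux cannot label."""
    if fields['ttype'] == 'unlabeled_t':
        return 'unlabeled-target'
    return 'labeled-target'


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(allow_rule(rec), triage(rec))
```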

Comment 1 Wolfgang Rupprecht 2009-11-19 02:17:22 UTC
I saw this denial pop up a few seconds after plugging a usb flash memory into the computer.  From my /var/log/messages, sure looks related.  Should usb flash still be mountable in the default location in /media with selinux active?

Nov 18 18:06:45 arbol kernel: usb 1-3: new high speed USB device using ehci_hcd and address 7
Nov 18 18:06:45 arbol kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=6200
Nov 18 18:06:45 arbol kernel: usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov 18 18:06:45 arbol kernel: usb 1-3: Product: Generic USB2.0 card 
Nov 18 18:06:45 arbol kernel: usb 1-3: Manufacturer: Silicon Motion, Inc.
Nov 18 18:06:45 arbol kernel: usb 1-3: SerialNumber: 12345678901234567890
Nov 18 18:06:45 arbol kernel: usb 1-3: configuration #1 chosen from 1 choice
Nov 18 18:06:45 arbol kernel: Initializing USB Mass Storage driver...
Nov 18 18:06:45 arbol kernel: scsi8 : SCSI emulation for USB Mass Storage devices
Nov 18 18:06:45 arbol kernel: usbcore: registered new interface driver usb-storage
Nov 18 18:06:45 arbol kernel: USB Mass Storage support registered.
Nov 18 18:06:50 arbol kernel: scsi 8:0:0:0: Direct-Access     Generic  USB  SD Reader   1.00 PQ: 0 ANSI: 0 CCS
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: Attached scsi generic sg4 type 0
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] 1984000 512-byte logical blocks: (1.01 GB/968 MiB)
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Write Protect is off
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Nov 18 18:06:50 arbol kernel: sdd: sdd1
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Nov 18 18:06:50 arbol kernel: sd 8:0:0:0: [sdd] Attached SCSI removable disk
Nov 18 18:06:50 arbol kernel: squashfs: version 4.0 (2009/01/31) Phillip Lougher
Nov 18 18:06:52 arbol setroubleshoot: SELinux is preventing /bin/mount "mount" access on /. For complete SELinux messages. run sealert -l 19026b15-7436-42bc-bada-8a9ac7a5f8ef
Nov 18 18:06:53 arbol setroubleshoot: SELinux is preventing /bin/mount "mount" access on /. For complete SELinux messages. run sealert -l 19026b15-7436-42bc-bada-8a9ac7a5f8ef

Comment 2 Daniel Walsh 2009-11-19 14:44:27 UTC
Does the usb stick have a strange file system on it?  Was the stick labeled on a different SELinux system?

Comment 3 Wolfgang Rupprecht 2009-11-19 16:37:56 UTC
It did indeed have something weird.  This was actually a micro-sdhc card in a usb stick adaptor.  That FS may have originated on a Motorola cell phone.

Gparted didn't know what to make of it, but I remember pulling data off of it in the past, so maybe it was just a raw fat-16/32 without a partition label.

Should that be an SELinux denial though?  Is mounting random media on some insignificant leaf directory as long as no-suid/no-sgid/no-dev is enforced really a security issue?

Comment 4 Daniel Walsh 2009-11-19 18:58:53 UTC
Well unlabeled_t means that SELinux in this case does not know what to make of it.  I could allow mount to mount it, but no confined domains would be allowed to use it, since SELinux has no way of determining what it is.

Comment 5 Daniel Walsh 2009-11-19 19:08:31 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-48.fc12.noarch

Comment 6 Wolfgang Rupprecht 2009-11-19 19:19:03 UTC
Thanks.  It's not really a big deal for me.  I just reported it because it seemed like it might be selinux over-reacting.

Comment 7 Fedora Update System 2009-11-23 23:36:56 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12

Comment 8 Fedora Update System 2009-11-25 15:19:53 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 9 Fedora Update System 2009-12-02 04:31:30 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
