Summary:

SELinux is preventing /usr/libexec/openssh/gnome-ssh-askpass "connectto" access
on @/tmp/.X11-unix/X0.

Detailed Description:

[ssh-askpass has a permissive type (mount_t). This access was not denied.]

SELinux denied access requested by ssh-askpass. It is not expected that this
access is required by ssh-askpass and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Trying to mount sshfs file system using autofs as described here:
http://www.tjansson.dk/?p=84

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects                @/tmp/.X11-unix/X0 [ unix_stream_socket ]
Source                        ssh-askpass
Source Path                   /usr/libexec/openssh/gnome-ssh-askpass
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-askpass-5.4p1-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux sup35.ccdom.wi.mit.edu 2.6.33.3-79.fc13.x86_64
                              #1 SMP Mon May 3 22:37:18 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 14 May 2010 05:40:48 PM EDT
Last Seen                     Fri 14 May 2010 05:47:29 PM EDT
Local ID                      997f253a-c7d1-4e4c-9997-56720495f5fe
Line Numbers

Raw Audit Messages

node=sup35.ccdom.wi.mit.edu type=AVC msg=audit(1273873649.820:29429): avc: denied { connectto } for pid=3280 comm="ssh-askpass" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=sup35.ccdom.wi.mit.edu type=SYSCALL msg=audit(1273873649.820:29429): arch=c000003e syscall=42 success=yes exit=128 a0=3 a1=7fffb8893700 a2=14 a3=7fffb8893703 items=0 ppid=3276 pid=3280 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ssh-askpass" exe="/usr/libexec/openssh/gnome-ssh-askpass" subj=unconfined_u:system_r:mount_t:s0 key=(null)

Hash String generated from catchall,ssh-askpass,mount_t,xserver_t,unix_stream_socket,connectto

audit2allow suggests:

#============= mount_t ==============
allow mount_t xserver_t:unix_stream_socket connectto;

How did you get this to happen? Looks like the mount command is executing some kind of helper app?

(In reply to comment #1)
> How did you get this to happen? Looks like the mount command is executing some
> kind of helper app?

I was trying to mount sshfs file system using autofs as described here:
http://www.tjansson.dk/?p=84

The error happened when I attempted to enter the subdirectory that is supposed
to be mounted by fuse. Since it's over ssh, it's probably trying to run the
helper app that asks for the ssh passphrase.

can you execute

    semanage permissive -a mount_t

And get this to happen again.

Then gather all of the AVC messages using

    ausearch -m avc -ts recent

    semanage permissive -d mount_t

Will remove permissive bits.
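
An added example, not part of the bug thread or of any project's code: a small Python helper for triaging the AVC records that `ausearch -m avc -ts recent` returns, decoding the hex-encoded `path=` field and grouping denials by source type, target type and class. The sample input is the AVC record from this report, embedded as constructed test data; all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in this report.
SAMPLE = (
    'node=sup35.ccdom.wi.mit.edu type=AVC msg=audit(1273873649.820:29429): '
    'avc: denied { connectto } for pid=3280 comm="ssh-askpass" '
    'path=002F746D702F2E5831312D756E69782F5830 '
    'scontext=unconfined_u:system_r:mount_t:s0 '
    'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket\n'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_path(value):
    """Quoted values are literal; unquoted hex is how auditd escapes unsafe bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if not re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return value
    raw = bytes.fromhex(value)
    if raw.startswith(b'\x00'):  # leading NUL: abstract-namespace unix socket
        return '@' + raw[1:].rstrip(b'\x00').decode('utf-8', 'replace')
    return raw.decode('utf-8', 'replace')

def parse_avcs(text):
    """Yield one dict per denied AVC record that carries both contexts and a class."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group(2)))
        if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue
        rec['perms'] = m.group(1).split()
        rec['stype'] = rec['scontext'].split(':')[2]  # user:role:type:level
        rec['ttype'] = rec['tcontext'].split(':')[2]
        rec['comm'] = rec.get('comm', '').strip('"')
        if 'path' in rec:
            rec['path'] = decode_path(rec['path'])
        yield rec

def summarize(text):
    """Map (source type, target type, class) to the sorted permissions denied."""
    rules = defaultdict(set)
    for rec in parse_avcs(text):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in rules.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(perms)} }}')
```

The grouped output shows which domain transitions are actually in play before any rule is written, which here points at ssh-askpass running in mount_t rather than at a missing allow rule.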