Summary: SELinux is preventing /bin/mount "read" access to device sde1. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied mount "read" access to device sde1. sde1 is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v 'sde1'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bg report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for sde1, you can use chcon -t SIMILAR_TYPE 'sde1', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE 'sde1' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application. Allowing Access: Attempt restorecon -v 'sde1' or chcon -t SIMILAR_TYPE 'sde1' Additional Information: Source Context system_u:system_r:mount_t:s0 Target Context system_u:object_r:device_t:s0 Target Objects sde1 [ blk_file ] Source mount Source Path /bin/mount Port <Unknown> Host (removed) Source RPM Packages util-linux-ng-2.17.2-5.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-23.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name device Host Name (removed) Platform Linux (removed) 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64 Alert Count 8 First Seen Do 17 Jun 2010 20:52:06 CEST Last Seen Fr 18 Jun 2010 20:13:33 CEST Local ID f1b0a123-0a14-4ec6-b04b-9eacc4e14866 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1276884813.351:58911): avc: denied { read } for pid=1086 comm="mount" name="sde1" dev=devtmpfs ino=16049012 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file node=(removed) type=AVC msg=audit(1276884813.351:58911): avc: denied { open } for pid=1086 comm="mount" name="sde1" dev=devtmpfs ino=16049012 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file node=(removed) type=SYSCALL msg=audit(1276884813.351:58911): arch=c000003e syscall=2 success=yes exit=4 a0=7fe1893abd20 a1=0 a2=7fff74b939f0 a3=a items=0 ppid=1074 pid=1086 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) Hash String generated from device,mount,mount_t,device_t,blk_file,read audit2allow suggests: #============= mount_t ============== allow mount_t device_t:blk_file { read open };
What created /dev/sde1? This is mislabeled. If this was created via udev it should have had the correct label put on it.
Hm. That's my external harddisk via FireWire. It's plugged in all the time. Hence I guess it's udev creating the device. Note that I suspended and I think the harddisk gets removed and reattached on resume. Maybe that's a problem.
If you run restorecon /dev/sde1 and unplag your hard disk and reattach it, does the label stay correct? ls -lZ /dev/sde1 If you leave it attached and suspend and resume it what does the label say? If you detatch the disk does the device disappear? If so when it comes back is it labeled correctly fixed_disk_device_t?
Before suspend: muelli@bigbox ~ $ ls -lZ /dev/sde1 brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sde1 muelli@bigbox ~ $ muelli@bigbox ~ $ sudo restorecon /dev/sde1 [sudo] password for muelli: muelli@bigbox ~ $ ls -lZ /dev/sde1 brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sde1 muelli@bigbox ~ $ Then unplug and replug: Results in weird nautilus behaviour: It shows "FreeAgent750" (my disk) as being mounted (i.e. with the eject button the the right, in that places pane on the left. Even if I manually umount the disk. Trying to eject via the button yields: "umount: /media/FreeAgent750 mount disagrees with the fstab". And Nautilus mounts the disk to /media/FreeAgent750__ although /etc/fstab dictates /mnt/FreeAgent750: muelli@bigbox ~ $ grep FreeAgent /etc/fstab UUID="f899eb61-3dec-452e-82da-0d764494913a" /media/FreeAgent750 ext3 noatime 0 0 muelli@bigbox ~ $ ls -l /dev/disk/by-uuid/f899eb61-3dec-452e-82da-0d764494913a lrwxrwxrwx. 1 root root 10 18. Jun 22:25 /dev/disk/by-uuid/f899eb61-3dec-452e-82da-0d764494913a -> ../../sdd1 muelli@bigbox ~ $ Anyway, the label is the same: muelli@bigbox ~ $ ls -lZ /dev/sdd1 brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdd1 muelli@bigbox ~ $ Relevant dmesg entries: sd 15:0:0:0: [sde] Unhandled error code sd 15:0:0:0: [sde] Result: hostbyte=DID_BUS_BUSY driverbyte=DRIVER_OK sd 15:0:0:0: [sde] CDB: Read(10): 28 00 30 8c 26 a7 00 01 00 00 end_request: I/O error, dev sde, sector 814491303 sd 15:0:0:0: [sde] Stopping disk sd 15:0:0:0: [sde] START_STOP FAILED sd 15:0:0:0: [sde] Result: hostbyte=DID_BUS_BUSY driverbyte=DRIVER_OK firewire_sbp2: released fw1.0, target 15:0:0 EXT3-fs error (device sde1): ext3_find_entry: reading directory #37085388 offset 0 scsi16 : SBP-2 IEEE-1394 firewire_core: created device fw1: GUID 0020370100002bca, S400 firewire_core: phy config: card 0, new root=ffc0, gap_count=5 firewire_sbp2: fw1.0: logged in to LUN 0000 (0 retries) scsi 16:0:0:0: Direct-Access Seagate FreeAgent Pro 4109 PQ: 0 ANSI: 4 sd 16:0:0:0: Attached scsi generic sg2 type 0 sd 16:0:0:0: [sdd] 1465149168 512-byte logical blocks: (750 GB/698 GiB) sd 16:0:0:0: [sdd] Write Protect is off sd 16:0:0:0: [sdd] Mode Sense: 1c 00 00 00 sd 16:0:0:0: [sdd] Cache data unavailable sd 16:0:0:0: [sdd] Assuming drive cache: write through sd 16:0:0:0: [sdd] Cache data unavailable sd 16:0:0:0: [sdd] Assuming drive cache: write through sdd: sdd1 sd 16:0:0:0: [sdd] Cache data unavailable sd 16:0:0:0: [sdd] Assuming drive cache: write through sd 16:0:0:0: [sdd] Attached SCSI disk kjournald starting. Commit interval 5 seconds EXT3-fs (sdd1): warning: maximal mount count reached, running e2fsck is recommended EXT3-fs (sdd1): using internal journal EXT3-fs (sdd1): recovery complete EXT3-fs (sdd1): mounted filesystem with ordered data mode SELinux: initialized (dev sdd1, type ext3), uses xattr EXT3-fs error (device sde1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sde1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sde1): ext3_find_entry: reading directory #2 offset 0 kjournald starting. Commit interval 5 seconds EXT3-fs (sdd1): warning: maximal mount count reached, running e2fsck is recommended EXT3-fs (sdd1): using internal journal EXT3-fs (sdd1): mounted filesystem with ordered data mode SELinux: initialized (dev sdd1, type ext3), uses xattr EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 kjournald starting. Commit interval 5 seconds EXT3-fs (sdd1): warning: maximal mount count reached, running e2fsck is recommended EXT3-fs (sdd1): using internal journal EXT3-fs (sdd1): mounted filesystem with ordered data mode SELinux: initialized (dev sdd1, type ext3), uses xattr EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 kjournald starting. Commit interval 5 seconds EXT3-fs (sdd1): warning: maximal mount count reached, running e2fsck is recommended EXT3-fs (sdd1): using internal journal EXT3-fs (sdd1): mounted filesystem with ordered data mode SELinux: initialized (dev sdd1, type ext3), uses xattr kjournald starting. Commit interval 5 seconds EXT3-fs (sdd1): warning: maximal mount count reached, running e2fsck is recommended EXT3-fs (sdd1): using internal journal EXT3-fs (sdd1): mounted filesystem with ordered data mode SELinux: initialized (dev sdd1, type ext3), uses xattr EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 After a suspend/resume: I see the SELinux Denial alert libnotify bubble soon: node=(removed) type=AVC msg=audit(1276893214.504:59748): avc: denied { getattr } for pid=14489 comm="mount" path="/dev/sdd" dev=devtmpfs ino=20742198 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file node=(removed) type=SYSCALL msg=audit(1276893214.504:59748): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffd982f8f0 a2=7fffd982f8f0 a3=1 items=0 ppid=14477 pid=14489 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) Some dmesg (only the last few lines): PM: resume of devices complete after 11774.011 msecs PM: Finishing wakeup. Restarting tasks ... done. sd 16:0:0:0: [sdd] Stopping disk sd 16:0:0:0: [sdd] START_STOP FAILED sd 16:0:0:0: [sdd] Result: hostbyte=DID_BUS_BUSY driverbyte=DRIVER_OK firewire_sbp2: released fw1.0, target 16:0:0 scsi17 : SBP-2 IEEE-1394 firewire_core: created device fw1: GUID 0020370100002bca, S400, 1 config ROM retries firewire_sbp2: fw1.0: logged in to LUN 0000 (0 retries) scsi 17:0:0:0: Direct-Access Seagate FreeAgent Pro 4109 PQ: 0 ANSI: 4 EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 sd 17:0:0:0: [sdd] 1465149168 512-byte logical blocks: (750 GB/698 GiB) sd 17:0:0:0: Attached scsi generic sg2 type 0 sd 17:0:0:0: [sdd] Write Protect is off sd 17:0:0:0: [sdd] Mode Sense: 1c 00 00 00 sd 17:0:0:0: [sdd] Cache data unavailable sd 17:0:0:0: [sdd] Assuming drive cache: write through sd 17:0:0:0: [sdd] Cache data unavailable sd 17:0:0:0: [sdd] Assuming drive cache: write through sdd: ATL1E 0000:02:00.0: irq 32 for MSI/MSI-X ADDRCONF(NETDEV_UP): eth0: link is not ready EXT3-fs error (device sdb1): ext3_find_entry: reading directory #2 offset 0 ATL1E 0000:02:00.0: ATL1E: eth0 NIC Link is Up<100 Mbps Full Duplex> ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready sdd1 sd 17:0:0:0: [sdd] Cache data unavailable sd 17:0:0:0: [sdd] Assuming drive cache: write through sd 17:0:0:0: [sdd] Attached SCSI disk kjournald starting. Commit interval 5 seconds EXT3-fs (sdd1): warning: maximal mount count reached, running e2fsck is recommended EXT3-fs (sdd1): using internal journal EXT3-fs (sdd1): recovery complete EXT3-fs (sdd1): mounted filesystem with ordered data mode SELinux: initialized (dev sdd1, type ext3), uses xattr eth0: no IPv6 routers present The label, however, seems to be the same (in fairness, it took me quite some time to issue the ls command): muelli@bigbox ~ $ ls -lZ /dev/sdd1 brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdd1 muelli@bigbox ~ $ ls -lZ /dev/sdd brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdd muelli@bigbox ~ $
This looks like a race condition. When suspend comes up, for a small amount of time, devices must not have labels on them, then udev starts up and fixes everything. Since mount can getattr all blk devices, there is no reason not to add dev_getattr_generic_blk_files(mount_t)
Fixed in selinux-policy-3.7.19-31.fc13.
If this is supposed to work without a reboot than it didn't work. I'll try to report back after I've rebooted.
Doesn't work after a reboot: bug 608403. Oh I just realised in this moment that I don't have selinux-policy-3.7.19-31.fc13 installed. I apparently has not been propagated for updates. Sorry for the noise. I'll wait until the package becomes available.
*** Bug 608403 has been marked as a duplicate of this bug. ***