This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 608403 - SELinux is preventing /bin/mount "getattr" access to device /dev/sdc.
SELinux is preventing /bin/mount "getattr" access to device /dev/sdc.
Status: CLOSED DUPLICATE of bug 605771
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:16118762bc5...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-27 06:30 EDT by Tobias Mueller
Modified: 2010-06-28 07:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-28 07:06:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tobias Mueller 2010-06-27 06:30:54 EDT
Summary:

SELinux is preventing /bin/mount "getattr" access to device /dev/sdc.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied mount "getattr" access to device /dev/sdc. /dev/sdc is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v '/dev/sdc'. If
this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for /dev/sdc, you can use chcon -t
SIMILAR_TYPE '/dev/sdc', If this fixes the problem, you can make this permanent
by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/sdc' If the restorecon
changes the context, this indicates that the application that created the
device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this
application.

Allowing Access:

Attempt restorecon -v '/dev/sdc' or chcon -t SIMILAR_TYPE '/dev/sdc'

Additional Information:

Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/sdc [ blk_file ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.17.2-5.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.x86_64 #1 SMP Fri
                              Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   34
First Seen                    Do 17 Jun 2010 20:52:06 CEST
Last Seen                     So 27 Jun 2010 11:35:24 CEST
Local ID                      a023f1c6-74ca-4680-b292-b563b6a40d31
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277631324.704:28245): avc:  denied  { getattr } for  pid=14677 comm="mount" path="/dev/sdc" dev=devtmpfs ino=6182187 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1277631324.704:28245): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff79661c40 a2=7fff79661c40 a3=1 items=0 ppid=14665 pid=14677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)




I was resuming my suspended machine with my external harddrive attache via FireWire.
See also bug 605771.
Hash String generated from  device,mount,mount_t,device_t,blk_file,getattr
audit2allow suggests:

#============= mount_t ==============
allow mount_t device_t:blk_file getattr;
Comment 1 Miroslav Grepl 2010-06-28 07:06:32 EDT

*** This bug has been marked as a duplicate of bug 605771 ***

Note You need to log in before you can comment on or make changes to this bug.