Bug 620583 - SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt (pam_mount)
SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt (p...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam_mount (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Till Maas
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-02 18:06 EDT by Kevin R. Page
Modified: 2010-10-28 18:20 EDT (History)
2 users (show)

See Also:
Fixed In Version: pam_mount-2.5-1.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-04 00:52:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kevin R. Page 2010-08-02 18:06:31 EDT
pam_mount configured. When logging in via ssh, the mount is fine:

Aug  2 23:01:43 chorlton kernel: EXT4-fs (dm-8): mounted filesystem with ordered data mode
Aug  2 23:01:45 chorlton kernel: EXT4-fs (dm-9): mounted filesystem with ordered data mode

But on logout (and unmount):

Aug  2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:64): umount messages:
Aug  2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:68): HXproc_run_async: umount.crypt: Permission denied
Aug  2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:705): unmount of /dev/chorlton_vg0/chorlton_lv_common_cryptmount failed
Aug  2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:64): umount messages:
Aug  2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:68): HXproc_run_async: umount.crypt: Permission denied
Aug  2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:705): unmount of /dev/chorlton_vg0/chorlton_lv_krp_cryptmount failed
Aug  2 23:02:43 chorlton setroubleshoot: SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt. For complete SELinux messages. run sealert -l 30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d
Aug  2 23:02:43 chorlton setroubleshoot: SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt. For complete SELinux messages. run sealert -l 30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d


# sealert -l 30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d

Summary:

SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt.

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lvm_exec_t:s0
Target Objects                /sbin/mount.crypt [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          chorlton
Source RPM Packages           openssh-server-5.4p1-3.fc13
Target RPM Packages           pam_mount-2.4-2.fc13
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     chorlton
Platform                      Linux chorlton 2.6.33.6-147.fc13.x86_64 #1 SMP Tue
                              Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   57
First Seen                    Mon Aug  2 21:37:42 2010
Last Seen                     Mon Aug  2 23:02:41 2010
Local ID                      30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d
Line Numbers                  

Raw Audit Messages            

node=chorlton type=AVC msg=audit(1280786561.4:34092): avc:  denied  { execute } for  pid=12479 comm="sshd" name="mount.crypt" dev=dm-0 ino=524435 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file

node=chorlton type=SYSCALL msg=audit(1280786561.4:34092): arch=c000003e syscall=59 success=no exit=-13 a0=7fff90feb227 a1=7f631f467ab0 a2=7f631f456ea0 a3=7f631bb54240 items=0 ppid=12371 pid=12479 auid=1976 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=30 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)


/etc/pam.d/sshd :
#%PAM-1.0
auth       required     pam_sepermit.so
auth       optional     pam_mount.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_mount.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
Comment 1 Daniel Walsh 2010-08-03 09:44:01 EDT
Is pam_mount executing mount.crypt directly?  If should be executing umount which would cause the proper transitions to happen.
Comment 2 Till Maas 2010-08-03 10:06:09 EDT
(In reply to comment #1)
> Is pam_mount executing mount.crypt directly?  If should be executing umount
> which would cause the proper transitions to happen.    

Yes, it is.

Kevin, you can probably work around this until I created an update with adding this to your /etc/security/pam_mount.conf.xml file:
<cryptumount>umount %(MNTPT)</cryptumount>

Please report back, whether this work around helps.
Comment 3 Kevin R. Page 2010-08-03 16:26:17 EDT
(In reply to comment #2)
> Kevin, you can probably work around this until I created an update with adding
> this to your /etc/security/pam_mount.conf.xml file:
> <cryptumount>umount %(MNTPT)</cryptumount>

Yes, adding that config option work around prevents the selinux trigger.

Many thanks.
Comment 4 Fedora Update System 2010-08-16 16:43:11 EDT
pam_mount-2.5-1.fc13,libHX-3.5-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc13,libHX-3.5-1.fc13
Comment 5 Fedora Update System 2010-08-16 16:43:29 EDT
pam_mount-2.5-1.fc12,libHX-3.5-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc12,libHX-3.5-1.fc12
Comment 6 Fedora Update System 2010-08-16 16:43:49 EDT
pam_mount-2.5-1.fc14,libHX-3.5-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.5-1.fc14
Comment 7 Fedora Update System 2010-08-17 15:36:12 EDT
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pam_mount libHX'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.6-1.fc14
Comment 8 Fedora Update System 2010-09-04 00:52:33 EDT
pam_mount-2.5-1.fc12, libHX-3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-09-04 00:56:31 EDT
pam_mount-2.5-1.fc13, libHX-3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-10-28 18:20:14 EDT
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.