Bug 622929 - SELinux prevents /sbin/mount.crypt "write" access on mapper.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386 Linux
Priority: low  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:9b153109f41...
Reported: 2010-08-10 15:59 EDT by Joachim Katzer
Modified: 2010-08-25 20:57 EDT
Fixed In Version: selinux-policy-3.6.32-121.fc12
Doc Type: Bug Fix
Last Closed: 2010-08-25 20:57:03 EDT
Description Joachim Katzer 2010-08-10 15:59:16 EDT
Summary:

SELinux prevents /sbin/mount.crypt "write" access on mapper.

Detailed Description:

After installing the updates cryptsetup-luks-1.1.3-1.fc12.i686, pam_mount-2.4-2.fc12.i686
and libHX-3.4-1.fc12.i686, logging in to an account with a LUKS encrypted home directory on a logical volume was no
longer possible, unless SELinux is disabled.

Additional Information:

Source Context                system_u:system_r:mount_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                mapper [ dir ]
Source                        mount.crypt
Source Path                   /sbin/mount.crypt
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pam_mount-2.4-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-118.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.16-150.fc12.i686 #1 SMP Sat
                              Jul 24 05:31:53 UTC 2010 i686 i686
Alert Count                   8
First Seen                    Sat 07 Aug 2010 08:19:36 PM CEST
Last Seen                     Tue 10 Aug 2010 06:53:25 PM CEST
Local ID                      90ccf01b-94eb-4ad9-8a1c-5e47704fe449
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281459205.264:10): avc:  denied  { write } for  pid=1880 comm="mount.crypt" name="mapper" dev=devtmpfs ino=5281 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1281459205.264:10): arch=40000003 syscall=14 success=no exit=-13 a0=bfb615fc a1=61b0 a2=fd03 a3=fd03 items=0 ppid=1879 pid=1880 auid=4294967295 uid=0 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="mount.crypt" exe="/sbin/mount.crypt" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
Hash String generated from  catchall,mount.crypt,mount_t,device_t,dir,write
audit2allow suggests:

#============= mount_t ==============
#!!!! The source type 'mount_t' can write to a 'dir' of the following types:
# etc_runtime_t, mount_var_run_t, mount_tmp_t, tmp_t, var_t, user_home_dir_t, etc_t, nfs_t, tmpfs_t, var_run_t, user_home_t

allow mount_t device_t:dir write;
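The audit2allow rule and the "Hash String" line in the report can both be derived from the AVC record alone. The Python below is an added example, not code from this report or from setroubleshoot/audit2allow: it parses the denial quoted above, rebuilds the suggested allow rule and the hash fields (their order is inferred from this report), and checks the target type against the dir types audit2allow said mount_t may already write, which is the question behind its "!!!!" note.

```python
import re

# AVC record copied from the raw audit messages in this report.
AVC_LINE = (
    'node=(removed) type=AVC msg=audit(1281459205.264:10): avc:  denied  { write } '
    'for  pid=1880 comm="mount.crypt" name="mapper" dev=devtmpfs ino=5281 '
    'scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir'
)

# Dir types audit2allow listed as already writable by mount_t (its '!!!!' note above).
MOUNT_T_WRITABLE_DIRS = {
    'etc_runtime_t', 'mount_var_run_t', 'mount_tmp_t', 'tmp_t', 'var_t', 'user_home_dir_t',
    'etc_t', 'nfs_t', 'tmpfs_t', 'var_run_t', 'user_home_t',
}

def parse_avc(line):
    """Split one 'avc: denied' record into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$', line)
    if not m:
        raise ValueError('not an AVC denial record')
    fields = {}
    # Values are either "quoted" (comm, name) or bare tokens (scontext, tclass, ...).
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        fields[key] = quoted or bare
    fields['perms'] = m.group(1).split()
    return fields

def type_of(context):
    """The type is the third field of an SELinux context (user:role:type:level)."""
    return context.split(':')[2]

def audit2allow_rule(denial):
    """The allow rule audit2allow derives from one denial (single permission or a { set })."""
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(denial['scontext']),
                                   type_of(denial['tcontext']), denial['tclass'], perm_str)

def hash_fields(denial, plugin='catchall'):
    """The comma-separated fields behind setroubleshoot's 'Hash String' line (order as seen here)."""
    return ','.join([plugin, denial['comm'], type_of(denial['scontext']),
                     type_of(denial['tcontext']), denial['tclass'], ' '.join(denial['perms'])])

def target_already_writable(denial, writable=MOUNT_T_WRITABLE_DIRS):
    """False means the suggested allow rule would open a new target type to mount_t."""
    return type_of(denial['tcontext']) in writable
```

A False from the last check is the signal that the generated rule widens the domain rather than restoring an existing permission; in this bug the chosen fix was a different file label for the binary, not the rule.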
Comment 1 Joachim Katzer 2010-08-10 16:17:32 EDT
As requested by Till Maas in https://bugzilla.redhat.com/show_bug.cgi?id=599609 I am filing a new bug report herewith.

The discussion in thread 599609 led me to a workaround:

chcon -t lvm_exec_t /sbin/mount.crypt

Is lvm_exec_t now the intended context of mount.crypt? Currently, in
selinux-policy-3.6.32-118.fc12.noarch it seems to be mount_exec_t which does
not work:

# restorecon -v -n /sbin/mount.crypt
restorecon reset /sbin/mount.crypt context system_u:object_r:lvm_exec_t:s0->system_u:object_r:mount_exec_t:s0

/etc/security/pam_mount.conf.xml:
...
<debug enable="1"/>
<volume user="private" mountpoint="/home/private" path="/dev/vg_host/home" fstype="crypt" />
...

Logs in /var/log/messages:

Aug 10 22:01:54 localhost pam: gdm-password[5590]: pam_mount(pam_mount.c:364): pam_mount 2.4: entering auth stage
Aug 10 22:01:58 localhost pam: gdm-password[5590]: pam_mount(pam_mount.c:553): pam_mount 2.4: entering session stage
Aug 10 22:01:58 localhost pam: gdm-password[5590]: pam_mount(misc.c:38): Session open: (e/ruid=0/0, e/rgid=502/502)
Aug 10 22:01:58 localhost pam: gdm-password[5590]: pam_mount(mount.c:196): Mount info: globalconf, user=private <volume fstype="crypt" server="(null)" path="/dev/vg_host/home" mountpoint="/home/private" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="" /> fstab=0
Aug 10 22:01:58 localhost pam: gdm-password[5590]: command: 'mount' '-t' 'crypt' '/dev/vg_host/home' '/home/private' 
Aug 10 22:01:58 localhost pam: gdm-password[5701]: pam_mount(misc.c:38): set_myuid<pre>: (e/ruid=0/0, e/rgid=502/502)
Aug 10 22:01:58 localhost pam: gdm-password[5701]: pam_mount(misc.c:38): set_myuid<post>: (e/ruid=0/0, e/rgid=502/502)
Aug 10 22:01:58 localhost pam: gdm-password[5590]: pam_mount(mount.c:64): Errors from underlying mount program:
Aug 10 22:01:58 localhost pam: gdm-password[5590]: pam_mount(mount.c:68): crypt_activate_by_passphrase: File exists
Aug 10 22:01:58 localhost pam: gdm-password[5590]: pam_mount(pam_mount.c:521): mount of /dev/vg_host/home failed
Comment 2 Daniel Walsh 2010-08-11 08:43:40 EDT
Yes it should be lvm_exec_t and this needs to be back ported to F12.
Comment 3 Miroslav Grepl 2010-08-17 06:40:28 EDT
Fixed in selinux-policy-3.6.32-121.fc12
Comment 4 Fedora Update System 2010-08-20 06:27:48 EDT
selinux-policy-3.6.32-121.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-121.fc12
Comment 5 Fedora Update System 2010-08-21 00:31:30 EDT
selinux-policy-3.6.32-121.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-121.fc12
Comment 6 Fedora Update System 2010-08-25 20:56:25 EDT
selinux-policy-3.6.32-121.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.