SELinux is preventing /bin/mount from 'remove_name' accesses on the dossier mtab~1948.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If vous souhaitez autoriser mount à accéder à remove_name sur mtab~1948 directory
Then you need to change the label on mtab~1948
Do
# semanage fcontext -a -t FILE_TYPE 'mtab~1948'
where FILE_TYPE is one of the following: var_t, abrt_var_cache_t.
Then execute:
restorecon -v 'mtab~1948'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that mount should be allowed remove_name access on the mtab~1948 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                mtab~1948 [ dir ]
Source                        mount
Source Path                   /bin/mount
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.18-4.8.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-42.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-92.fc14.i686.PAE #1 SMP Sat May 21 17:33:09 UTC 2011 i686 i686
Alert Count                   1
First Seen                    jeu. 11 août 2011 14:59:04 CEST
Last Seen                     jeu. 11 août 2011 14:59:04 CEST
Local ID                      a733afcc-e861-4b43-9410-18111437f8b7

Raw Audit Messages
type=AVC msg=audit(1313067544.460:23198): avc: denied { remove_name } for pid=1948 comm="mount" name="mtab~1948" dev=sda7 ino=7000 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

type=AVC msg=audit(1313067544.460:23198): avc: denied { unlink } for pid=1948 comm="mount" name="mtab~1948" dev=sda7 ino=7000 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

type=SYSCALL msg=audit(1313067544.460:23198): arch=i386 syscall=unlink success=yes exit=0 a0=bfe4e58d a1=d a2=e884f8 a3=0 items=0 ppid=1947 pid=1948 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)

Hash: mount,abrt_helper_t,etc_t,dir,remove_name

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t etc_t:dir remove_name;
allow abrt_helper_t etc_t:file unlink;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t etc_t:dir remove_name;
allow abrt_helper_t etc_t:file unlink;

Let's change the label to

/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)

In RHEL6, F14-Rawhide.
Added to RHEL6.
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.