Description of problem:
The auto.smb script is blocked by selinux. Using it triggers multiple selinux alerts.

Version-Release number of selected component (if applicable):
autofs-5.0.7-10.fc18

How reproducible:
Access a cifs mount via automount

Steps to Reproduce:
1. setup automount to use auto.smb
2.
3.

Actual results:
The following SELinux alerts are triggered and nothing is mounted:

SELinux is preventing /usr/bin/smbclient from block_suspend access on the capability2 (for every share on this server)
SELinux is preventing /usr/bin/systemd-ask-password from setattr access on the file tmp.ydLETj. (the file name is random and changes)
SELinux is preventing /usr/bin/systemd-ask-password from create access on the sock_file sck.6628750746728764967
SELinux is preventing /usr/bin/systemd-ask-password from remove_name access on the directory tmp.ydLETj.

Expected results:
No errors and the shares mounted

Additional info:
Please attach the AVC messages.

ausearch -m avc -ts recent
The above command doesn't display anything. However, here is the complete SELinux output. These are in total 4 SELinux alerts, however in the wrong order: the last one appeared first and the top one is the last one.

SELinux is preventing /usr/bin/systemd-ask-password from remove_name access on the directory tmp.bgSlT1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-ask-password should be allowed remove_name access on the tmp.bgSlT1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-ask-pas /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:systemd_passwd_var_run_t:s0
Target Objects                tmp.bgSlT1 [ dir ]
Source                        systemd-ask-pas
Source Path                   /usr/bin/systemd-ask-password
Port                          <Unknown>
Host                          tesla.hlawacek.net
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tesla.hlawacek.net
Platform                      Linux tesla.hlawacek.net 3.8.2-206.fc18.x86_64 #1 SMP Fri Mar 8 15:03:34 UTC 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-03-10 16:43:21 CET
Last Seen                     2013-03-17 21:07:33 CET
Local ID                      65587c4c-b846-407d-8669-467528f621fb

Raw Audit Messages
type=AVC msg=audit(1363550853.913:527): avc: denied { remove_name } for pid=17699 comm="systemd-ask-pas" name="tmp.bgSlT1" dev="tmpfs" ino=647580 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1363550853.913:527): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fff8f1eba80 a1=0 a2=7ff8b53c8798 a3=7fff8f1eaf80 items=0 ppid=17698 pid=17699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-ask-pas exe=/usr/bin/systemd-ask-password subj=system_u:system_r:mount_t:s0 key=(null)

Hash: systemd-ask-pas,mount_t,systemd_passwd_var_run_t,dir,remove_name

audit2allow

#============= mount_t ==============
allow mount_t systemd_passwd_var_run_t:dir remove_name;

audit2allow -R

#============= mount_t ==============
allow mount_t systemd_passwd_var_run_t:dir remove_name;

and one more:

If you believe that systemd-ask-password should be allowed create access on the sck.17549035308735790780 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-ask-pas /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:systemd_passwd_var_run_t:s0
Target Objects                sck.17549035308735790780 [ sock_file ]
Source                        systemd-ask-pas
Source Path                   /usr/bin/systemd-ask-password
Port                          <Unknown>
Host                          tesla.hlawacek.net
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tesla.hlawacek.net
Platform                      Linux tesla.hlawacek.net 3.8.2-206.fc18.x86_64 #1 SMP Fri Mar 8 15:03:34 UTC 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-03-10 16:43:21 CET
Last Seen                     2013-03-17 21:07:33 CET
Local ID                      b3cd8052-4cec-4d66-b6e3-f3cfaeb960b7

Raw Audit Messages
type=AVC msg=audit(1363550853.913:526): avc: denied { create } for pid=17699 comm="systemd-ask-pas" name="sck.17549035308735790780" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1363550853.913:526): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=7fff8f1ebae0 a2=34 a3=80800 items=0 ppid=17698 pid=17699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-ask-pas exe=/usr/bin/systemd-ask-password subj=system_u:system_r:mount_t:s0 key=(null)

Hash: systemd-ask-pas,mount_t,systemd_passwd_var_run_t,sock_file,create

audit2allow

#============= mount_t ==============
allow mount_t systemd_passwd_var_run_t:sock_file create;

audit2allow -R

#============= mount_t ==============
allow mount_t systemd_passwd_var_run_t:sock_file create;

and another one:

SELinux is preventing /usr/bin/systemd-ask-password from setattr access on the file tmp.bgSlT1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-ask-password should be allowed setattr access on the tmp.bgSlT1 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-ask-pas /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:systemd_passwd_var_run_t:s0
Target Objects                tmp.bgSlT1 [ file ]
Source                        systemd-ask-pas
Source Path                   /usr/bin/systemd-ask-password
Port                          <Unknown>
Host                          tesla.hlawacek.net
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tesla.hlawacek.net
Platform                      Linux tesla.hlawacek.net 3.8.2-206.fc18.x86_64 #1 SMP Fri Mar 8 15:03:34 UTC 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-03-10 16:43:21 CET
Last Seen                     2013-03-17 21:07:33 CET
Local ID                      60f2d5a5-a22b-4ee7-9a11-f5fedc77a823

Raw Audit Messages
type=AVC msg=audit(1363550853.913:525): avc: denied { setattr } for pid=17699 comm="systemd-ask-pas" name="tmp.bgSlT1" dev="tmpfs" ino=647580 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1363550853.913:525): arch=x86_64 syscall=fchmod success=no exit=EACCES a0=3 a1=1a4 a2=11 a3=3b451eb222 items=0 ppid=17698 pid=17699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-ask-pas exe=/usr/bin/systemd-ask-password subj=system_u:system_r:mount_t:s0 key=(null)

Hash: systemd-ask-pas,mount_t,systemd_passwd_var_run_t,file,setattr

audit2allow

#============= mount_t ==============
allow mount_t systemd_passwd_var_run_t:file setattr;

audit2allow -R

#============= mount_t ==============
allow mount_t systemd_passwd_var_run_t:file setattr;

and this is the last one:

SELinux is preventing /usr/bin/smbclient from block_suspend access on the capability2 .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that smbclient should be allowed block_suspend access on the capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep smbclient /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:automount_t:s0
Target Context                system_u:system_r:automount_t:s0
Target Objects                [ capability2 ]
Source                        smbclient
Source Path                   /usr/bin/smbclient
Port                          <Unknown>
Host                          tesla.hlawacek.net
Source RPM Packages           samba-client-4.0.3-2.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tesla.hlawacek.net
Platform                      Linux tesla.hlawacek.net 3.8.2-206.fc18.x86_64 #1 SMP Fri Mar 8 15:03:34 UTC 2013 x86_64 x86_64
Alert Count                   23
First Seen                    2013-03-10 16:43:21 CET
Last Seen                     2013-03-17 21:07:33 CET
Local ID                      6a38e3a5-c9f7-43af-92c0-d092de283337

Raw Audit Messages
type=AVC msg=audit(1363550853.216:506): avc: denied { block_suspend } for pid=17613 comm="smbclient" capability=36 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability2

type=SYSCALL msg=audit(1363550853.216:506): arch=x86_64 syscall=epoll_ctl success=yes exit=0 a0=8 a1=2 a2=6 a3=7fff14fd4ba0 items=0 ppid=17612 pid=17613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=smbclient exe=/usr/bin/smbclient subj=system_u:system_r:automount_t:s0 key=(null)

Hash: smbclient,automount_t,automount_t,capability2,block_suspend

audit2allow

#============= automount_t ==============
allow automount_t self:capability2 block_suspend;

audit2allow -R

#============= automount_t ==============
allow automount_t self:capability2 block_suspend;
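As an added illustration (not part of this report, and not audit2allow's own code), the following parser reads the four raw AVC records quoted in the comment above, groups them by source type, target type and object class, and renders the same allow rules the sealert output lists, writing the target as self when source and target contexts coincide, as in the smbclient capability2 denial. The sample records are copied from the report and trimmed to the fields the parser needs; the trailing SYSCALL line is included to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the comment above, values
# copied from the report, plus one SYSCALL record the parser must ignore.
SAMPLE_AVCS = """\
type=AVC msg=audit(1363550853.913:527): avc: denied { remove_name } for pid=17699 comm="systemd-ask-pas" name="tmp.bgSlT1" dev="tmpfs" ino=647580 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1363550853.913:526): avc: denied { create } for pid=17699 comm="systemd-ask-pas" name="sck.17549035308735790780" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1363550853.913:525): avc: denied { setattr } for pid=17699 comm="systemd-ask-pas" name="tmp.bgSlT1" dev="tmpfs" ino=647580 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
type=AVC msg=audit(1363550853.216:506): avc: denied { block_suspend } for pid=17613 comm="smbclient" capability=36 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability2
type=SYSCALL msg=audit(1363550853.913:527): arch=x86_64 syscall=unlink success=no exit=EACCES
"""

# One denial: the permission set in braces, then both contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None for
    records that are not AVC denials (e.g. the SYSCALL line after each one)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:TYPE:level
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(text):
    """Merge denials per (source type, target type, class) and render them as
    audit2allow-style rules; a target equal to the source is written as self."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {' '.join(sorted(perms))};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Grouping this way makes it plain that three of the four denials are the same gap (mount_t acting on systemd_passwd_var_run_t objects), which is the kind of pattern that belongs in the distribution policy rather than in a per-host audit2allow module.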
Looks like mount is running systemd-ask-password, were these password encrypted mount points?
f272e3b090ad5452d84e20cf341cc3220b3c93c9 and 637986456978fd0a8f098eb2670fa5f602f875ed Fix this in git.
Back ported.
selinux-policy-3.11.1-87.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-87.fc18
Package selinux-policy-3.11.1-87.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-87.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4251/selinux-policy-3.11.1-87.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-87.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.