Bug 964943 - SELinux is preventing /usr/bin/mount from 'mounton' accesses on the directory /proc/fs/nfsd.
SELinux is preventing /usr/bin/mount from 'mounton' accesses on the directory...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:e3675725b134aca53a4ade18594...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-19 18:59 EDT by Ed Greshko
Modified: 2013-07-03 20:54 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-57.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-03 20:54:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ed Greshko 2013-05-19 18:59:36 EDT
Description of problem:
systemctl enable nfs-mountd.service
systemctl start nfs-mountd.service
SELinux is preventing /usr/bin/mount from 'mounton' accesses on the directory /proc/fs/nfsd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mount should be allowed mounton access on the nfsd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nfsd_t:s0
Target Context                system_u:object_r:nfsd_fs_t:s0
Target Objects                /proc/fs/nfsd [ dir ]
Source                        mount
Source Path                   /usr/bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-2.23-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-44.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-301.fc19.x86_64 #1 SMP Mon
                              May 13 12:36:24 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-05-20 05:36:41 CST
Last Seen                     2013-05-20 05:36:41 CST
Local ID                      94e688eb-4396-4410-96aa-6d1fb10da6ad

Raw Audit Messages
type=AVC msg=audit(1368999401.117:544): avc:  denied  { mounton } for  pid=20807 comm="mount" path="/proc/fs/nfsd" dev="nfsd" ino=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir


type=SYSCALL msg=audit(1368999401.117:544): arch=x86_64 syscall=mount success=no exit=EACCES a0=7f5c30bf6240 a1=7f5c30bf6260 a2=7f5c30bf6220 a3=c0ed0001 items=0 ppid=20803 pid=20807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mount exe=/usr/bin/mount subj=system_u:system_r:nfsd_t:s0 key=(null)

Hash: mount,nfsd_t,nfsd_fs_t,dir,mounton

audit2allow

#============= nfsd_t ==============
allow nfsd_t nfsd_fs_t:dir mounton;

audit2allow -RYou must regenerate interface info by running /usr/bin/sepolgen-ifgen


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-301.fc19.x86_64
type:           libreport

Potential duplicate: bug 860444
Comment 1 Daniel Walsh 2013-05-22 14:53:06 EDT
f1a9efdda4b3095034ce9ae96ae21e653756f5bc fixes this in git.
Comment 2 Fedora Update System 2013-05-29 10:19:57 EDT
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19
Comment 3 Fedora Update System 2013-05-29 13:46:55 EDT
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-05-29 23:33:55 EDT
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Dean Hunter 2013-06-20 13:50:40 EDT
This problem is occurring with selinux-policy-3.12.1-52.fc19.noarch.


SELinux is preventing /usr/bin/mount from mounton access on the directory /proc/fs/nfsd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mount should be allowed mounton access on the nfsd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nfsd_t:s0
Target Context                system_u:object_r:nfsd_fs_t:s0
Target Objects                /proc/fs/nfsd [ dir ]
Source                        mount
Source Path                   /usr/bin/mount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-2.23.1-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-52.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux ipa19.hunter.org 3.9.6-301.fc19.x86_64 #1
                              SMP Mon Jun 17 14:26:26 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-06-20 12:39:43 CDT
Last Seen                     2013-06-20 12:39:43 CDT
Local ID                      59eed9f2-5352-4662-b402-a43b7d45ee68

Raw Audit Messages
type=AVC msg=audit(1371749983.981:831): avc:  denied  { mounton } for  pid=2492 comm="mount" path="/proc/fs/nfsd" dev="nfsd" ino=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir


type=SYSCALL msg=audit(1371749983.981:831): arch=x86_64 syscall=mount success=no exit=EACCES a0=7fd1df385240 a1=7fd1df385260 a2=7fd1df385220 a3=c0ed0001 items=0 ppid=2491 pid=2492 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mount exe=/usr/bin/mount subj=system_u:system_r:nfsd_t:s0 key=(null)

Hash: mount,nfsd_t,nfsd_fs_t,dir,mounton
Comment 6 Daniel Walsh 2013-06-21 09:00:02 EDT
02348b2647f3ea372130ee7d72a1ba30303c83d4
and
7b4c79a924895e79e06abc472af8c00c1f10ae72
Fixes this in git
Comment 7 Fedora Update System 2013-06-26 16:18:09 EDT
selinux-policy-3.12.1-57.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-57.fc19
Comment 8 Fedora Update System 2013-06-27 11:48:33 EDT
Package selinux-policy-3.12.1-57.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-57.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11846/selinux-policy-3.12.1-57.fc19
then log in and leave karma (feedback).
Comment 9 Dean Hunter 2013-07-02 14:17:16 EDT
I have verified that this update resolves the problem for me and I have updated the karma.
Comment 10 Miroslav Grepl 2013-07-03 08:50:26 EDT
Thank you for testing.
Comment 11 Fedora Update System 2013-07-03 20:54:32 EDT
selinux-policy-3.12.1-57.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.