Bug 235145 - fuse changes security context of /etc/mtab
Summary: fuse changes security context of /etc/mtab
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: fuse
Version: 6
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-04-03 23:11 UTC by Yves Perrenoud
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-05 21:26:29 UTC



Description Yves Perrenoud 2007-04-03 23:11:55 UTC
+++ This bug was initially created as a clone of Bug #188561 +++

Description of problem:
fuse changes the security context of /etc/mtab when it mounts or umounts,
which results in
audit(1144746982.448:5): avc:  denied  { write } for  pid=3273 comm="mount"
name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
when I try to unmount/mount a USB pen drive,
and I also get tons of AVCs during shutdown.

Version-Release number of selected component (if applicable):
fuse-2.5.2-4.fc5

How reproducible:
always!

Steps to Reproduce:
1. mount anything using fuse (sshfs)
2. umount it, mount a USB pen drive
3. notice AVCs
4. shut down, notice tons of AVCs.
  
Actual results:
audit(1144746982.448:5): avc:  denied  { write } for  pid=3273 comm="mount"
name="mtab" dev=md0 ino=7014388 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
and no mtab entry for newly mounted devices.

Expected results:

it should not change the file context

Additional info:
selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5

-- Additional comment from yves-redhat@xpand.org on 2006-07-27 13:49 EST --
I found the problem, fixed it and sent a patch upstream to the fuse-devel
mailing list. fusermount was re-creating /etc/mtab on unmount, but it wasn't
restoring the security context of the old file it was replacing.

-- Additional comment from drago01@gmail.com on 2007-02-09 06:03 EST --
I can confirm that it's fixed ;)

-- Additional comment from yves-redhat@xpand.org on 2007-03-26 07:14 EST --
This problem isn't fixed in packages in Extras for FC5 and FC6. Indeed, the patch
I submitted upstream has made it into the source used to build the packages, but
the fusermount binary in the rpms built for the Extras repositories doesn't
contain the fix. The only explanation for that is that the build environment
doesn't include the libselinux and libselinux-devel packages. Hence the
fusermount binary never includes the SELinux-specific code.

If I rebuild the src rpm as-is, I obtain a fusermount binary that includes the
code and hence solves the problem.

I suggest adding the following to the spec file:

BuildRequires: libselinux, libselinux-devel

This should definitely ensure the problem is solved.

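The fix described above (fusermount rewriting /etc/mtab and then failing to restore the old file's label) is small enough to show in full. The following is an added example, not fusermount's own code nor the patch sent upstream: it rewrites a file through a temporary file and rename(), copying the old file's label across via the raw security.selinux extended attribute instead of libselinux, so it builds without libselinux-devel. The function names replace_file and self_check, the scratch path /tmp/mtab-example and the mtab lines written to it are assumptions made for illustration. With preserve_label set to 0 the routine reproduces the bug: the replacement file is left with the default label of its directory (the etc_t seen as tcontext in the AVC above) instead of the label the old mtab carried.

```c
/* Added example, not fusermount's own code nor the upstream patch: rewrite a
 * file the way a mount helper rewrites /etc/mtab, carrying the old file's
 * SELinux label over through the raw security.selinux xattr (no libselinux). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SELINUX_XATTR "security.selinux"

/* Read the label of `path` into buf. Returns its length; 0 if the file has no
 * label (ENODATA) or the kernel/filesystem does not support it (ENOTSUP, e.g.
 * SELinux disabled); -1 on any other error. */
static ssize_t read_label(const char *path, char *buf, size_t buflen)
{
    ssize_t n = getxattr(path, SELINUX_XATTR, buf, buflen);
    if (n < 0 && (errno == ENODATA || errno == ENOTSUP))
        return 0;
    return n;
}

static int fail_cleanup(int fd, const char *tmp)
{
    int saved = errno;
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

/* Write `contents` to a temp file beside `path`, then rename() it over the
 * original so readers never see a half-written file. With preserve_label set
 * the old label is copied onto the temp file first; with it clear the new file
 * keeps the directory's default label (etc_t for /etc), which is the bug above.
 * Returns 0 on success, -1 on error with errno set. */
int replace_file(const char *path, const char *contents, int preserve_label)
{
    char label[256], tmp[4096];
    ssize_t label_len = read_label(path, label, sizeof label);
    size_t len = strlen(contents);
    int fd;

    if (label_len < 0)
        return -1;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = mkstemp(tmp)) < 0)
        return -1;
    if (write(fd, contents, len) != (ssize_t)len)
        return fail_cleanup(fd, tmp);
    /* The step fusermount was missing; done on the fd before rename() so the
     * file never appears at `path` with the wrong label. */
    if (preserve_label && label_len > 0 &&
        fsetxattr(fd, SELINUX_XATTR, label, (size_t)label_len, 0) < 0)
        return fail_cleanup(fd, tmp);
    if (fchmod(fd, 0644) < 0)               /* mtab is world-readable */
        return fail_cleanup(fd, tmp);
    if (close(fd) < 0 || rename(tmp, path) < 0)
        return fail_cleanup(-1, tmp);
    return 0;
}

/* Self-check on a scratch file with constructed mtab lines (assumed path, not
 * a real mtab): 1 if the contents were replaced and any label the file
 * carried survived the rewrite, 0 otherwise. */
int self_check(const char *path)
{
    char before[256], after[256], buf[64];
    ssize_t blen, alen;
    FILE *f = fopen(path, "w");
    int ok;

    if (!f)
        return 0;
    fputs("/dev/sda1 / ext3 rw 0 0\n", f);
    fclose(f);
    blen = read_label(path, before, sizeof before);
    if (blen < 0 || replace_file(path, "/dev/sdb1 /mnt/pen vfat rw 0 0\n", 1))
        return 0;
    alen = read_label(path, after, sizeof after);
    if (!(f = fopen(path, "r")))
        return 0;
    ok = fgets(buf, sizeof buf, f) != NULL &&
         strcmp(buf, "/dev/sdb1 /mnt/pen vfat rw 0 0\n") == 0;
    fclose(f);
    unlink(path);
    if (blen > 0)
        ok = ok && alen == blen && memcmp(before, after, (size_t)blen) == 0;
    return ok;
}

int main(void)
{
    int ok = self_check("/tmp/mtab-example");
    puts(ok ? "contents replaced, label preserved" : "failed");
    return !ok;
}
```

On a host without SELinux the label step is skipped (getxattr reports ENOTSUP or ENODATA) and only the atomic rewrite is exercised. On an SELinux host the quick check for the original bug is `ls -Z /etc/mtab` before and after a fuse mount/umount cycle; a `restorecon -v /etc/mtab` that reports a relabel means the rewrite dropped the label.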
Comment 1 Peter Lemenkov 2007-04-04 04:21:55 UTC
Hmmm.
Could you check whether it works if we BR only libselinux-devel? Or is it
necessary to BR both libselinux and libselinux-devel?

Comment 2 Yves Perrenoud 2007-05-31 07:03:51 UTC
What triggers the inclusion of the SELinux code in fusermount is based on the
results of an AC_CHECK_LIB (for libselinux) I added to configure.in. The way
configure checks for the presence of the library is by compiling a snippet of
test code using a "-l<lib>". Hence gcc must be only looking for libselinux.a as
there's no attempt to actually execute the code. Thus I'm fairly confident that
only including "libselinux-devel" in the BuildRequires should do the job.


Comment 3 Peter Lemenkov 2007-06-05 21:26:29 UTC
OK, added.
Let's wait next version.

