On 1/16/19 6:06 PM, Chris PeBenito wrote:
> On 1/14/19 10:20 PM, Sugar, David wrote:
>> I see this denial when mounting media. I'm running mount_exec_t
>> from my domain, not transitioning.
>>
>> type=AVC msg=audit(1547086778.470:331): avc: denied { read write }
>> for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470
>> scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
>
> Seems like there is a leaked file descriptor.
>

I have done some more looking into what is going on here and I just wanted to close the loop in case this comes up again from somewhere.

I ran strace to see what is going on and the following snippet from that output is relevant. This is the default case on RHEL7. It appears that mount is trying to access a file /run/mount/utab (that doesn't exist).

stat("/run", {st_mode=S_IFDIR|0755, st_size=740, ...}) = 0
lstat("/run/mount/utab", 0x7ffd6ac8b0e0) = -1 ENOENT (No such file or directory)
mkdir("/run/mount", 0755) = -1 EEXIST (File exists)
stat("/run/mount/utab", 0x7ffd6ac8afd0) = -1 ENOENT (No such file or directory)
stat("/run/mount", {st_mode=S_IFDIR|0755, st_size=40, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/run/mount", R_OK|W_OK) = 0

If I create the file /run/mount/utab I get a slightly different result:

stat("/run", {st_mode=S_IFDIR|0755, st_size=740, ...}) = 0
lstat("/run/mount/utab", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
stat("/run/mount/utab", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/run/mount/utab", R_OK|W_OK) = 0

I don't know what is supposed to be creating /run/mount/utab. I see it exists on a Fedora 29 machine, but not on a clean RHEL 7.6 machine. I ended up using systemd-tmpfiles to create the file /run/mount/utab. At this point I am able to get everything to work using the existing mount_rw_runtime_files interface.
I guess this is the long way of saying that this patch can be ignored, but for anyone else seeing the problem they need to create the /run/mount/utab file to work around the denial.

>
>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>> ---
>> policy/modules/system/mount.if | 18 ++++++++++++++++++
>> 1 file changed, 18 insertions(+)
>>
>> diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
>> index bf9a8bf3..31475bde 100644
>> --- a/policy/modules/system/mount.if
>> +++ b/policy/modules/system/mount.if
>> @@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
>> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
>> ')
>> +########################################
>> +## <summary>
>> +## Read and write mount runtime directory
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mount_rw_runtime_dir',`
>> + gen_require(`
>> + type mount_runtime_t;
>> + ')
>> +
>> + allow $1 mount_runtime_t:dir rw_dir_perms;
>> +')
>> +
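Review bot: the strace output in this thread shows the dir { read write } check only happens because /run/mount/utab is absent (mount falls back to access("/run/mount", R_OK|W_OK) after lstat fails), so the new mount_rw_runtime_dir interface in this hunk grants a workaround for a missing file rather than a permission mount genuinely needs, and the author has since dropped it in favour of pre-creating utab and the existing mount_rw_runtime_files. If the interface is kept anyway, note that `allow $1 mount_runtime_t:dir rw_dir_perms;` is wider than the denied { read write } (rw_dir_perms also includes add_name and remove_name, i.e. creating and unlinking entries under /run/mount), so the <summary> should say that, and callers that only need to update utab should be pointed at mount_rw_runtime_files instead.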
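As an added example that is not part of this thread, the following POSIX sh script mirrors the lstat/mkdir/access sequence visible in the strace output above, so a policy author can predict whether mount(8) will hit the mount_runtime_t:dir check or the file check, and emits the systemd-tmpfiles line used as the workaround; the function names, the --install flag and the root:root ownership are assumptions of mine, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): replay the check sequence that the
# strace output shows mount(8) performing on its runtime directory.
# The directory is a parameter so the function can be run against a temp dir.

# Prints "dir" when utab is absent (mount falls back to access() on the
# directory, which lands on mount_runtime_t:dir { read write }), and
# "file" when utab exists (the access() is on the file instead).
mount_utab_access_target() {
    runtime_dir="$1"
    utab="$runtime_dir/utab"
    if [ -e "$utab" ]; then
        # lstat/stat succeed -> access("<dir>/utab", R_OK|W_OK)
        [ -r "$utab" ] && [ -w "$utab" ] || return 1
        echo file
    else
        # lstat fails with ENOENT -> mkdir(<dir>) -> access(<dir>, R_OK|W_OK)
        mkdir -p "$runtime_dir" || return 1
        [ -r "$runtime_dir" ] && [ -w "$runtime_dir" ] || return 1
        echo dir
    fi
}

# Emit the tmpfiles.d line that pre-creates utab (the workaround used in the
# thread). Mode 0600 matches the stat output above; root:root ownership is
# an assumption, since mount runs as uid 0.
utab_tmpfiles_line() {
    printf 'f %s/utab 0600 root root -\n' "${1:-/run/mount}"
}

# Optional: write the fragment and apply it (hypothetical --install flag).
if [ "${1:-}" = "--install" ]; then
    utab_tmpfiles_line > /etc/tmpfiles.d/mount-utab.conf
    systemd-tmpfiles --create /etc/tmpfiles.d/mount-utab.conf
fi
```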