crystall (n00b)
Joined: 31 Aug 2004, Posts: 15
Posted: Fri Sep 09, 2016 8:30 am
Post subject: [SOLVED] Mounting external drives with selinux enabled
I've got a desktop configuration with selinux enabled (basically the default/linux/amd64/13.0/desktop profile together with features/selinux). I use Xfce for my DE and after quite a bit of tweaking the default policy using audit2allow (and setting a few booleans) I've managed to get a usable system. That's until recently when mounting external drives stopped working, with lines like these showing up in the audit log:
Code:
type=AVC msg=audit(1473406626.101:75): avc: denied { getattr } for pid=2150 comm="udisksd" path="/dev/sda5" dev="devtmpfs" ino=7958 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1473406711.057:108): avc: denied { write } for pid=2731 comm="mount.ntfs-3g" name="sdd1" dev="devtmpfs" ino=11135 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1473407225.910:149): avc: denied { read } for pid=5265 comm="pool" name="sdb" dev="devtmpfs" ino=9217 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
Piping the logs into audit2allow yields the following rules among others:
Code:
allow system_dbusd_t fixed_disk_device_t:blk_file { getattr ioctl lock open read write };
allow system_dbusd_t removable_device_t:blk_file { ioctl open read };
Unfortunately, both of them are explicitly forbidden by the default policies so in order to have a functioning system I had to switch to permissive mode. I've tried relabeling the entire filesystem but it doesn't seem to help. I've also double-checked that I'm in the right groups recommended by the installation guide (plugdev, usb) so I'm not sure what I'm doing wrong.
Kernel is gentoo-sources-4.4.6 with the appropriate selinux options enabled. I can attach the full logs & configuration if that helps but they're large and I've tried to deviate as little as possible from the default recommendations of the installation guide.
Last edited by crystall on Sat Oct 01, 2016 8:19 pm; edited 1 time in total
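The AVC records above carry everything needed to reason about the denial: the source domain (scontext), the target type (tcontext), the object class and the permission. The following script is an added example, not code from the post or from the SELinux tools; it parses such records, aggregates them into allow rules the way audit2allow does, and, separately, lists which process names were running in each source domain. The sample log is the three lines quoted in the post, embedded as a constructed input. The second view is the useful one here: a daemon such as udisksd showing up under a generic domain like system_dbusd_t means no domain transition happened when it was executed, which points at a labeling problem on the binary rather than at a missing allow rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1473406626.101:75): avc: denied { getattr } for pid=2150 comm="udisksd" path="/dev/sda5" dev="devtmpfs" ino=7958 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1473406711.057:108): avc: denied { write } for pid=2731 comm="mount.ntfs-3g" name="sdd1" dev="devtmpfs" ino=11135 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1473407225.910:149): avc: denied { read } for pid=5265 comm="pool" name="sdb" dev="devtmpfs" ino=9217 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
"""

# Matches the fixed part of an AVC denial; the free-form key=value fields
# between "for" and "scontext=" are parsed separately by FIELD_RE.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['stype'] = context_type(m.group('scontext'))
    rec['ttype'] = context_type(m.group('tcontext'))
    rec['tclass'] = m.group('tclass')
    rec['permissive'] = m.group('permissive') == '1'
    return rec


def derive_allow_rules(lines):
    """Aggregate denials the way audit2allow does: one allow rule per
    (source type, target type, class), with the union of denied permissions."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]


def comms_by_domain(lines):
    """Map each source domain to the sorted process names (comm=) seen in it.
    Several unrelated binaries sharing one generic domain is the signature of a
    missing domain transition, i.e. an executable without its own exec label."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and 'comm' in rec:
            seen[rec['stype']].add(rec['comm'])
    return {d: sorted(c) for d, c in seen.items()}


if __name__ == '__main__':
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in derive_allow_rules(lines):
        print(rule)
    for domain, comms in comms_by_domain(lines).items():
        print('%s runs: %s' % (domain, ', '.join(comms)))
```

Run against the sample, the aggregated rule is the same one audit2allow produced in the post (minus permissions that were not denied in these three lines), and the domain view shows udisksd, mount.ntfs-3g and a worker thread all running as system_dbusd_t. Before adding an allow rule from the first output, check the second: if the process should have its own domain, restoring the correct file context on its executable (as in the solution below) is the fix that keeps the policy tight.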
crystall (n00b)
Joined: 31 Aug 2004, Posts: 15
Posted: Sat Oct 01, 2016 8:18 pm
I've solved the issue. Turns out it's a bug in the selinux-base package; the udisksd daemon is not labeled correctly and this caused the AVC denials while trying to mount drives. I've filed bug 595820 to address it. In the meantime this can be fixed by adding the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
Code:
/usr/libexec/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t
And then resetting the labels with the following command:
Code:
restorecon -rvF /usr/libexec/udisks2/