[DSE-Dev] Bug#962238: selinux-policy-default: selinux prevents automounting sshfs
Maksim K.
debian_bug at k-max.name
Thu Jun 4 22:41:12 BST 2020
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important
Dear Maintainer,
Problem description:
I set up automounting with sshfs. My selinux is in Enforcing mode.
When triggering the automount, it fails and a SELinux Security alert shows up:
***audit.log***
type=AVC msg=audit(1591302044.718:8608): avc: denied { execute } for pid=14500 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
***************
***syslog***
Jun 4 23:20:44 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 14498 (ls)
Jun 4 23:20:44 vps systemd[1]: Mounting /mnt/maks...
Jun 4 23:20:44 vps systemd[1]: mnt-maks.mount: Mount process exited, code=exited status=1
Jun 4 23:20:44 vps systemd[1]: Failed to mount /mnt/maks.
Jun 4 23:20:44 vps systemd[1]: mnt-maks.mount: Unit entered failed state.
************
When setting SELinux to permissive, the automounting with sshfs works as expected.
Environment description:
-- fstab
root at vps:~# grep ssh /etc/fstab
media:/vps/maks /mnt/maks fuse.sshfs noauto,x-systemd.automount,_netdev,users,allow_other,reconnect,ServerAliveInterval=15,ServerAliveCountMax=2 0 0
-- packages
ii sshfs 2.8-1
ii mount 2.29.2-1+deb9u1
How to reproduce with Enforcing mode:
root at vps:~# setenforce 1
root at vps:~# getenforce
Enforcing
root at vps:~# grep sshfs /etc/fstab
media:/vps/maks /mnt/maks fuse.sshfs noauto,x-systemd.automount,_netdev,users,allow_other,reconnect,ServerAliveInterval=15,ServerAliveCountMax=2 0 0
root at vps:~# systemctl daemon-reload
root at vps:~# systemctl list-unit-files --type=mount
UNIT FILE STATE
-.mount generated
boot-efi.mount generated
dev-hugepages.mount static
dev-mqueue.mount static
mnt-maks.mount generated
proc-sys-fs-binfmt_misc.mount static
sys-fs-fuse-connections.mount static
sys-kernel-config.mount static
sys-kernel-debug.mount static
9 unit files listed.
root at vps:~# systemctl list-unit-files --type=automount
UNIT FILE STATE
mnt-maks.automount generated
proc-sys-fs-binfmt_misc.automount static
2 unit files listed.
root at vps:~# systemctl restart mnt-maks.automount
root at vps:~# systemctl status mnt-maks.automount
● mnt-maks.automount
Loaded: loaded (/etc/fstab; generated; vendor preset: enabled)
Active: active (waiting) since Fri 2020-06-05 00:13:58 MSK; 6s ago
Where: /mnt/maks
Docs: man:fstab(5)
man:systemd-fstab-generator(8)
Jun 05 00:13:58 vps.k-max.name systemd[1]: Set up automount mnt-maks.automount.
root at vps:~#
root at vps:~# findmnt -u
TARGET SOURCE FSTYPE OPTIONS
/ /dev/vda1 ext4 rw,relatime,seclabel,data=ordered
├─/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime,seclabel
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/selinux selinuxfs selinuxfs rw,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs rw,seclabel,mode=755
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
│ │ ├─/sys/fs/cgroup/freezer cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/devices cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/blkio cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/memory cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/pids cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/cpuset cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset,clone_children
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ └─/sys/fs/cgroup/perf_event cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event
│ ├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime,seclabel
│ ├─/sys/firmware/efi/efivars efivarfs efivarfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/debug debugfs debugfs rw,relatime,seclabel
│ │ └─/sys/kernel/debug/tracing tracefs tracefs rw,relatime
│ └─/sys/fs/fuse/connections fusectl fusectl rw,relatime
├─/proc proc proc rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc systemd-1 autofs rw,relatime,fd=25,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=9019
│ └─/proc/sys/fs/binfmt_misc binfmt_misc binfmt_misc rw,relatime
├─/dev udev devtmpfs rw,nosuid,relatime,seclabel,size=497396k,nr_inodes=124349,mode=755
│ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm tmpfs tmpfs rw,nosuid,nodev,seclabel
│ ├─/dev/hugepages hugetlbfs hugetlbfs rw,relatime,seclabel
│ └─/dev/mqueue mqueue mqueue rw,relatime,seclabel
├─/run tmpfs tmpfs rw,nosuid,noexec,relatime,seclabel,size=101716k,mode=755
│ ├─/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,seclabel,size=5120k
│ └─/run/user/0 tmpfs tmpfs rw,nosuid,nodev,relatime,seclabel,size=101712k,mode=700
├─/boot/efi /dev/vda15 vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
└─/mnt/maks systemd-1 autofs rw,relatime,fd=32,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=436445
root at vps:~#
root at vps:~# ls -la /mnt/maks/
ls: cannot access '/mnt/maks/': No such device
root at vps:~#
root at vps:~# mount -v /mnt/maks/
fuse: failed to open mountpoint for reading: No such device
root at vps:~# grep systemd /var/log/syslog | tail -15
Jun 5 00:09:28 vps systemd[1]: Started Clean php session files.
Jun 5 00:13:58 vps systemd[1]: Stopped target Remote File Systems.
Jun 5 00:13:58 vps systemd[1]: Stopping Remote File Systems.
Jun 5 00:13:58 vps systemd[1]: Set up automount mnt-maks.automount.
Jun 5 00:13:58 vps systemd[1]: Reached target Remote File Systems.
Jun 5 00:15:41 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 15816 (ls)
Jun 5 00:15:41 vps systemd[1]: Mounting /mnt/maks...
Jun 5 00:15:41 vps systemd[1]: mnt-maks.mount: Mount process exited, code=exited status=1
Jun 5 00:15:41 vps systemd[1]: Failed to mount /mnt/maks.
Jun 5 00:15:41 vps systemd[1]: mnt-maks.mount: Unit entered failed state.
Jun 5 00:16:07 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 15825 (sshfs)
Jun 5 00:16:07 vps systemd[1]: Mounting /mnt/maks...
Jun 5 00:16:07 vps systemd[1]: mnt-maks.mount: Mount process exited, code=exited status=1
Jun 5 00:16:07 vps systemd[1]: Failed to mount /mnt/maks.
Jun 5 00:16:07 vps systemd[1]: mnt-maks.mount: Unit entered failed state.
root at vps:~# tail -6 /var/log/audit/audit.log
type=AVC msg=audit(1591305341.115:8766): avc: denied { execute } for pid=15818 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591305341.115:8766): arch=c000003e syscall=59 success=no exit=-13 a0=55b24f5f45fe a1=7ffc7f7e5df0 a2=55b24ffe8290 a3=7ffc7f7e5e90 items=0 ppid=15817 pid=15818 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.fuse" exe="/sbin/mount.fuse" subj=system_u:system_r:mount_t:s0 key=(null)
type=PROCTITLE msg=audit(1591305341.115:8766): proctitle=2F7362696E2F6D6F756E742E66757365006D656469613A2F7670732F6D616B73002F6D6E742F6D616B73002D6F0072772C6E6F657865632C6E6F737569642C6E6F6465762C616C6C6F775F6F746865722C7265636F6E6E6563742C536572766572416C697665496E74657276616C3D31352C536572766572416C697665436F75
type=AVC msg=audit(1591305367.343:8767): avc: denied { execute } for pid=15827 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591305367.343:8767): arch=c000003e syscall=59 success=no exit=-13 a0=563aecbfb5fe a1=7ffc8bda2be0 a2=563aed7ac290 a3=7ffc8bda2c80 items=0 ppid=15826 pid=15827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.fuse" exe="/sbin/mount.fuse" subj=system_u:system_r:mount_t:s0 key=(null)
type=PROCTITLE msg=audit(1591305367.343:8767): proctitle=2F7362696E2F6D6F756E742E66757365006D656469613A2F7670732F6D616B73002F6D6E742F6D616B73002D6F0072772C6E6F657865632C6E6F737569642C6E6F6465762C616C6C6F775F6F746865722C7265636F6E6E6563742C536572766572416C697665496E74657276616C3D31352C536572766572416C697665436F75
How it works in Permissive mode:
root at vps:~# setenforce 0
root at vps:~# getenforce
Permissive
root at vps:~# ls -la /mnt/maks/
total 2042940
drwxr-xr-x. 1 1003 1003 4096 May 31 02:30 .
drwxr-xr-x. 3 root root 4096 May 11 23:24 ..
-rw-r--r--. 1 1003 1003 610057 May 4 02:30 backup_2020-05-04.tar.bz2
-rw-r--r--. 1 1003 1003 0 May 4 22:42 test
root at vps:~# systemctl status mnt-maks.automount
● mnt-maks.automount
Loaded: loaded (/etc/fstab; generated; vendor preset: enabled)
Active: active (running) since Fri 2020-06-05 00:13:58 MSK; 15min ago
Where: /mnt/maks
Docs: man:fstab(5)
man:systemd-fstab-generator(8)
Jun 05 00:13:58 vps.k-max.name systemd[1]: Set up automount mnt-maks.automount.
Jun 05 00:15:41 vps.k-max.name systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by
Jun 05 00:16:07 vps.k-max.name systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by
Jun 05 00:28:58 vps.k-max.name systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by
root at vps:~# grep systemd /var/log/syslog | tail -3
Jun 5 00:28:58 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 15873 (ls)
Jun 5 00:28:58 vps systemd[1]: Mounting /mnt/maks...
Jun 5 00:28:58 vps systemd[1]: Mounted /mnt/maks.
root at vps:~# grep "mount\|avc" /var/log/audit/audit.log | tail -21
type=AVC msg=audit(1591306138.508:8782): avc: denied { execute } for pid=15875 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.508:8782): avc: denied { read open } for pid=15875 comm="mount.fuse" path="/bin/dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.508:8782): avc: denied { execute_no_trans } for pid=15875 comm="mount.fuse" path="/bin/dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.508:8782): arch=c000003e syscall=59 success=yes exit=0 a0=561013bbb5fe a1=7ffd56e6fc30 a2=5610144c1290 a3=7ffd56e6fcd0 items=0 ppid=15874 pid=15875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.536:8783): avc: denied { execute } for pid=15879 comm="sshfs" name="ssh" dev="vda1" ino=131321 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.536:8783): avc: denied { read open } for pid=15879 comm="sshfs" path="/usr/bin/ssh" dev="vda1" ino=131321 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.536:8783): avc: denied { execute_no_trans } for pid=15879 comm="sshfs" path="/usr/bin/ssh" dev="vda1" ino=131321 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.536:8783): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd0995a310 a1=555c42675fa0 a2=7ffd0995a848 a3=7f367aac4180 items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.544:8784): avc: denied { read } for pid=15879 comm="ssh" name="config" dev="vda1" ino=1308331 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.544:8784): avc: denied { open } for pid=15879 comm="ssh" path="/root/.ssh/config" dev="vda1" ino=1308331 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.544:8784): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdbce501f0 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.548:8785): avc: denied { getattr } for pid=15879 comm="ssh" path="/root/.ssh/config" dev="vda1" ino=1308331 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.548:8785): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffdbce4fce0 a2=7ffdbce4fce0 a3=0 items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.548:8786): avc: denied { read } for pid=15879 comm="ssh" name="urandom" dev="devtmpfs" ino=6508 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1591306138.548:8786): avc: denied { open } for pid=15879 comm="ssh" path="/dev/urandom" dev="devtmpfs" ino=6508 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1591306138.548:8786): arch=c000003e syscall=2 success=yes exit=3 a0=7fb8c63ffdfa a1=900 a2=7fb8c63ffc73 a3=69f items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306139.852:8787): avc: denied { read } for pid=15876 comm="sshfs" path="pipe:[437193]" dev="pipefs" ino=437193 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1591306139.852:8788): avc: denied { write } for pid=15880 comm="sshfs" path="pipe:[437193]" dev="pipefs" ino=437193 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file permissive=1
type=SYSCALL msg=audit(1591306139.852:8787): arch=c000003e syscall=0 success=yes exit=1 a0=5 a1=7ffd0995a42f a2=1 a3=7f367b8859d0 items=0 ppid=15875 pid=15876 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshfs" exe="/usr/bin/sshfs" subj=system_u:system_r:mount_t:s0 key=(null)
type=SYSCALL msg=audit(1591306139.852:8788): arch=c000003e syscall=1 success=yes exit=1 a0=6 a1=7ffd0995a42f a2=1 a3=7f367b885700 items=0 ppid=1 pid=15880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshfs" exe="/usr/bin/sshfs" subj=system_u:system_r:mount_t:s0 key=(null)
I have tried to enable this bool:
root at vps:~# semanage boolean -l | grep mount
allow_mount_anyfile (on , on) Allow the mount command to mount any directory or file.
xguest_mount_media (off , off) Determine whether xguest can mount removable media.
root at vps:~# ls -al /mnt/maks/
ls: cannot access '/mnt/maks/': No such device
root at vps:~#
But it still does not work.
-- System Information:
Debian Release: 9.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libselinux1 2.6-3+b3
ii libsemanage1 2.6-2
ii libsepol1 2.6-2
ii policycoreutils 2.6-3
ii selinux-utils 2.6-3+b3
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.6-2
ii setools 4.0.1-6
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
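As an added illustration (not part of the bug report), a small Python parser that groups the AVC denials quoted above by source type, target type and object class, the way one would triage them before deciding what a local policy module for mount_t would need; the sample lines are constructed from the report's audit.log with the dev/ino fields dropped.

```python
import re
from collections import defaultdict

# Constructed samples in the shape of the report's audit.log lines (dev/ino fields dropped).
ENFORCING = """\
type=AVC msg=audit(1591305341.115:8766): avc: denied { execute } for pid=15818 comm="mount.fuse" name="dash" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
"""
PERMISSIVE = """\
type=AVC msg=audit(1591306138.508:8782): avc: denied { execute } for pid=15875 comm="mount.fuse" name="dash" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.508:8782): avc: denied { read open } for pid=15875 comm="mount.fuse" path="/bin/dash" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.536:8783): avc: denied { execute } for pid=15879 comm="sshfs" name="ssh" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.544:8784): avc: denied { read } for pid=15879 comm="ssh" name="config" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.548:8786): avc: denied { read } for pid=15879 comm="ssh" name="urandom" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1591306139.852:8787): avc: denied { read } for pid=15876 comm="sshfs" path="pipe:[437193]" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file permissive=1
"""

# One AVC record: the denied permission set, both contexts, the object class, and the mode.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\bpermissive=(?P<permissive>[01])"
)

def type_of(context):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return context.split(":")[2]

def parse_avc(lines):
    """Yield (source type, target type, class, perms, permissive) per AVC line; skip the rest."""
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
                   frozenset(m["perms"].split()), m["permissive"] == "1")

def summarize(lines):
    """Union the denied permissions per (source, target, class) triple."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avc(lines):
        needed[(stype, ttype, tclass)] |= perms
    return dict(needed)

def as_te_rules(summary):
    """Render the summary as TE allow rules (the form audit2allow prints), sorted for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]
```

Run over the enforcing-mode log the summary holds a single rule, because the failed execve of dash stops mount.fuse before anything else is attempted; the permissive-mode log yields the whole chain (dash, ssh, ssh_home_t, urandom_device_t, the sshfs pipe), which is what a policy fix would have to cover.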