Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important
Dear Maintainer,

Problem description:

I set up automounting with sshfs. My SELinux is in Enforcing mode. When
triggering the automount, it fails and a SELinux security alert shows up:

***audit.log***
type=AVC msg=audit(1591302044.718:8608): avc: denied { execute } for pid=14500 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
***************

***syslog***
Jun 4 23:20:44 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 14498 (ls)
Jun 4 23:20:44 vps systemd[1]: Mounting /mnt/maks...
Jun 4 23:20:44 vps systemd[1]: mnt-maks.mount: Mount process exited, code=exited status=1
Jun 4 23:20:44 vps systemd[1]: Failed to mount /mnt/maks.
Jun 4 23:20:44 vps systemd[1]: mnt-maks.mount: Unit entered failed state.
************

When setting SELinux to permissive, the automounting with sshfs works as expected.

Environment description:

-- fstab
root@vps:~# grep ssh /etc/fstab
media:/vps/maks /mnt/maks fuse.sshfs noauto,x-systemd.automount,_netdev,users,allow_other,reconnect,ServerAliveInterval=15,ServerAliveCountMax=2 0 0

-- packages
ii sshfs 2.8-1
ii mount 2.29.2-1+deb9u1

How to reproduce with Enforcing mode:

root@vps:~# setenforce 1
root@vps:~# getenforce
Enforcing
root@vps:~# grep sshfs /etc/fstab
media:/vps/maks /mnt/maks fuse.sshfs noauto,x-systemd.automount,_netdev,users,allow_other,reconnect,ServerAliveInterval=15,ServerAliveCountMax=2 0 0
root@vps:~# systemctl daemon-reload
root@vps:~# systemctl list-unit-files --type=mount
UNIT FILE                      STATE
-.mount                        generated
boot-efi.mount                 generated
dev-hugepages.mount            static
dev-mqueue.mount               static
mnt-maks.mount                 generated
proc-sys-fs-binfmt_misc.mount  static
sys-fs-fuse-connections.mount  static
sys-kernel-config.mount        static
sys-kernel-debug.mount         static

9 unit files listed.
root@vps:~# systemctl list-unit-files --type=automount
UNIT FILE                          STATE
mnt-maks.automount                 generated
proc-sys-fs-binfmt_misc.automount  static

2 unit files listed.
root@vps:~# systemctl restart mnt-maks.automount
root@vps:~# systemctl status mnt-maks.automount
● mnt-maks.automount
   Loaded: loaded (/etc/fstab; generated; vendor preset: enabled)
   Active: active (waiting) since Fri 2020-06-05 00:13:58 MSK; 6s ago
    Where: /mnt/maks
     Docs: man:fstab(5)
           man:systemd-fstab-generator(8)

Jun 05 00:13:58 vps.k-max.name systemd[1]: Set up automount mnt-maks.automount.
root@vps:~#
root@vps:~# findmnt -u
TARGET SOURCE FSTYPE OPTIONS
/ /dev/vda1 ext4 rw,relatime,seclabel,data=ordered
├─/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime,seclabel
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/selinux selinuxfs selinuxfs rw,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs rw,seclabel,mode=755
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
│ │ ├─/sys/fs/cgroup/freezer cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/devices cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/blkio cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/memory cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/pids cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/cpuset cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset,clone_children
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ └─/sys/fs/cgroup/perf_event cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event
│ ├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime,seclabel
│ ├─/sys/firmware/efi/efivars efivarfs efivarfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/debug debugfs debugfs rw,relatime,seclabel
│ │ └─/sys/kernel/debug/tracing tracefs tracefs rw,relatime
│ └─/sys/fs/fuse/connections fusectl fusectl rw,relatime
├─/proc proc proc rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc systemd-1 autofs rw,relatime,fd=25,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=9019
│   └─/proc/sys/fs/binfmt_misc binfmt_misc binfmt_misc rw,relatime
├─/dev udev devtmpfs rw,nosuid,relatime,seclabel,size=497396k,nr_inodes=124349,mode=755
│ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm tmpfs tmpfs rw,nosuid,nodev,seclabel
│ ├─/dev/hugepages hugetlbfs hugetlbfs rw,relatime,seclabel
│ └─/dev/mqueue mqueue mqueue rw,relatime,seclabel
├─/run tmpfs tmpfs rw,nosuid,noexec,relatime,seclabel,size=101716k,mode=755
│ ├─/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,seclabel,size=5120k
│ └─/run/user/0 tmpfs tmpfs rw,nosuid,nodev,relatime,seclabel,size=101712k,mode=700
├─/boot/efi /dev/vda15 vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
└─/mnt/maks systemd-1 autofs rw,relatime,fd=32,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=436445
root@vps:~#
root@vps:~# ls -la /mnt/maks/
ls: cannot access '/mnt/maks/': No such device
root@vps:~#
root@vps:~# mount -v /mnt/maks/
fuse: failed to open mountpoint for reading: No such device
root@vps:~# grep systemd /var/log/syslog | tail -15
Jun 5 00:09:28 vps systemd[1]: Started Clean php session files.
Jun 5 00:13:58 vps systemd[1]: Stopped target Remote File Systems.
Jun 5 00:13:58 vps systemd[1]: Stopping Remote File Systems.
Jun 5 00:13:58 vps systemd[1]: Set up automount mnt-maks.automount.
Jun 5 00:13:58 vps systemd[1]: Reached target Remote File Systems.
Jun 5 00:15:41 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 15816 (ls)
Jun 5 00:15:41 vps systemd[1]: Mounting /mnt/maks...
Jun 5 00:15:41 vps systemd[1]: mnt-maks.mount: Mount process exited, code=exited status=1
Jun 5 00:15:41 vps systemd[1]: Failed to mount /mnt/maks.
Jun 5 00:15:41 vps systemd[1]: mnt-maks.mount: Unit entered failed state.
Jun 5 00:16:07 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 15825 (sshfs)
Jun 5 00:16:07 vps systemd[1]: Mounting /mnt/maks...
Jun 5 00:16:07 vps systemd[1]: mnt-maks.mount: Mount process exited, code=exited status=1
Jun 5 00:16:07 vps systemd[1]: Failed to mount /mnt/maks.
Jun 5 00:16:07 vps systemd[1]: mnt-maks.mount: Unit entered failed state.
root@vps:~# tail -6 /var/log/audit/audit.log
type=AVC msg=audit(1591305341.115:8766): avc: denied { execute } for pid=15818 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591305341.115:8766): arch=c000003e syscall=59 success=no exit=-13 a0=55b24f5f45fe a1=7ffc7f7e5df0 a2=55b24ffe8290 a3=7ffc7f7e5e90 items=0 ppid=15817 pid=15818 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.fuse" exe="/sbin/mount.fuse" subj=system_u:system_r:mount_t:s0 key=(null)
type=PROCTITLE msg=audit(1591305341.115:8766): proctitle=2F7362696E2F6D6F756E742E66757365006D656469613A2F7670732F6D616B73002F6D6E742F6D616B73002D6F0072772C6E6F657865632C6E6F737569642C6E6F6465762C616C6C6F775F6F746865722C7265636F6E6E6563742C536572766572416C697665496E74657276616C3D31352C536572766572416C697665436F75
type=AVC msg=audit(1591305367.343:8767): avc: denied { execute } for pid=15827 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591305367.343:8767): arch=c000003e syscall=59 success=no exit=-13 a0=563aecbfb5fe a1=7ffc8bda2be0 a2=563aed7ac290 a3=7ffc8bda2c80 items=0 ppid=15826 pid=15827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount.fuse" exe="/sbin/mount.fuse" subj=system_u:system_r:mount_t:s0 key=(null)
type=PROCTITLE msg=audit(1591305367.343:8767): proctitle=2F7362696E2F6D6F756E742E66757365006D656469613A2F7670732F6D616B73002F6D6E742F6D616B73002D6F0072772C6E6F657865632C6E6F737569642C6E6F6465762C616C6C6F775F6F746865722C7265636F6E6E6563742C536572766572416C697665496E74657276616C3D31352C536572766572416C697665436F75

How it works in Permissive mode:

root@vps:~# setenforce 0
root@vps:~# getenforce
Permissive
root@vps:~# ls -la /mnt/maks/
total 2042940
drwxr-xr-x. 1 1003 1003   4096 May 31 02:30 .
drwxr-xr-x. 3 root root   4096 May 11 23:24 ..
-rw-r--r--. 1 1003 1003 610057 May  4 02:30 backup_2020-05-04.tar.bz2
-rw-r--r--. 1 1003 1003      0 May  4 22:42 test
root@vps:~# systemctl status mnt-maks.automount
● mnt-maks.automount
   Loaded: loaded (/etc/fstab; generated; vendor preset: enabled)
   Active: active (running) since Fri 2020-06-05 00:13:58 MSK; 15min ago
    Where: /mnt/maks
     Docs: man:fstab(5)
           man:systemd-fstab-generator(8)

Jun 05 00:13:58 vps.k-max.name systemd[1]: Set up automount mnt-maks.automount.
Jun 05 00:15:41 vps.k-max.name systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by
Jun 05 00:16:07 vps.k-max.name systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by
Jun 05 00:28:58 vps.k-max.name systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by
root@vps:~# grep systemd /var/log/syslog | tail -3
Jun 5 00:28:58 vps systemd[1]: mnt-maks.automount: Got automount request for /mnt/maks, triggered by 15873 (ls)
Jun 5 00:28:58 vps systemd[1]: Mounting /mnt/maks...
Jun 5 00:28:58 vps systemd[1]: Mounted /mnt/maks.
root@vps:~# grep "mount\|avc" /var/log/audit/audit.log | tail -21
type=AVC msg=audit(1591306138.508:8782): avc: denied { execute } for pid=15875 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.508:8782): avc: denied { read open } for pid=15875 comm="mount.fuse" path="/bin/dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.508:8782): avc: denied { execute_no_trans } for pid=15875 comm="mount.fuse" path="/bin/dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.508:8782): arch=c000003e syscall=59 success=yes exit=0 a0=561013bbb5fe a1=7ffd56e6fc30 a2=5610144c1290 a3=7ffd56e6fcd0 items=0 ppid=15874 pid=15875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.536:8783): avc: denied { execute } for pid=15879 comm="sshfs" name="ssh" dev="vda1" ino=131321 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.536:8783): avc: denied { read open } for pid=15879 comm="sshfs" path="/usr/bin/ssh" dev="vda1" ino=131321 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.536:8783): avc: denied { execute_no_trans } for pid=15879 comm="sshfs" path="/usr/bin/ssh" dev="vda1" ino=131321 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.536:8783): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd0995a310 a1=555c42675fa0 a2=7ffd0995a848 a3=7f367aac4180 items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.544:8784): avc: denied { read } for pid=15879 comm="ssh" name="config" dev="vda1" ino=1308331 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591306138.544:8784): avc: denied { open } for pid=15879 comm="ssh" path="/root/.ssh/config" dev="vda1" ino=1308331 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.544:8784): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdbce501f0 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.548:8785): avc: denied { getattr } for pid=15879 comm="ssh" path="/root/.ssh/config" dev="vda1" ino=1308331 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591306138.548:8785): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffdbce4fce0 a2=7ffdbce4fce0 a3=0 items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306138.548:8786): avc: denied { read } for pid=15879 comm="ssh" name="urandom" dev="devtmpfs" ino=6508 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1591306138.548:8786): avc: denied { open } for pid=15879 comm="ssh" path="/dev/urandom" dev="devtmpfs" ino=6508 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1591306138.548:8786): arch=c000003e syscall=2 success=yes exit=3 a0=7fb8c63ffdfa a1=900 a2=7fb8c63ffc73 a3=69f items=0 ppid=1 pid=15879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1591306139.852:8787): avc: denied { read } for pid=15876 comm="sshfs" path="pipe:[437193]" dev="pipefs" ino=437193 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1591306139.852:8788): avc: denied { write } for pid=15880 comm="sshfs" path="pipe:[437193]" dev="pipefs" ino=437193 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file permissive=1
type=SYSCALL msg=audit(1591306139.852:8787): arch=c000003e syscall=0 success=yes exit=1 a0=5 a1=7ffd0995a42f a2=1 a3=7f367b8859d0 items=0 ppid=15875 pid=15876 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshfs" exe="/usr/bin/sshfs" subj=system_u:system_r:mount_t:s0 key=(null)
type=SYSCALL msg=audit(1591306139.852:8788): arch=c000003e syscall=1 success=yes exit=1 a0=6 a1=7ffd0995a42f a2=1 a3=7f367b885700 items=0 ppid=1 pid=15880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshfs" exe="/usr/bin/sshfs" subj=system_u:system_r:mount_t:s0 key=(null)

I have tried to enable this bool:

root@vps:~# semanage boolean -l | grep mount
allow_mount_anyfile            (on   ,   on)  Allow the mount command to mount any directory or file.
xguest_mount_media             (off  ,  off)  Determine whether xguest can mount removable media.
(reverse-i-search)`statu': cat /var/log/openvpn-^Catus.log.anton
root@vps:~# ls -al /mnt/maks/
ls: cannot access '/mnt/maks/': No such device
root@vps:~#

But it still does not work.
-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
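Added example, not part of the bug report above: a small Python triage script that parses AVC records of the kind quoted in the report and folds them into the permissions mount_t was denied, grouped by target type and object class. It makes the contrast in the report concrete: the enforcing-mode log yields a single tuple (the execve of dash fails, so nothing downstream ever runs), while the permissive-mode log exposes the whole mount.fuse -> dash -> sshfs -> ssh chain. The sample lines are constructed from the report's own records with some fields trimmed; the rendered allow rules are for review, not a policy the page proposes.

```python
import re
from collections import defaultdict

# Only AVC records match; SYSCALL/PROCTITLE records in the same log are skipped.
AVC_RE = re.compile(
    r'^type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\w+) permissive=(?P<permissive>[01])'
)

# Sample input constructed from the records quoted in the report (ppid/ino
# and register fields trimmed for width; the record layout is unchanged).
ENFORCING_LOG = [
    'type=AVC msg=audit(1591305341.115:8766): avc: denied { execute } for pid=15818 comm="mount.fuse" name="dash" dev="vda1" ino=261652 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1591305341.115:8766): arch=c000003e syscall=59 success=no exit=-13 comm="mount.fuse" exe="/sbin/mount.fuse" subj=system_u:system_r:mount_t:s0 key=(null)',
]
PERMISSIVE_LOG = [
    'type=AVC msg=audit(1591306138.508:8782): avc: denied { execute } for pid=15875 comm="mount.fuse" name="dash" dev="vda1" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1591306138.508:8782): avc: denied { read open } for pid=15875 comm="mount.fuse" path="/bin/dash" dev="vda1" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1591306138.508:8782): avc: denied { execute_no_trans } for pid=15875 comm="mount.fuse" path="/bin/dash" dev="vda1" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1591306138.536:8783): avc: denied { execute } for pid=15879 comm="sshfs" name="ssh" dev="vda1" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1591306138.544:8784): avc: denied { read } for pid=15879 comm="ssh" name="config" dev="vda1" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1591306138.548:8786): avc: denied { read } for pid=15879 comm="ssh" name="urandom" dev="devtmpfs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1591306139.852:8787): avc: denied { read } for pid=15876 comm="sshfs" path="pipe:[437193]" dev="pipefs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file permissive=1',
]

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    rec["stype"] = rec["scontext"].split(":")[2]  # source domain, e.g. mount_t
    rec["ttype"] = rec["tcontext"].split(":")[2]  # target type, e.g. shell_exec_t
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def denied_permissions(lines):
    """Fold records into {(source, target, class): set(permissions)}."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

def as_te_rules(needed):
    """Render the fold as one allow rule per tuple so each grant can be
    reviewed on its own before any of it goes into a local policy module."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in needed.items())
```

Running `denied_permissions` over a real audit.log (one line per record) works the same way; the point of folding per tuple is to see which of the grants are plausible for mount_t and which ones, such as executing a shell in the same domain, call for a policy change rather than a blanket allow.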