LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SELinux Message when trying automount/autofs (https://www.linuxquestions.org/questions/linux-security-4/selinux-message-when-trying-automount-autofs-572402/)

louisb 07-26-2007 07:49 AM
SELinux Message when trying automount/autofs
 
I'm trying to perform an automount for the very first time on a Red Hat Linux Enterprise 5 workstation. I've modified the "auto.master" and restarted "autofs". When I attempt to peform a cd on the automounted device I get the following message:

SummarySELinux is preventing /usr/sbin/automount (automount_t) "mounton" access to /home/users (user_home_dir_t).Detailed DescriptionSELinux denied access requested by /usr/sbin/automount. It is not expected that this access is required by /usr/sbin/automount and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a bug report against this package.Allowing AccessSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /home/users, restorecon -v /home/users. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a bug report against this package. Changing the "automount_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P automount_disable_trans=1."The following command will allow this access:setsebool -P automount_disable_trans=1Additional InformationSource Context: root:system_r:automount_tTarget Context: root:object_r:user_home_dir_tTarget Objects: /home/users [ dir ]Affected RPM Packages: autofs-5.0.1-0.rc2.42 [application]Policy RPM: selinux-policy-2.4.6-30.el5Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: EnforcingPlugin Name: plugins.disable_transHost Name: localhost.localdomainPlatform: Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686

Alert Count: 1Line Numbers: Raw Audit Messages :avc: denied { mounton } for comm="automount" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/automount" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="users" path="/home/users" pid=4713 scontext=root:system_r:automount_t:s0 sgid=0 subj=root:system_r:automount_t:s0 suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0

Can anyone tell me what is happing here? I did execute the suggest command to disable SELinux however, I'm not comfortable with it because I'd like to have as much security as possible. Since I do travel and I'm learning Linux for the first time.

Thank

unSpawn 07-28-2007 04:27 AM
I did execute the suggest command to disable SELinux
You mean the automount_disable_trans boolean? Or all of SELinux? Next to that it says "Instead, you can generate a local policy module to allow this access", so check out 'audit2allow'. Since you use FC5 you need to install the selinux-policy-$POLICYTYPE-sources, run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te then "make -C /etc/selinux/$POLICYTYPE/src/policy load". That should work.


All times are GMT -5. The time now is 04:22 PM.