12 Alpha: SELinux Denials After putting install.img on USB Stick

Robert L Cochran cochranb at speakeasy.net
Sun Aug 30 14:16:05 UTC 2009 

Last night, I downloaded the installation DVD for Fedora 12 x86_64. 
Checked the sha256sum of the iso file, then mounted it on my web server 
and extracted the file install.img from the images directory. Then 
plugged in my USB stick and used dd as root to write install.img to the 
stick like so:

[root at deafeng3 Fedora-12-Alpha-x86_64-DVD]# dd if=install.img of=/dev/sdb
239392+0 records in
239392+0 records out
122568704 bytes (123 MB) copied, 2.40894 s, 50.9 MB/s
[root at deafeng3 Fedora-12-Alpha-x86_64-DVD]# umount /dev/sdb1

Then I unplugged the USB stick and plugged it in again to the same USB 
port, just so I could check on whether I did the dd correctly. I got the 
following in /var/log/messages:

Aug 30 09:44:17 deafeng3 kernel: usb 2-1: new high speed USB device 
using ehci_hcd and address 3
Aug 30 09:44:17 deafeng3 kernel: usb 2-1: New USB device found, 
idVendor=1307, idProduct=0163
Aug 30 09:44:17 deafeng3 kernel: usb 2-1: New USB device strings: Mfr=1, 
Product=2, SerialNumber=3
Aug 30 09:44:17 deafeng3 kernel: usb 2-1: Product: Flash Disk
Aug 30 09:44:17 deafeng3 kernel: usb 2-1: Manufacturer: USB 2.0
Aug 30 09:44:17 deafeng3 kernel: usb 2-1: SerialNumber: a751edc7217524
Aug 30 09:44:17 deafeng3 kernel: usb 2-1: configuration #1 chosen from 1 
choice
Aug 30 09:44:17 deafeng3 kernel: scsi7 : SCSI emulation for USB Mass 
Storage devices
Aug 30 09:44:22 deafeng3 kernel: scsi 7:0:0:0: Direct-Access     USB 
2.0  Flash Disk       0.00 PQ: 0 ANSI: 2
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] 1974271 512-byte 
hardware sectors: (1.01 GB/963 MiB)
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] Write Protect is off
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] Assuming drive cache: 
write through
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] 1974271 512-byte 
hardware sectors: (1.01 GB/963 MiB)
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] Write Protect is off
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] Assuming drive cache: 
write through
Aug 30 09:44:22 deafeng3 kernel: sdb: unknown partition table
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: [sdb] Attached SCSI 
removable disk
Aug 30 09:44:22 deafeng3 kernel: sd 7:0:0:0: Attached scsi generic sg2 
type 0
Aug 30 09:44:22 deafeng3 kernel: squashfs: version 4.0 (2009/01/31) 
Phillip Lougher
Aug 30 09:44:27 deafeng3 setroubleshoot: SELinux is preventing mount 
(mount_t) "mount" unlabeled_t. For complete SELinux messages. run 
sealert -l 57d3e63a-f463-4a19-afd0-fab8cbaf8a3a
Aug 30 09:44:27 deafeng3 setroubleshoot: SELinux is preventing mount 
(mount_t) "mount" unlabeled_t. For complete SELinux messages. run 
sealert -l 57d3e63a-f463-4a19-afd0-fab8cbaf8a3a

Running sealert as requested yields this:

----------------------------------------------------------------------------------------------------------------------------------

[rlc at deafeng3 Fedora-12-Alpha-x86_64-DVD]$ sealert -l 
57d3e63a-f463-4a19-afd0-fab8cbaf8a3a

Summary:

SELinux is preventing mount (mount_t) "mount" unlabeled_t.

Detailed Description:

SELinux denied access requested by mount. It is not expected that this 
access is
required by mount and this access may signal an intrusion attempt. It is 
also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
disable
SELinux protection altogether. Disabling SELinux protection is not 
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:mount_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        mount
Source Path                   /bin/mount
Port <Unknown>
Host                          deafeng3.signtype.info
Source RPM Packages           util-linux-ng-2.14.2-9.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-80.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     deafeng3.signtype.info
Platform                      Linux deafeng3.signtype.info
                               2.6.29.6-217.2.16.fc11.x86_64 #1 SMP Mon 
Aug 24
                               17:17:40 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sun Aug 30 09:44:22 2009
Last Seen                     Sun Aug 30 09:44:22 2009
Local ID                      57d3e63a-f463-4a19-afd0-fab8cbaf8a3a
Line Numbers

Raw Audit Messages

node=deafeng3.signtype.info type=AVC msg=audit(1251639862.705:34): avc:  
denied  { mount } for  pid=5398 comm="mount" name="/" dev=sdb ino=743 
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=deafeng3.signtype.info type=SYSCALL msg=audit(1251639862.705:34): 
arch=c000003e syscall=165 success=no exit=-13 a0=7f974bd1a930 
a1=7f974bd1a950 a2=7f974bd1a970 a3=ffffffffc0ed0007 items=0 ppid=3041 
pid=5398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" 
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)

------------------------------------------------------------------------------------------------

Any ideas about whether this will be a problem for purposes of 
installing Fedora 12 on a brand new hard drive?

Thanks

Bob Cochran
Greenbelt, Maryland, USA

More information about the fedora-test-list mailing list