I've recently had issues mounting drives with selinux enabled. The audit log would show a significant amount of AVC denials related to udisksd. Converting them with audit2allow didn't yield any useful result since a few of them were neverallow rules in the base policy. After digging further I've noticed that /etc/selinux/targeted/contexts/files/file_contexts contained the following entries:

/lib/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t
/usr/lib/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t

Neither of which points to udisksd, which is located at /usr/libexec/udisks2/udisksd.

I've tried adding this line to file_contexts.local and the problem disappears entirely, allowing me to mount drives without any AVC denial:

/usr/libexec/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t

It's probably just a matter of fixing it in the package so that the entry in file_contexts is correct.

Reproducible: Always

Steps to Reproduce:
I've got a Xfce desktop installation using the desktop and selinux profiles together. Default configuration was used for all the components involved (thunar, udisksd, etc...).

Actual Results:
Trying to mount a USB key or another local volume from the desktop would fail due to AVC denials related to udisksd.
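Added example (not part of the original report, nor code from the policy project): a simplified matcher for file_contexts-format lines that shows why the two quoted entries never apply to /usr/libexec/udisks2/udisksd and how the local entry changes the result. The catch-all entry and its bin_t type are constructed for illustration, and "last matching entry wins" is a simplification of libselinux's real ordering.

```python
import re

# Entries quoted in the report: base policy, then the reporter's local addition.
BASE = (
    "/lib/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t\n"
    "/usr/lib/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t\n"
)
LOCAL = "/usr/libexec/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t\n"
# Constructed catch-all entry; the bin_t type is an assumption for illustration.
FALLBACK = "/usr/libexec(/.*)? system_u:object_r:bin_t\n"

# Optional second field restricting an entry to one file type.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "pipe"}


def parse_specs(text):
    """Parse file_contexts lines into (regex, file type or None, context)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            pattern, ftype, context = fields[0], FILE_TYPES[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        specs.append((re.compile(pattern), ftype, context))
    return specs


def lookup(specs, path, ftype="file"):
    """Return the context of the last entry matching the whole path, or None."""
    for regex, spec_type, context in reversed(specs):
        # Path regexes are anchored at both ends, hence fullmatch.
        if spec_type in (None, ftype) and regex.fullmatch(path):
            return context
    return None


if __name__ == "__main__":
    target = "/usr/libexec/udisks2/udisksd"
    for name, text in (("base only", FALLBACK + BASE),
                       ("base + local", FALLBACK + BASE + LOCAL)):
        print(f"{name}: {target} -> {lookup(parse_specs(text), target)}")
```

On a live system, `matchpathcon /usr/libexec/udisks2/udisksd` answers the same question against the installed policy, and `restorecon -v` applies the result to the file.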
Created attachment 449738
[PATCH] Properly label the udisksd executable

This is a patch done against hardened-refpolicy's master branch which properly labels the udisksd executable, thus solving the issue.
Created attachment 449740
[PATCH] Properly label the udisksd executable

Wrong patch, this is the right one, sorry for the noise.
Created attachment 449742
[PATCH] Properly label the udisksd executable

Ugh, I should have drunk more coffee this morning. This is the right one, sorry again for the noise.
CC'ing one of the maintainers,
This is already fixed in the last stable version of selinux-base (2.20161023-r3) so I think the bug can be closed.
Yup indeed, forgot to resolve the bug after stabilization of r2.