SELinux is preventing (-userdbd) from remount access on the filesystem

Running Fedora-33 Server connected to FreeIPA, I am getting the following message multiple times. SELinux is in permissive mode now so I can try to find the issue.


setroubleshoot[19251]: SELinux is preventing (-userdbd) from remount access on the filesystem . For complete SELinux messages run: sealert -l 8aae00eb-7e96-4d10-99aa-83de15990002

OUTPUT

SELinux is preventing (-userdbd) from remount access on the filesystem .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (-userdbd) should be allowed remount access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(-userdbd)' --raw | audit2allow -M my-userdbd
# semodule -X 300 -i my-userdbd.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:httpd_sys_content_t:s0
Target Objects [ filesystem ]
Source (-userdbd)
Source Path (-userdbd)
Port
Host pi.thillo.lan
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.6-29.fc33.noarch
Local Policy RPM selinux-policy-targeted-3.14.6-29.fc33.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name pi.thillo.lan
Platform Linux pi.thillo.lan 5.8.17-300.fc33.aarch64 #1 SMP
Thu Oct 29 15:47:23 UTC 2020 aarch64 aarch64
Alert Count 74
First Seen 2020-10-28 10:26:58 CET
Last Seen 2020-11-06 07:39:18 CET
Local ID 8aae00eb-7e96-4d10-99aa-83de15990002

Raw Audit Messages
type=AVC msg=audit(1604644758.437:3964): avc:  denied  { remount } for  pid=19230 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem permissive=1

Hash: (-userdbd),init_t,httpd_sys_content_t,filesystem,remount


Does anyone know how I can do further debugging or point me to a possible solution?


If there’s no appropriate SELinux boolean, then you should follow the suggestions given in the output of sealert, i.e. create an exception policy and/or file a bug.

Thanks. I found the cause. I mounted an NFS filesystem with the httpd_sys_content_t SELinux context for Apache httpd to access the data.
Now I mounted it the normal way (nfs_t) and set the SELinux boolean httpd_use_nfs to allow it to access the data.
The SELinux message disappeared and I am now able to start the system in enforcing mode again.

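Added example, not part of the thread: a triage helper that takes the raw AVC record quoted above and, for a filesystem-class denial, lists the mounts whose `context=` or `fscontext=` option carries the denied target type, which is how the cause found in the last post can be located. The mount table is constructed sample data (host name and paths are placeholders), and the function names are hypothetical.

```python
import re

# Raw AVC record copied from the sealert output quoted in the thread.
AVC = ('type=AVC msg=audit(1604644758.437:3964): avc:  denied  { remount } for  '
       'pid=19230 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 '
       'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem '
       'permissive=1')

# Constructed mount table in /proc/mounts layout; host and paths are placeholders.
MOUNTS = """\
/dev/sda3 / xfs rw,seclabel,relatime 0 0
nfs.example.test:/export/www /srv/www nfs4 rw,context=system_u:object_r:httpd_sys_content_t:s0 0 0
nfs.example.test:/export/home /home nfs4 rw,relatime 0 0
"""

def parse_avc(line):
    """Extract permissions, SELinux types and object class from one AVC record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": re.search(r"\{ ([^}]*)\}", line).group(1).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def mounts_forcing_label(mounts_text, target_type):
    """Return mounts whose context/fscontext option pins the label to target_type."""
    hits = []
    for row in mounts_text.splitlines():
        cols = row.split()
        if len(cols) < 4:
            continue
        device, mountpoint, fstype, options = cols[:4]
        # Simplification: assumes no commas inside the context (no MLS category list).
        for opt in options.split(","):
            key, _, value = opt.partition("=")
            if key in ("context", "fscontext") and value.strip('"').split(":")[2:3] == [target_type]:
                hits.append((device, mountpoint, fstype, key))
    return hits

def triage(avc_line, mounts_text):
    """For a filesystem-class denial, list the mounts carrying the denied target type."""
    avc = parse_avc(avc_line)
    if avc["tclass"] != "filesystem":
        return []
    return mounts_forcing_label(mounts_text, avc["target_type"])

if __name__ == "__main__":
    for device, mountpoint, fstype, opt in triage(AVC, MOUNTS):
        print(f"{mountpoint} ({fstype} from {device}) is labelled via {opt}=")
```

On a live system, pass the contents of `/proc/mounts` as the second argument to `triage`.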