Bug 1565293

Summary: autofs issue for /net mount : Too many levels of symbolic links
Product: [Fedora] Fedora
Reporter: Pierre-Francois RENARD <pfrenard>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: airlied, bfields, bskeggs, ewk, hdegoede, ichavero, ikent, itamar, jarodwilson, jglisse, jlayton, john.j5live, jonathan, josef, kernel-maint, linville, mchehab, mjg59, pfrenard, samuel-rhbugs, steved
Flags: jforbes: needinfo?
Hardware: Unspecified
OS: Linux
: 1575343 (view as bug list)
Last Closed: 2018-08-29 15:06:18 UTC
Type: Bug
Bug Blocks: 1575343
Attachments:
Patch - autofs - mount point create should honour passed in mode (flags: none)

Description Pierre-Francois RENARD 2018-04-09 19:38:09 UTC
Description of problem:
autofs is not able to mount any exports into /net
cd <nfsserver> gives 
-bash: cd: <nfsserver>: Too many levels of symbolic links




Version-Release number of selected component (if applicable):
Fedora 28 - aarch64
kernel 4.16.0-300.fc28.aarch64
autofs 5.1.4-16

How reproducible:
each time

Steps to Reproduce:
1. configure autofs to enable /net and restart it
2. cd /net/<nfsserver>
3.

Actual results:
-bash: cd: <nfsserver>: Too many levels of symbolic links

Expected results:
change directory to /net/<nfsserver>

Additional info:
it may be a bad interaction with selinux.
changing SELinux from "enforcing" to "permissive" solves the issue

logs from journalctl 
Apr 09 21:34:48 pi11.intranet.net automount[1988]: handle_packet: type = 3
Apr 09 21:34:48 pi11.intranet.net automount[1988]: handle_packet_missing_indirect: token 159, name syno01, request pid 1285
Apr 09 21:34:48 pi11.intranet.net automount[1988]: attempting to mount entry /net/syno01
Apr 09 21:34:48 pi11.intranet.net automount[1988]: lookup_mount: lookup(hosts): syno01 -> (null)
Apr 09 21:34:48 pi11.intranet.net automount[1988]: get_exports: lookup(hosts): fetchng export list for syno01
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mount: parse(sun): expanded entry: "/volume1/data" "syno01:/volume1/data"
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mount: parse(sun): gathered options:
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mount: parse(sun): dequote(""/volume1/data"") -> /volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mapent: parse(sun): gathered options:
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mapent: parse(sun): dequote(""syno01:/volume1/data"") -> syno01:/volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: update_offset_entry: parse(sun): updated multi-mount offset /volume1/data -> syno01:/volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: do_mount_autofs_offset: mount offset /net/syno01/volume1/data at /net/syno01
Apr 09 21:34:48 pi11.intranet.net audit[1988]: AVC avc:  denied  { dac_override } for  pid=1988 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability permissive=0
Apr 09 21:34:48 pi11.intranet.net automount[1988]: mount_autofs_offset: can't create mount directory: /net/syno01/volume1/data, Permission denied
Apr 09 21:34:48 pi11.intranet.net automount[1988]: failed to mount offset
Apr 09 21:34:48 pi11.intranet.net automount[1988]: dev_ioctl_send_ready: token = 159
Apr 09 21:34:48 pi11.intranet.net automount[1988]: mounted /net/syno01
Apr 09 21:34:48 pi11.intranet.net automount[1988]: handle_packet: type = 3
Apr 09 21:34:48 pi11.intranet.net automount[1988]: handle_packet_missing_indirect: token 160, name syno01, request pid 1285
Apr 09 21:34:48 pi11.intranet.net automount[1988]: attempting to mount entry /net/syno01
Apr 09 21:34:48 pi11.intranet.net automount[1988]: lookup_mount: lookup(hosts): syno01 -> (null)
Apr 09 21:34:48 pi11.intranet.net automount[1988]: get_exports: lookup(hosts): fetchng export list for syno01
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mount: parse(sun): expanded entry: "/volume1/data" "syno01:/volume1/data"
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mount: parse(sun): gathered options:
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mount: parse(sun): dequote(""/volume1/data"") -> /volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mapent: parse(sun): gathered options:
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse_mapent: parse(sun): dequote(""syno01:/volume1/data"") -> syno01:/volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: duplcate offset detected for key /net/syno01/volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: map entry updated with: syno01:/volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: parse(sun): syntax error or duplicate offset /volume1/data -> syno01:/volume1/data
Apr 09 21:34:48 pi11.intranet.net automount[1988]: do_mount_autofs_offset: mount offset /net/syno01/volume1/data at /net/syno01
Apr 09 21:34:48 pi11.intranet.net audit[1988]: AVC avc:  denied  { dac_override } for  pid=1988 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability permissive=0
Apr 09 21:34:48 pi11.intranet.net automount[1988]: mount_autofs_offset: can't create mount directory: /net/syno01/volume1/data, Permission denied
Apr 09 21:34:48 pi11.intranet.net automount[1988]: failed to mount offset
Apr 09 21:34:48 pi11.intranet.net automount[1988]: dev_ioctl_send_ready: token = 160
Apr 09 21:34:48 pi11.intranet.net automount[1988]: mounted /net/syno01

Comment 1 Steve Dickson 2018-04-09 19:46:02 UTC
Changing Component autofs...

Comment 2 Ian Kent 2018-04-10 01:04:01 UTC
It looks a lot like an selinux problem to me.

Presumably the /net directory was created ok and the autofs
mount done at /net otherwise there wouldn't have been a callback.

Can you post the whole log so I can be sure though.

Also post a listing of /net itself and its contents.

Comment 3 Ian Kent 2018-04-10 02:09:25 UTC
(In reply to Ian Kent from comment #2)
> 
> Also post a listing of /net itself and its contents.

I should have said a long listing, ie. "ls -l" of each of these.

Comment 4 Ian Kent 2018-04-10 02:21:22 UTC
(In reply to Ian Kent from comment #3)
> (In reply to Ian Kent from comment #2)
> > 
> > Also post a listing of /net itself and its contents.
> 
> I should have said a long listing, ie. "ls -l" of each of these.

Come to think of it there's more we need to check.

If the /net directory already existed autofs won't remove it and
re-create it.

I'm wondering if /net has been previously created with permissions
that cause the more strict selinux policy to reject the mount point
directory create and it hasn't been re-created by automount since.

So can you stop autofs, ensure there is no mount on /net at all.
Manually umount them if necessary, then do an "ls -l" to check
the permissions.

After this, and assuming there is nothing mounted on /net and
that it does exist, do an "rm -rf /net" and start autofs again.

Comment 5 Pierre-Francois RENARD 2018-04-10 13:55:53 UTC
(In reply to Ian Kent from comment #4)
> (In reply to Ian Kent from comment #3)
> > (In reply to Ian Kent from comment #2)
> > > 
> > > Also post a listing of /net itself and its contents.
> > 
> > I should have said a long listing, ie. "ls -l" of each of these.
> 
> Come to think of it there's more we need to check.
> 
> If the /net directory already existed autofs won't remove it and
> re-create it.
> 
> I'm wondering if /net has been previously created with permissions
> that cause the more strict selinux policy to reject the mount point
> directory create and it hasn't been re-created by automount since.
> 
> So can you stop autofs, ensure there is no mount on /net at all.
> Manually umount them if necessary, then do an "ls -l" to check
> the permissions.
> 
> After this, and assuming there is nothing mounted on /net and
> that it does exist, do an "rm -rf /net" and start autofs again.

OK
1/ if /net is not present autofs will not create it !
here are the logs
Apr 10 15:50:25 pi11.intranet.net systemd[1]: Starting Automounts filesystems on demand...
Apr 10 15:50:25 pi11.intranet.net automount[1477]: Starting automounter version 5.1.4-16.fc28, master map auto.master
Apr 10 15:50:25 pi11.intranet.net automount[1477]: using kernel protocol version 5.02
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: reading master sss auto.master
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: auto.master not found, replacing '.' with '_'
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: no map - continuing to next source
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: reading master files auto.master
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_master: lookup(file): read entry /misc
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_master: lookup(file): read entry /net
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: reading master dir /etc/auto.master.d
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_master: lookup(file): read entry +auto.master
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: reading master sss auto.master
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: no map - continuing to next source
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_master: reading master files auto.master
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: master_do_mount: mounting /misc
Apr 10 15:50:25 pi11.intranet.net automount[1477]: automount_path_to_fifo: fifo name /run/autofs.fifo-misc
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_map: reading map file /etc/auto.misc
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: mounted indirect on /misc with timeout 300, freq 75 seconds
Apr 10 15:50:25 pi11.intranet.net automount[1477]: st_ready: st_ready(): state = 0 path /misc
Apr 10 15:50:25 pi11.intranet.net automount[1477]: master_do_mount: mounting /net
Apr 10 15:50:25 pi11.intranet.net automount[1477]: automount_path_to_fifo: fifo name /run/autofs.fifo-net
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_nss_read_map: reading map hosts (null)
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_map: lookup(hosts): read hosts map
Apr 10 15:50:25 pi11.intranet.net automount[1477]: lookup_read_map: lookup(hosts): map not browsable, update existing host entries only
Apr 10 15:50:25 pi11.intranet.net audit[1477]: AVC avc:  denied  { dac_override } for  pid=1477 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capa>
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_mount_autofs_indirect: failed to create autofs directory /net
Apr 10 15:50:25 pi11.intranet.net automount[1477]: handle_mounts: mount of /net failed!
Apr 10 15:50:25 pi11.intranet.net automount[1477]: master_do_mount: failed to startup mount
Apr 10 15:50:25 pi11.intranet.net systemd[1]: Started Automounts filesystems on demand.

 
2/ mkdir /net ; ls -l /net
total 0
drwxr-xr-x.  2 root root   6 Mar  5 23:17 .
dr-xr-xr-x. 19 root root 247 Mar  5 23:17 ..

journalctl gives :
Apr 10 15:53:16 pi11.intranet.net systemd[1]: Starting Automounts filesystems on demand...
Apr 10 15:53:16 pi11.intranet.net automount[1559]: Starting automounter version 5.1.4-16.fc28, master map auto.master
Apr 10 15:53:16 pi11.intranet.net automount[1559]: using kernel protocol version 5.02
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: reading master sss auto.master
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: auto.master not found, replacing '.' with '_'
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: no map - continuing to next source
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: reading master files auto.master
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master: lookup(file): read entry /misc
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master: lookup(file): read entry /net
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: reading master dir /etc/auto.master.d
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master: lookup(file): read entry +auto.master
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: reading master sss auto.master
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: no map - continuing to next source
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master: reading master files auto.master
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: master_do_mount: mounting /misc
Apr 10 15:53:16 pi11.intranet.net automount[1559]: automount_path_to_fifo: fifo name /run/autofs.fifo-misc
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_map: reading map file /etc/auto.misc
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: mounted indirect on /misc with timeout 300, freq 75 seconds
Apr 10 15:53:16 pi11.intranet.net automount[1559]: st_ready: st_ready(): state = 0 path /misc
Apr 10 15:53:16 pi11.intranet.net automount[1559]: master_do_mount: mounting /net
Apr 10 15:53:16 pi11.intranet.net automount[1559]: automount_path_to_fifo: fifo name /run/autofs.fifo-net
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_map: reading map hosts (null)
Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init gathered global options: vers=3
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_map: lookup(hosts): read hosts map
Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_map: lookup(hosts): map not browsable, update existing host entries only
Apr 10 15:53:16 pi11.intranet.net automount[1559]: mounted indirect on /net with timeout 300, freq 75 seconds
Apr 10 15:53:16 pi11.intranet.net automount[1559]: st_ready: st_ready(): state = 0 path /net
Apr 10 15:53:16 pi11.intranet.net systemd[1]: Started Automounts filesystems on demand.
Apr 10 15:53:16 pi11.intranet.net audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=autofs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? termina>

Comment 6 Ian Kent 2018-04-10 23:45:55 UTC
(In reply to RENARD from comment #5)
> (In reply to Ian Kent from comment #4)
> > (In reply to Ian Kent from comment #3)
> > > (In reply to Ian Kent from comment #2)
> > > > 
> > > > Also post a listing of /net itself and its contents.
> > > 
> > > I should have said a long listing, ie. "ls -l" of each of these.
> > 
> > Come to think of it there's more we need to check.
> > 
> > If the /net directory already existed autofs won't remove it and
> > re-create it.
> > 
> > I'm wondering if /net has been previously created with permissions
> > that cause the more strict selinux policy to reject the mount point
> > directory create and it hasn't been re-created by automount since.
> > 
> > So can you stop autofs, ensure there is no mount on /net at all.
> > Manually umount them if necessary, then do an "ls -l" to check
> > the permissions.
> > 
> > After this, and assuming there is nothing mounted on /net and
> > that it does exist, do an "rm -rf /net" and start autofs again.
> 

snip ...

> 
>  
> 2/ mkdir /net ; ls -l /net
> total 0
> drwxr-xr-x.  2 root root   6 Mar  5 23:17 .
> dr-xr-xr-x. 19 root root 247 Mar  5 23:17 ..

Maybe you misunderstood.

My whole point of doing this was to check if /net already existed
with incorrect permissions which we can't do now.

If /net doesn't exist it will be created with mode of 755 with
the current revision of autofs, the question I was trying to
answer was whether it existed from an older revision of autofs
that used permissions which now cause selinux problems.

> 
> journalctl gives :
> Apr 10 15:53:16 pi11.intranet.net systemd[1]: Starting Automounts
> filesystems on demand...
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: Starting automounter
> version 5.1.4-16.fc28, master map auto.master
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: using kernel protocol
> version 5.02
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> reading master sss auto.master
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: setautomntent:
> lookup(sss): setautomntent: No such file or directory
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> auto.master not found, replacing '.' with '_'
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: setautomntent:
> lookup(sss): setautomntent: No such file or directory
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> no map - continuing to next source
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> reading master files auto.master
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master:
> lookup(file): read entry /misc
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master:
> lookup(file): read entry /net
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master:
> lookup(file): read entry +dir:/etc/auto.master.d
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> reading master dir /etc/auto.master.d
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master:
> lookup(dir): scandir: /etc/auto.master.d
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_master:
> lookup(file): read entry +auto.master
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> reading master sss auto.master
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: setautomntent:
> lookup(sss): setautomntent: No such file or directory
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> no map - continuing to next source
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_master:
> reading master files auto.master
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: master_do_mount: mounting
> /misc
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: automount_path_to_fifo:
> fifo name /run/autofs.fifo-misc
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_map:
> reading map file /etc/auto.misc
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: mounted indirect on /misc
> with timeout 300, freq 75 seconds
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: st_ready: st_ready():
> state = 0 path /misc
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: master_do_mount: mounting
> /net
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: automount_path_to_fifo:
> fifo name /run/autofs.fifo-net
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_nss_read_map:
> reading map hosts (null)
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: do_init: parse(sun): init
> gathered global options: vers=3
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_map:
> lookup(hosts): read hosts map
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: lookup_read_map:
> lookup(hosts): map not browsable, update existing host entries only
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: mounted indirect on /net
> with timeout 300, freq 75 seconds
> Apr 10 15:53:16 pi11.intranet.net automount[1559]: st_ready: st_ready():
> state = 0 path /net
> Apr 10 15:53:16 pi11.intranet.net systemd[1]: Started Automounts filesystems
> on demand.
> Apr 10 15:53:16 pi11.intranet.net audit[1]: SERVICE_START pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='unit=autofs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=?
> addr=? termina>

Nevertheless this looks like it now functions ....

So, if you now rmdir /net and start autofs does it work?

The problem I have seen is that selinux will prevent the creation
of directories in the root directory and throw the dac override
error. I already know that pre-creating the mount point directory
works around that problem.

But a previous reporter said autofs was working after I made the
directory permission changes so I wasn't sure about the top level
mount point directory creation problem.

Requiring people pre-create the top level directory of mount point
directories isn't acceptable and if selinux isn't changed there's
nothing I can do about it myself.

Given that after pointing this out I was ignored and now seeing
this I guess it isn't likely to change or perhaps, like me, they
thought the permission change fixed the problem.

Ian
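
Added example, not part of the bug report or of autofs: a triage helper that pairs each SELinux AVC denial for automount with the directory-creation failure logged by the same pid in the same second, regardless of line order. The function names are hypothetical; the sample lines are excerpted from the journal output posted in this report, including one cut off with a trailing ">".

```python
import re
from collections import defaultdict

# Sample input: lines taken from the journal excerpts in this report.
SAMPLE_JOURNAL = """\
Apr 09 21:34:48 pi11.intranet.net automount[1988]: do_mount_autofs_offset: mount offset /net/syno01/volume1/data at /net/syno01
Apr 09 21:34:48 pi11.intranet.net audit[1988]: AVC avc:  denied  { dac_override } for  pid=1988 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability permissive=0
Apr 09 21:34:48 pi11.intranet.net automount[1988]: mount_autofs_offset: can't create mount directory: /net/syno01/volume1/data, Permission denied
Apr 10 15:50:25 pi11.intranet.net audit[1477]: AVC avc:  denied  { dac_override } for  pid=1477 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capa>
Apr 10 15:50:25 pi11.intranet.net automount[1477]: do_mount_autofs_indirect: failed to create autofs directory /net
Apr 11 23:27:48 pi11.intranet.net automount[1883]: mounted indirect on /net with timeout 300, freq 75 seconds
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# automount messages in this report that name the directory it could not create.
FAILURE_RES = (
    re.compile(r"can't create mount directory: (?P<path>[^,]+),"),
    re.compile(r"failed to create autofs directory (?P<path>\S+)"),
)


def parse_avc(msg):
    """Return the fields of an AVC denial, or None if msg is not one."""
    m = AVC_RE.search(msg)
    if not m:
        return None
    pairs = KV_RE.findall(m.group("rest"))
    truncated = msg.rstrip().endswith(">")
    # A line cut mid-field leaves a half value such as 'tclass=capa>'; drop it
    # rather than report a class or mode that was never fully logged.
    if truncated and pairs and pairs[-1][1].endswith(">"):
        pairs = pairs[:-1]
    fields = {k: v.strip('"') for k, v in pairs}
    fields["perms"] = m.group("perms").split()
    fields["truncated"] = truncated
    return fields


def correlate(journal_text):
    """Group automount AVC denials with the mkdir failures of the same pid/second."""
    denials = defaultdict(list)
    failures = defaultdict(list)
    for line in journal_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["prog"] == "audit":
            avc = parse_avc(m["msg"])
            if avc and avc.get("comm") == "automount":
                denials[(m["ts"], avc.get("pid", m["pid"]))].append(avc)
        elif m["prog"] == "automount":
            for rx in FAILURE_RES:
                hit = rx.search(m["msg"])
                if hit and hit["path"] not in failures[(m["ts"], m["pid"])]:
                    failures[(m["ts"], m["pid"])].append(hit["path"])

    findings = []
    for (ts, pid), avcs in denials.items():
        permissive = next((a["permissive"] for a in avcs if "permissive" in a), None)
        findings.append({
            "ts": ts,
            "pid": pid,
            "perms": sorted({p for a in avcs for p in a["perms"]}),
            "tclass": next((a["tclass"] for a in avcs if "tclass" in a), None),
            # None means the permissive= field was not present (truncated line).
            "enforcing": None if permissive is None else permissive == "0",
            "truncated": any(a["truncated"] for a in avcs),
            "blocked_paths": failures.get((ts, pid), []),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_JOURNAL):
        print(f)
```
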

Comment 7 Pierre-Francois RENARD 2018-04-11 21:59:51 UTC
Ian,

sorry if I was not clear.

1/ if /net does not exist, autofs will not create it if selinux is in "enforcing" mode ( it is working when in "permissive" mode)

here are logs if /net does not exist:
Apr 11 23:21:26 pi11.intranet.net systemd[1]: Starting Automounts filesystems on demand...
Apr 11 23:21:26 pi11.intranet.net automount[1724]: Starting automounter version 5.1.4-16.fc28, master map auto.master
Apr 11 23:21:26 pi11.intranet.net automount[1724]: using kernel protocol version 5.02
Apr 11 23:21:26 pi11.intranet.net automount[1724]: lookup_nss_read_master: reading master sss auto.master
Apr 11 23:21:26 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:26 pi11.intranet.net automount[1724]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 11 23:21:26 pi11.intranet.net automount[1724]: lookup_nss_read_master: auto.master not found, replacing '.' with '_'
Apr 11 23:21:26 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:26 pi11.intranet.net automount[1724]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 11 23:21:26 pi11.intranet.net automount[1724]: lookup_nss_read_master: no map - continuing to next source
Apr 11 23:21:26 pi11.intranet.net automount[1724]: lookup_nss_read_master: reading master files auto.master
Apr 11 23:21:26 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_master: lookup(file): read entry /misc
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_master: lookup(file): read entry /net
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_nss_read_master: reading master dir /etc/auto.master.d
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_master: lookup(file): read entry +auto.master
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_nss_read_master: reading master sss auto.master
Apr 11 23:21:27 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:27 pi11.intranet.net automount[1724]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_nss_read_master: no map - continuing to next source
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_nss_read_master: reading master files auto.master
Apr 11 23:21:27 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:27 pi11.intranet.net automount[1724]: master_do_mount: mounting /misc
Apr 11 23:21:27 pi11.intranet.net automount[1724]: automount_path_to_fifo: fifo name /run/autofs.fifo-misc
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_nss_read_map: reading map file /etc/auto.misc
Apr 11 23:21:27 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:27 pi11.intranet.net automount[1724]: mounted indirect on /misc with timeout 300, freq 75 seconds
Apr 11 23:21:27 pi11.intranet.net automount[1724]: st_ready: st_ready(): state = 0 path /misc
Apr 11 23:21:27 pi11.intranet.net automount[1724]: master_do_mount: mounting /net
Apr 11 23:21:27 pi11.intranet.net automount[1724]: automount_path_to_fifo: fifo name /run/autofs.fifo-net
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_nss_read_map: reading map hosts (null)
Apr 11 23:21:27 pi11.intranet.net automount[1724]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_map: lookup(hosts): read hosts map
Apr 11 23:21:27 pi11.intranet.net automount[1724]: lookup_read_map: lookup(hosts): map not browsable, update existing host entries only
Apr 11 23:21:27 pi11.intranet.net automount[1724]: do_mount_autofs_indirect: failed to create autofs directory /net
Apr 11 23:21:27 pi11.intranet.net automount[1724]: handle_mounts: mount of /net failed!
Apr 11 23:21:27 pi11.intranet.net automount[1724]: master_do_mount: failed to startup mount
Apr 11 23:21:27 pi11.intranet.net audit[1724]: AVC avc:  denied  { dac_override } for  pid=1724 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability permissive=0
Apr 11 23:21:27 pi11.intranet.net systemd[1]: Started Automounts filesystems on demand.
Apr 11 23:21:27 pi11.intranet.net audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=autofs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

here are logs if /net exists
Apr 11 23:27:48 pi11.intranet.net systemd[1]: Starting Automounts filesystems on demand...
Apr 11 23:27:48 pi11.intranet.net automount[1883]: Starting automounter version 5.1.4-16.fc28, master map auto.master
Apr 11 23:27:48 pi11.intranet.net automount[1883]: using kernel protocol version 5.02
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: reading master sss auto.master
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: auto.master not found, replacing '.' with '_'
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: no map - continuing to next source
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: reading master files auto.master
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_master: lookup(file): read entry /misc
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_master: lookup(file): read entry /net
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: reading master dir /etc/auto.master.d
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_master: lookup(file): read entry +auto.master
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: reading master sss auto.master
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: setautomntent: lookup(sss): setautomntent: No such file or directory
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: no map - continuing to next source
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_master: reading master files auto.master
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: master_do_mount: mounting /misc
Apr 11 23:27:48 pi11.intranet.net automount[1883]: automount_path_to_fifo: fifo name /run/autofs.fifo-misc
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_map: reading map file /etc/auto.misc
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: mounted indirect on /misc with timeout 300, freq 75 seconds
Apr 11 23:27:48 pi11.intranet.net automount[1883]: st_ready: st_ready(): state = 0 path /misc
Apr 11 23:27:48 pi11.intranet.net automount[1883]: master_do_mount: mounting /net
Apr 11 23:27:48 pi11.intranet.net automount[1883]: automount_path_to_fifo: fifo name /run/autofs.fifo-net
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_nss_read_map: reading map hosts (null)
Apr 11 23:27:48 pi11.intranet.net automount[1883]: do_init: parse(sun): init gathered global options: vers=3
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_map: lookup(hosts): read hosts map
Apr 11 23:27:48 pi11.intranet.net automount[1883]: lookup_read_map: lookup(hosts): map not browsable, update existing host entries only
Apr 11 23:27:48 pi11.intranet.net automount[1883]: mounted indirect on /net with timeout 300, freq 75 seconds
Apr 11 23:27:48 pi11.intranet.net automount[1883]: st_ready: st_ready(): state = 0 path /net
Apr 11 23:27:48 pi11.intranet.net systemd[1]: Started Automounts filesystems on demand.
Apr 11 23:27:48 pi11.intranet.net audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=autofs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

then trying to jump into /net/syno01 gives
-bash: cd: syno01: Too many levels of symbolic links

and here are logs:
Apr 11 23:29:13 pi11.intranet.net automount[1883]: handle_packet: type = 3
Apr 11 23:29:13 pi11.intranet.net automount[1883]: handle_packet_missing_indirect: token 80, name syno01, request pid 1300
Apr 11 23:29:13 pi11.intranet.net automount[1883]: attempting to mount entry /net/syno01
Apr 11 23:29:13 pi11.intranet.net automount[1883]: lookup_mount: lookup(hosts): syno01 -> (null)
Apr 11 23:29:13 pi11.intranet.net automount[1883]: get_exports: lookup(hosts): fetchng export list for syno01
Apr 11 23:29:13 pi11.intranet.net systemd[1]: Starting Cleanup of Temporary Directories...
Apr 11 23:29:13 pi11.intranet.net automount[1883]: parse_mount: parse(sun): expanded entry: "/volume1/data" "syno01:/volume1/data"
Apr 11 23:29:13 pi11.intranet.net automount[1883]: parse_mount: parse(sun): gathered options: vers=3
Apr 11 23:29:13 pi11.intranet.net automount[1883]: parse_mount: parse(sun): dequote(""/volume1/data"") -> /volume1/data
Apr 11 23:29:13 pi11.intranet.net automount[1883]: parse_mapent: parse(sun): gathered options: vers=3
Apr 11 23:29:13 pi11.intranet.net automount[1883]: parse_mapent: parse(sun): dequote(""syno01:/volume1/data"") -> syno01:/volume1/data
Apr 11 23:29:13 pi11.intranet.net automount[1883]: update_offset_entry: parse(sun): updated multi-mount offset /volume1/data -> -vers=3 syno01:/volume1/data
Apr 11 23:29:13 pi11.intranet.net automount[1883]: do_mount_autofs_offset: mount offset /net/syno01/volume1/data at /net/syno01
Apr 11 23:29:13 pi11.intranet.net audit[1883]: AVC avc:  denied  { dac_override } for  pid=1883 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability permissive=0
Apr 11 23:29:13 pi11.intranet.net automount[1883]: mount_autofs_offset: can't create mount directory: /net/syno01/volume1/data, Permission denied
Apr 11 23:29:13 pi11.intranet.net automount[1883]: failed to mount offset
Apr 11 23:29:13 pi11.intranet.net automount[1883]: dev_ioctl_send_ready: token = 80
Apr 11 23:29:13 pi11.intranet.net automount[1883]: mounted /net/syno01

finally here are rights for /net
ls -al /net
total 0
drwxr-xr-x.  3 root root   0 Apr 11 23:29 .
dr-xr-xr-x. 19 root root 247 Apr 11 23:26 ..
dr-xr-xr-x.  2 root root   0 Apr 11 23:29 syno01


I also tried to check selinux capabilities
ls -alZ /net
total 0
drwxr-xr-x.  3 root root system_u:object_r:autofs_t:s0   0 Apr 11 23:51 .
dr-xr-xr-x. 19 root root system_u:object_r:root_t:s0   247 Apr 11 23:26 ..
dr-xr-xr-x.  2 root root system_u:object_r:autofs_t:s0   0 Apr 11 23:51 syno01

ps axZ | grep auto
system_u:system_r:automount_t:s0 2294 ?        Ssl    0:02 /usr/sbin/automount -O vers=3 --foreground --dont-check-daemon

Do you think it is normal to have autofs_t on /net and automount_t for the automount process?

Comment 8 Ian Kent 2018-04-11 23:47:37 UTC
(In reply to RENARD from comment #7)
> Ian,
> 
> sorry if I was not clear.

Ha, and it's still not quite clear.

> 
> 1/ if /net does not exist, autofs will not create it if selinux is in
> "enforcing" mode ( it is working when in "permissive" mode)

And I believe that's because / has mode 0555 which results in
the selinux denial which prevents automount from creating the
top level directory if it doesn't already exist. I can't do
anything about that one but ....

> 
> finally here are rights for /net
> ls -al /net
> total 0
> drwxr-xr-x.  3 root root   0 Apr 11 23:29 .
> dr-xr-xr-x. 19 root root 247 Apr 11 23:26 ..
> dr-xr-xr-x.  2 root root   0 Apr 11 23:29 syno01

This is not right.

The change that I did because of this problem was to make
automount use 755 for "every" directory create. I don't
know why this directory doesn't have mode 755, perhaps
there's a umask in effect causing it.

I'll try and duplicate this and see if I can work out
what's going on.

> 
> 
> I also tried to check selinux capabilities
> ls -alZ /net
> total 0
> drwxr-xr-x.  3 root root system_u:object_r:autofs_t:s0   0 Apr 11 23:51 .
> dr-xr-xr-x. 19 root root system_u:object_r:root_t:s0   247 Apr 11 23:26 ..
> dr-xr-xr-x.  2 root root system_u:object_r:autofs_t:s0   0 Apr 11 23:51
> syno01
> 
> ps axZ | grep auto
> system_u:system_r:automount_t:s0 2294 ?        Ssl    0:02
> /usr/sbin/automount -O vers=3 --foreground --dont-check-daemon
> 
> do you think that is normal to have autofs_t on /net and automount_t for
> process automount ?

I don't know, the selinux policy design is a mystery to me.

Comment 9 Ian Kent 2018-04-12 01:54:47 UTC
(In reply to Ian Kent from comment #8)
> (In reply to RENARD from comment #7)
> > 
> > finally here are rights for /net
> > ls -al /net
> > total 0
> > drwxr-xr-x.  3 root root   0 Apr 11 23:29 .
> > dr-xr-xr-x. 19 root root 247 Apr 11 23:26 ..
> > dr-xr-xr-x.  2 root root   0 Apr 11 23:29 syno01
> 
> This is not right.
> 
> The change that I did because of this problem was to make
> automount use 755 for "every" directory create. I don't
> know why this directory doesn't have mode 755, perhaps
> there's a umask in effect causing it.
> 
> I'll try and duplicate this and see if I can work out
> what's going on.

*Sigh*, I see now this is me, the kernel autofs file system
mkdir function ignores the mode parameter and forces mode
0555.

I never paid much attention to that as no-one except the
daemon should be able to create or remove mount point
directories and the daemon runs as root.

I'll build a patched kernel and see if that helps.

If it does, I'll need to post a patch for this and request
back port to stable kernels as well.

Still, I don't think that will help with not being able to
create the top level directory within the root directory
(as it's mode 555 and so requires dac_override, I believe).

Ian

Comment 10 Ian Kent 2018-04-12 09:16:29 UTC
Created attachment 1420761
Patch - autofs - mount point create should honour passed in mode

This kernel patch resolves the problem of automount getting
dac_override denials when creating mount point directories
within the autofs top level mount.

The top level directory of master map entries resides within
a different file system. If the permissions don't include
write access selinux will still issue a dac_override.

A workaround for this is to create the top level mount
point directory before starting autofs.

This is not acceptable for autofs operation and needs to
be changed in the selinux policy.

In the meantime I will forward this patch upstream.
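
The failure chain discussed in comments 7 to 10, as an added triage example (not part of the original thread and not autofs code): it pairs an enforced dac_override AVC denial with the automount mkdir failure from the same pid, and lists the directories without an owner write bit that make the capability check necessary. The function names are hypothetical; the sample lines are copied from comment 7.

```python
import re

# Journal lines copied from comment 7 on this page.
SAMPLE_LOG = """\
Apr 11 23:29:13 pi11.intranet.net automount[1883]: do_mount_autofs_offset: mount offset /net/syno01/volume1/data at /net/syno01
Apr 11 23:29:13 pi11.intranet.net audit[1883]: AVC avc:  denied  { dac_override } for  pid=1883 comm="automount" capability=1  scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability permissive=0
Apr 11 23:29:13 pi11.intranet.net automount[1883]: mount_autofs_offset: can't create mount directory: /net/syno01/volume1/data, Permission denied
"""
# `ls -al /net` output from the same comment.
SAMPLE_LS = """\
drwxr-xr-x.  3 root root   0 Apr 11 23:29 .
dr-xr-xr-x. 19 root root 247 Apr 11 23:26 ..
dr-xr-xr-x.  2 root root   0 Apr 11 23:29 syno01
"""

AVC_RE = re.compile(r"audit\[\d+\]: AVC avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
FAIL_RE = re.compile(r"automount\[(\d+)\]: \w+: can't create mount directory: (\S+), Permission denied")

def parse_avc(line):
    """Return the key=value fields of an AVC denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = (kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in pairs}
    fields["perms"] = m.group(1).split()
    return fields

def correlate(log):
    """Pair each enforced dac_override denial with the mkdir failure of the same pid."""
    findings, pending = [], {}
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc and "dac_override" in avc["perms"] and avc.get("permissive") == "0":
            pending[avc["pid"]] = avc
            continue
        m = FAIL_RE.search(line)
        if m and m.group(1) in pending:
            avc = pending.pop(m.group(1))
            findings.append({"pid": m.group(1), "path": m.group(2),
                             "domain": avc["scontext"].split(":")[2]})
    return findings

def dirs_without_owner_write(ls_output):
    """Directory names whose owner lacks the write bit (mode string like dr-xr-xr-x)."""
    rows = (line.split() for line in ls_output.splitlines())
    return [p[-1] for p in rows if len(p) >= 9 and p[0].startswith("d") and p[0][2] != "w"]
```

On the sample data the denial is tied to `/net/syno01/volume1/data`, and both `..` (the root directory) and `syno01` show up as lacking owner write, matching the two cases Ian Kent distinguishes.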

Comment 11 Justin M. Forbes 2018-07-23 14:57:54 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There are a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 28 kernel bugs.

Fedora 28 has now been rebased to 4.17.7-200.fc28.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.

Comment 12 Justin M. Forbes 2018-08-29 15:06:18 UTC
*********** MASS BUG UPDATE **************
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 5 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously.