Bug 185083

Summary: 'mount' command requires selinux rules to mount an iso
Product: [Fedora] Fedora Reporter: Prarit Bhargava <prarit>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED DUPLICATE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dtimms
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-03-12 16:43:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 163350    
Attachments:
Description Flags
/var/log/messages audit denieds for iso and disk mounts
none
/etc/fstab for attempted boot mounts
none
# mount result none

Description Prarit Bhargava 2006-03-10 14:18:58 UTC 
Description of problem: 
 
'mount' command requires selinux rules to mount an iso.  I'm surprised that 
such a normal command would require me to set up a rule... 
 
Version-Release number of selected component (if applicable): 
util-linux-2.13-0.16 
 
How reproducible: 100% 
 
 
Steps to Reproduce: 
1. mount -oloop boot.iso mntdir 
 
   
Actual results: 
 
The following is displayed on the screen. 
 
audit(1141818037.016:6): avc:  denied  { read write } for  pid=14280 
comm="mount" name="boot.img" dev=dm-0 ino=2719747 
scontext=root:system_r:mount_t:s0-s0:c0.c255 
tcontext=root:object_r:home_root_t:s0 tclass=file 
boot.img: Permission denied 
 
Expected results: 
 
The command should succeed. 
 
Additional info: I'm not sure if this is an selinux issue or a utils-linux 
issue.
Comment 1 David Timms 2006-03-11 04:21:49 UTC 
Created attachment 125980 [details]
/var/log/messages audit denieds for iso and disk mounts

Repeatable on my machine-except that the mount works and is accessible if done
manually after boot, but not when in /etc/fstab

-just realized these first parts are with se=permissive
======= se=permissive
# rpm -qa|grep -E 'kernel|util-linux|mount'|sort
gnome-mount-0.4-5
kernel-2.6.15-1.2032_FC5
kernel-2.6.15-1.2039_FC5
util-linux-2.13-0.17
xorg-x11-drv-penmount-1.0.0.5-1.2

# ls -l /home/install/software/linux/fedora/core/5
total 3220748
drwxr-xr-x 2 davidt davidt	 4096 Feb 11 22:32 disc
-rw-r--r-- 1 davidt davidt 3215806464 Feb 22 21:57 FC-5-Test3-i386-DVD.iso
-rw-r--r-- 1 davidt davidt   78987264 Feb 22 21:57 FC-5-Test3-i386-rescuecd.iso


# mount -o loop
/home/install/software/linux/fedora/core/5/FC-5-Test3-i386-DVD.iso
/home/install/software/linux/fedora/core/5/disc
/\ succeeds, and the iso is mounted and accessible through nautilus, but

# tail -f /var/log/messages
...
Mar 11 13:53:13 davidtdesktop kernel: audit(1142045593.122:35): avc:  denied  {
read write } for  pid=3158 comm="mount" name="FC-5-Test3-i386-DVD.iso" dev=dm-1
ino=12615715 scontext=user_u:system_r:mount_t:s0-s0:c0.c255
tcontext=system_u:object_r:user_home_t:s0 tclass=file
Mar 11 13:53:13 davidtdesktop kernel: audit(1142045593.126:36): avc:  denied  {
mounton } for  pid=3158 comm="mount" name="disc" dev=dm-1 ino=12615685
scontext=user_u:system_r:mount_t:s0-s0:c0.c255
tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Mar 11 13:53:13 davidtdesktop kernel: SELinux: initialized (dev loop0, type
iso9660), uses genfs_contexts
Mar 11 13:53:13 davidtdesktop kernel: audit(1142045593.126:37): avc:  denied  {
search } for  pid=2025 comm="hald" name="software" dev=dm-1 ino=8716410
scontext=system_u:system_r:hald_t:s0 tcontext=user_u:object_r:user_home_t:s0
tclass=dir
...
Mar 11 14:03:25 davidtdesktop kernel: audit(1142046205.207:39): avc:  denied  {
getattr } for  pid=3368 comm="mount" name="FC-5-Test3-i386-DVD.iso" dev=dm-1
ino=12615715 scontext=user_u:system_r:mount_t:s0-s0:c0.c255
tcontext=system_u:object_r:user_home_t:s0 tclass=file
Mar 11 14:03:25 davidtdesktop kernel: SELinux: initialized (dev loop0, type
iso9660), uses genfs_contexts

======= se=enforcing
I notice a lot of boot denied messages as my 8 drives on another disk are not
mounted. I don't know now when I last had selinux enforcing ;~)

# mount /home/install/software/linux/fedora/core/5/FC-5-Test3-i386-DVD.iso
/home/install/software/linux/fedora/core/5/FC-5-Test3-i386-DVD.iso: Permission
denied

# mount /dev/hdd8 8
mount: block device /dev/hdd8 is write-protected, mounting read-only
mount: cannot mount block device /dev/hdd8 read-only
[root@davidthome old]# mount /dev/hdd5 5
mount: block device /dev/hdd5 is write-protected, mounting read-only
mount: cannot mount block device /dev/hdd5 read-only
Comment 2 David Timms 2006-03-11 04:23:06 UTC 
Created attachment 125981 [details]
/etc/fstab for attempted boot mounts
Comment 3 David Timms 2006-03-11 04:29:39 UTC 
Created attachment 125982 [details]
# mount result

Some drives: (perhaps ones that were present during installation - and manually
slected in anaconda / partition selection) still mount OK, but items manually
added to /etc/fstab are no longer being allowed to boot.
Comment 4 David Timms 2006-03-11 04:40:11 UTC 
 no longer being allowed to boot.
doh! I meant mount.
Comment 5 Karel Zak 2006-03-12 16:43:40 UTC 

*** This bug has been marked as a duplicate of 184067 ***