Bug 187180
Summary: | Init scripts not managing to mount cifs filesystem | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Toby Muhlhofer <toby.m> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 5 | CC: | dwalsh, icon, ivazqueznet |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | Update | Doc Type: | Bug Fix |
Last Closed: | 2006-05-15 17:41:21 UTC | Type: | --- |
Description
Toby Muhlhofer
2006-03-28 23:23:34 UTC
Do you see any AVC denials in /var/log/audit/audit.log referring to an appropriate command (e.g., mount)?

Something like this?

----------------------
type=SYSCALL msg=audit(1143587525.243:20): arch=40000003 syscall=5 success=no exit=-13 a0=8ca0017 a1=8000 a2=1b6 a3=8ca0048 items=1 pid=2369 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587542.871:23): avc: denied { read } for pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no exit=-13 a0=9d96017 a1=8000 a2=1b6 a3=9d96048 items=1 pid=2376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587610.598:26): avc: denied { read } for pid=2403 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
--------------------------------

Sorry for being dumb here: never dealt with reading an audit.log.

Definitely a SELinux problem; reassigning.

I don't see this problem -- I have the following entries in my /etc/fstab:

//gdb/test13 /mnt/webtest cifs credentials=/etc/cifs-webtest,uid=icon,gid=icon,rw 0 0
//blues/wcg /mnt/blues cifs credentials=/etc/cifs-blues,uid=icon,gid=icon,rw 0 0

Both partitions get mounted on boot, however unmounting on reboot doesn't work.
Generally, these are the avc errors I'm seeing:

Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount capability=7 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount capability=6 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount.cifs name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t tclass=filesystem

Anything I can help troubleshoot? Reboots are a bit of a mess at the moment. :)

Sorry, seaudit seems to have mangled the output a bit. Here are the raw entries from /var/log/messages:

Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc: denied { setuid } for pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc: denied { setgid } for pid=3617 comm="umount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc: denied { getattr } for pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem

Konstantin, looks like I also have the same problem on shutdown when trying to umount the cifs system as you do (in addition to the mounting problem). Umounting it as root before shutting down again resolves this, but again this is not something that can be done by an init script in any way, as SELinux won't let it.
After today's update these messages are gone:

: Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc: denied { setuid }
: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc: denied { setgid }

This one is left:

: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc: denied { getattr }

That is strange since that fix is also in the update. Could you paste in the exact message you are seeing?

I'm mounting filesystems from fstab in a home directory. Ext3, fat32 works fine. All mountpoints are:

$ getfattr -m. -d /home/mike/storage
security.selinux="system_u:object_r:mnt_t:s0\000"

But for cifs I got:

audit(1146773144.833:2): avc: denied { getattr } for pid=1470 comm="mount.cifs" name="mike" dev=hda5 ino=893376 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

Yes, I can mount it in /mnt without a warning. Looks like parent dir must be "mnt_t" for cifs.

: Looks like parent dir must be "mnt_t" for cifs.

This doesn't help.

Fixed in selinux-policy-2.2.38-1.FC5. You need to turn on the boolean:

setsebool -P allow_mount_anyfile=1

Problem fixed. Where can I read more about "allow_mount_anyfile"? Google lacks results.

Nowhere, it was just added. We are hoping to add more docs on booleans and, even better, make the tools smart enough to suggest turning on a boolean to allow a certain access.
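As an added example (not part of the original bug thread), the Python below parses AVC denial records like those pasted in the comments, in both the audit.log and kernel syslog forms, and groups them by source domain, target type and object class. The sample records are copied from the comments above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Records copied from the comments above (incl. a SYSCALL and a seaudit-mangled line).
SAMPLE = '''\
type=AVC msg=audit(1143587542.871:23): avc: denied { read } for pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no exit=-13 a0=9d96017 a1=8000 a2=1b6 a3=9d96048 items=1 pid=2376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc: denied { setuid } for pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc: denied { setgid } for pid=3617 comm="umount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc: denied { getattr } for pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem
Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount capability=7 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
audit(1146773144.833:2): avc: denied { getattr } for pid=1470 comm="mount.cifs" name="mike" dev=hda5 ino=893376 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def type_of(context):
    parts = context.split(':')  # user:role:type[:level]
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['fields'])}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m['perms'].split(),  # empty when a tool stripped the braces
        'comm': fields.get('comm'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def summarize(text):
    """Group denials by (source type, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        groups[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Every denial in the thread has `mount_t` as its source domain; the target types (`usr_t`, `cifs_t`, `user_home_dir_t`) show which objects the policy did not yet let `mount_t` touch.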