Bug 187180

Summary: Init scripts not managing to mount cifs filesystem
Product: [Fedora] Fedora
Reporter: Toby Muhlhofer <toby.m>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
CC: dwalsh, icon, ivazqueznet
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-15 17:41:21 UTC

Description Toby Muhlhofer 2006-03-28 23:23:34 UTC
Description of problem:
In my /etc/fstab I have a line for a cifs filesystem which I want mounted at
boot time. I use the -o credentials=<cred-file> option so I can put my username
and password in a safe place.

When trying to mount the filesystem at boot time, I get the following error:

error 13, unable to open <cred-file>.

Same result if I put a line which manually mounts the filesystem into /etc/rc.local.

Changing the read permissions or location for the file has no effect.

If, when the system is up and running, I mount the filesystem by hand (as root),
it works.

This only happened after my upgrade from fc4 to fc5. Worked fine in fc4.

Version-Release number of selected component (if applicable): initscripts-8.31.1-1

How reproducible:
Always.

Steps to Reproduce:
1. Put a line for a cifs into /etc/fstab or a line mounting a cifs by hand into rc.local, either of which refers to a credentials file.
2. Boot
Actual results:
Fails, saying error 13, can't access credentials file.

Expected results:
Mounts the file system.

Additional info:
I'm filing this under initscripts, but this might be an SELinux issue; not sure.

Comment 1 Ignacio Vazquez-Abrams 2006-03-28 23:26:36 UTC
Do you see any AVC denials in /var/log/audit/audit.log referring to an
appropriate command (e.g., mount)?

Comment 2 Toby Muhlhofer 2006-03-28 23:32:53 UTC
Something like this?

----------------------
type=SYSCALL msg=audit(1143587525.243:20): arch=40000003 syscall=5 success=no exit=-13 a0=8ca0017 a1=8000 a2=1b6 a3=8ca0048 items=1 pid=2369 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587542.871:23): avc:  denied  { read } for  pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no exit=-13 a0=9d96017 a1=8000 a2=1b6 a3=9d96048 items=1 pid=2376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587610.598:26): avc:  denied  { read } for  pid=2403 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

--------------------------------

Sorry for being dumb here: I've never dealt with reading an audit.log.

Comment 3 Ignacio Vazquez-Abrams 2006-03-29 00:18:55 UTC
Definitely a SELinux problem; reassigning.

Comment 4 Konstantin Ryabitsev 2006-03-31 19:34:55 UTC
I don't see this problem -- I have the following entries in my /etc/fstab:

//gdb/test13 /mnt/webtest cifs
credentials=/etc/cifs-webtest,uid=icon,gid=icon,rw 0 0
//blues/wcg /mnt/blues cifs credentials=/etc/cifs-blues,uid=icon,gid=icon,rw 0 0

Both partitions get mounted on boot, however unmounting on reboot doesn't work.
Generally, these are the avc errors I'm seeing:

Mar 31 14:12:09 rakta kernel: avc:  denied  { } for  pid=3616 comm=umount capability=7 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc:  denied  { } for  pid=3616 comm=umount capability=6 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc:  denied  { } for  pid=3616 comm=umount.cifs name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t tclass=filesystem

Anything I can help troubleshoot? Reboots are a bit of a mess at the moment. :)

Comment 5 Konstantin Ryabitsev 2006-03-31 19:42:55 UTC
Sorry, seaudit seems to have mangled the output a bit. Here are the raw entries
from /var/log/messages:

Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc:  denied  { setuid } for  pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc:  denied  { setgid } for  pid=3617 comm="umount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc:  denied  { getattr } for  pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem

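The denials pasted in Comment 2 (audit.log form, with paired type=SYSCALL and type=AVC records) and Comment 5 (kernel syslog form) carry the same three facts a policy maintainer needs: the source type, the target type, and the class/permission that was refused. The following parser is an added example for this page, not code from the bug or from the selinux-policy project; it reduces a log excerpt to a per-(source type, target type, class, permissions) count and pairs each AVC with the SYSCALL record sharing its audit serial, so the failing exit code (here -13, EACCES) and executable can be read off together. The sample records are constructed to mirror the excerpts above and are embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample covering the two record shapes seen in this bug:
# the audit.log form (type=SYSCALL / type=AVC, as in Comment 2) and the
# kernel syslog form (as in Comment 5). Values mirror those excerpts.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no exit=-13 a0=9d96017 a1=8000 a2=1b6 a3=9d96048 items=1 pid=2376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587542.871:23): avc:  denied  { read } for  pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc:  denied  { setuid } for  pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc:  denied  { getattr } for  pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem
"""

# "avc:  denied  { read write } for  key=value ..." in either record shape.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either "quoted" or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit(<timestamp>:<serial>) links the AVC to its SYSCALL record.
SERIAL_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": tuple(m.group("perms").split())}
    rec.update(_kv(m.group("rest")))
    s = SERIAL_RE.search(line)
    rec["serial"] = s.group("serial") if s else None
    # A context is user:role:type[:level]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def parse_syscall(line):
    """Return the key=value fields of a type=SYSCALL record, or None."""
    if "type=SYSCALL" not in line:
        return None
    rec = _kv(line)
    s = SERIAL_RE.search(line)
    rec["serial"] = s.group("serial") if s else None
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], rec["perms"])
            counts[key] += 1
    return dict(counts)


def correlate(log_text):
    """Pair each AVC with the SYSCALL record sharing its audit serial."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            by_serial[avc["serial"]]["avc"] = avc
            continue
        sc = parse_syscall(line)
        if sc:
            by_serial[sc["serial"]]["syscall"] = sc
    return dict(by_serial)


def describe(rec):
    """One-line human summary of a parsed AVC record."""
    perms = " ".join(rec["perms"]) or "?"
    return (f"{rec['scontext_type']} denied {perms} on {rec['tclass']} "
            f"labeled {rec['tcontext_type']} (comm={rec.get('comm', '?')})")


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
    for serial, parts in correlate(SAMPLE_LOG).items():
        if "avc" in parts:
            sc = parts.get("syscall", {})
            print(serial, describe(parts["avc"]), "exit=" + sc.get("exit", "n/a"))
```

Run against the excerpts in this bug, the summary collapses to three distinct (source, target, class, permission) tuples, and the serial pairing shows that the read denial on the file labeled usr_t is the one behind mount.cifs's open() returning -13. Grouping by type rather than by full context is deliberate: the allow rules and booleans in the policy (such as the one named in Comment 11) are written in terms of types, so that is the granularity at which a denial is understood and fixed.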
Comment 6 Toby Muhlhofer 2006-03-31 21:10:29 UTC
Konstantin, it looks like I also have the same problem on shutdown when trying to umount
the cifs system as you do (in addition to the mounting problem). Umounting it as
root before shutting down again resolves this, but again this is not something
that can be done by an init script in any way, as SELinux won't let it.

Comment 7 Mike 2006-04-27 18:09:17 UTC
After today's update these messages are gone:

: Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc:  denied  { setuid }
: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc:  denied  { setgid }

This one is left:

: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc:  denied  { getattr }


Comment 8 Daniel Walsh 2006-05-01 20:08:24 UTC
That is strange since that fix is also in the update.  Could you paste in the
exact message you are seeing?



Comment 9 Mike 2006-05-04 20:05:44 UTC
I'm mounting filesystems from fstab in a home directory.
Ext3, fat32 work fine.

All mountpoints are:
$ getfattr -m. -d /home/mike/storage
security.selinux="system_u:object_r:mnt_t:s0\000"

But for cifs I got:

audit(1146773144.833:2): avc:  denied  { getattr } for  pid=1470 comm="mount.cifs" name="mike" dev=hda5 ino=893376 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

Yes, I can mount it in /mnt without a warning.
Looks like parent dir must be "mnt_t" for cifs.


Comment 10 Mike 2006-05-06 12:53:12 UTC
: Looks like parent dir must be "mnt_t" for cifs.
This doesn't help.


Comment 11 Daniel Walsh 2006-05-09 19:31:47 UTC
Fixed in selinux-policy-2.2.38-1.FC5.

You need to turn on the boolean

setsebool -P allow_mount_anyfile=1


Comment 12 Mike 2006-05-15 17:02:28 UTC
Problem fixed.

Where can I read more about "allow_mount_anyfile"?
Google lacks results.


Comment 13 Daniel Walsh 2006-05-15 17:41:21 UTC
Nowhere; it was just added.  We are hoping to add more docs on booleans and even
better make the tools smart enough to suggest turning on a boolean to allow a
certain access.