Bug 212674

Summary: Fedora is unable to mount /var/log after install
Product: [Fedora] Fedora
Reporter: Stephen John Smoogen <smooge>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: notting, rstrode, turchi
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2006-11-28 20:52:43 UTC

Description Stephen John Smoogen 2006-10-27 22:26:48 UTC
Description of problem:

During booting of FC6, we create a separate /var/log/ partition for limits on
audit growth. After rebooting, FC6 complained that it could not mount volgroup03
and tried to mount it read-only. It could not do this either and various other
programs failed to start running (psacct) because their sub-directories were not
available. Was able to get system to boot by turning selinux off. Changed it
temporarily to just complain.

Complaints are:

SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
audit(1161986094.677:3): avc:  denied  { execute } for  pid=1227 comm="bash"
name="bash" dev=dm-0 ino=463972 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
ACPI: Power Button (FF) [PWRF]
ACPI: Power Button (CM) [VBTN]
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.4 loaded
EXT3 FS on dm-0, internal journal
audit(1161986103.613:4): avc:  denied  { mounton } for  pid=1357 comm="mount"
name="log" dev=dm-0 ino=1507330 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=dir

[The first one I don't know where it is yet. The second is when it is trying to
mount other sub-directories.]


Version-Release number of selected component (if applicable):

initscripts-8.45.3-1

How reproducible:

100% [Did 2 installs of FC6]

Steps to Reproduce:
1. Install FC6
2. Create a /var/log partition
3. Watch it fail to mount

Comment 1 Stephen John Smoogen 2006-10-27 22:35:56 UTC
[root@glasya ~]# audit2allow -d
allow mount_t var_log_t:dir mounton;
allow rhgb_t usr_t:file execute;

I forgot to add that.


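As an added illustration (not part of the bug report, and not the code of audit2allow itself): a small Python parser that reads the AVC lines quoted in the description, extracts the source type, target type, object class and permission from each `denied` record, and produces the same `allow` rules that `audit2allow -d` printed in Comment 1. The sample input is constructed from the two denials in the description, re-joined onto single lines as they appear in a real log; the field names (`scontext`, `tcontext`, `tclass`, `comm`, `pid`) are those of the AVC record format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two AVC denials from the bug description, each
# re-joined onto a single line (dmesg does not wrap them), plus some of the
# unrelated kernel messages that surrounded them.
SAMPLE_DMESG = """\
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
audit(1161986094.677:3): avc:  denied  { execute } for  pid=1227 comm="bash" name="bash" dev=dm-0 ino=463972 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
NET: Registered protocol family 10
EXT3 FS on dm-0, internal journal
audit(1161986103.613:4): avc:  denied  { mounton } for  pid=1357 comm="mount" name="log" dev=dm-0 ino=1507330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),   # a record may list several permissions
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'name': fields.get('name'),
    }


def context_type(ctx: str) -> str:
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def allow_rules(text: str) -> List[str]:
    """Turn every denial in `text` into a type-enforcement allow rule.

    This mirrors what `audit2allow -d` prints: one rule per distinct
    (source type, target type, class, permission), in log order, duplicates removed.
    """
    rules: List[str] = []
    seen = set()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc['verdict'] != 'denied':
            continue
        src = context_type(avc['scontext'])
        tgt = context_type(avc['tcontext'])
        for perm in avc['perms']:
            key = (src, tgt, avc['tclass'], perm)
            if key in seen:
                continue
            seen.add(key)
            rules.append(f"allow {src} {tgt}:{avc['tclass']} {perm};")
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_DMESG):
        print(rule)
```

The output is a transcript of what was denied, not a judgement about whether the access should be allowed: the `mount_t` rule is a genuine policy gap (Comment 2), whereas the `rhgb_t` rule would paper over a bug in rhgb that Comment 3 says is being removed, so each generated rule still has to be read against what the denied process was actually doing.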
Comment 2 Bill Nottingham 2006-10-28 03:05:09 UTC
This looks like it should be allowed by policy - reassigning. 

The rhgb one is odd, though - why is it trying to execute bash?

Comment 3 Ray Strode [halfline] 2006-10-29 06:26:15 UTC
the rhgb code is some loony thing I came up with and regretted later.

There should be an rhgb in testing soon that will drop that (and fix other issues).