Bug 238871
Summary: | SE-Linux prevents loopback mounting of a jffs2 image in permissive mode | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John (J5) Palmieri <johnp> |
Component: | kernel | Assignee: | Eric Paris <eparis> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6 | CC: | dwalsh, eparis, jkeck, kmacmill, sdsmall |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | F8 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-11-09 15:49:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
John (J5) Palmieri
2007-05-03 15:49:58 UTC
Any AVC or other selinux messages in /var/log/messages or /var/log/audit/audit.log? From /var/log/messages (audit.log doesn't log anything relevant) May 4 14:25:30 localhost kernel: block2mtd: mtd0: [d: /dev/loop0] erase_size = 128KiB [131072] May 4 14:25:30 localhost kernel: block2mtd: version $Revision: 1.30 $ May 4 14:25:30 localhost kernel: block2mtd: Overrun end of disk in cache readahead May 4 14:25:30 localhost kernel: May 4 14:25:30 localhost kernel: block2mtd: Overrun end of disk in cache readahead May 4 14:25:30 localhost kernel: May 4 14:25:30 localhost kernel: block2mtd: Overrun end of disk in cache readahead May 4 14:25:30 localhost kernel: May 4 14:25:36 localhost kernel: JFFS2 version 2.2. (NAND) (SUMMARY) (C) 2001-2006 Red Hat, Inc. May 4 14:25:51 localhost kernel: SELinux: (dev jffs2, type jffs2) has no xattr support Note the line modprobe blockmtd should read modprobe mtdblock I get an error earlier on RHEL 5 - the command "modprobe block2mtd block2mtd=/dev/loop0,128ki" seems to fail and dmesg shows: block2mtd: error: cannot open device dev/loop0 block2mtd: version $Revision: 1.30 $ I also get the denial: #============= mount_t ============== # src="mount_t" tgt="unlabeled_t" class="filesystem", perms="mount" # comm="mount" exe="" path="" allow mount_t unlabeled_t:filesystem mount; jffs2 now supports xattrs, so the policy is configured to expect them to be enabled. JFFS2_FS_XATTR=y JFFS2_FS_SECURITY=y But shouldn't it just work in Permissive mode? Permissive mode was only intended to address permission denials, not all classes of errors. This is a mismatch between the policy configuration for filesystem labeling behavior for jffs2 and kernel configuration. As a result, we can't even determine a security label for the root inode of the filesystem at mount time. We could leave it unlabeled and allow the mount to proceed, in which case it would show up as unlabeled_t accesses upon subsequent access, but it seems preferable to catch it early. Things like setroubleshoot or audit2allow wouldn't catch or recognize the original issue, as it isn't an avc denial. Ok so this is a bug in the way the kernel is being built? So I am reassigning to kernel and eparis. F7 and F8 have these set. closing as current release. |