Bug 465276
| Field | Value |
|---|---|
| Summary | Some block devices turn out to be read-only leading to read-only filesystems |
| Product | Fedora |
| Component | initscripts |
| Status | CLOSED NOTABUG |
| Severity | high |
| Priority | medium |
| Version | 9 |
| Hardware | All |
| OS | Linux |
| Reporter | QingLong <qinglong> |
| Assignee | Bill Nottingham <notting> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, notting, rvokal |
| Doc Type | Bug Fix |
| Last Closed | 2008-10-08 21:57:08 UTC |
Description
QingLong
2008-10-02 14:50:16 UTC
Without more information, it's going to be hard to attack this. Do you have error messages that show when they were mounted read-only the first time?

It looks like the problem is linked to selinux; there are messages in logs like

    type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Nevertheless I think it also concerns initscripts, as a subsequent manual `mount -a` does (re)mount the filesystems correctly.

CC'ing policy maintainer.

Have you done a full relabel?

Yes, I had done a full relabel. I've already contacted the Fedora selinux mailing list; by now I can conclude:

1. The reason for the problem is incorrectly labeled mount points, i.e. this is a consequence of a bug in the Fedora installation scripts. A relabel won't cure it, as by the time a manually initiated full relabel runs all filesystems are already mounted, masking the underlying mount points.
2. OTOH initscripts should be able to handle such situations similarly to (or within) the full relabel performed on demand during startup.
3. A temporary workaround is: setsebool -P allow_mount_anyfile 1
4. The problem is not so straightforward, as some incorrectly labeled mount points are silently allowed to be used without even a warning. E.g. I had fixed all mount point labels but /var/lock; on the next boot ALL filesystems were mounted successfully and not a single message was issued concerning the /var/lock label.
5. It looks like this problem concerns restorecond as well.

initscripts can't reasonably parse any and all -EPERM on mount to attempt to guess what the label is, and what it should be to allow mount.

mount run by a user runs as unconfined, while mount run by initscripts is confined to be able to mount on files/directories defined in policy.

You have two choices: you can either execute the boolean listed above or use audit2allow to build custom policy to allow mount to mounton /var/lock

    # grep mount /var/log/audit/audit.log | audit2allow -M mymount
    # semodule -i mymount.pp
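The thread above settles on two blanket fixes (the `allow_mount_anyfile` boolean, or an audit2allow module built from every line matching `mount`). Before reaching for either, a practitioner usually wants to know exactly which mount points the confined `mount_t` domain was refused on and what label each one carried, since a mislabeled mount point is fixed by relabeling it (while unmounted, as the reporter notes), not by widening policy. The script below is an added example written for this page, not code from the bug report or from initscripts: it parses AVC records in the format quoted above and prints, for each `mounton` denial by `mount_t`, the path, source type, target type and object class. The audit text is constructed inline: the first record is the one quoted in the thread; the other two are made up for illustration (a non-mounton denial that must be ignored, and a second hypothetical mount point `/var/lib/mydata` labeled `var_lib_t`) and do not come from the page.

```shell
#!/bin/sh
# Added example (not from the bug report): list SELinux "mounton" denials
# hit by the confined mount_t domain, so mislabeled mount points can be
# identified individually instead of being papered over with a boolean.

# Constructed sample audit text. Record 1 is the one quoted in the thread;
# records 2 and 3 are hypothetical and only illustrate filtering.
SAMPLE_AUDIT='type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1222921981.100:9): avc: denied { getattr } for pid=1900 comm="ls" name="foo" dev=sda1 ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=1400 audit(1222921982.500:10): avc: denied { mounton } for pid=1888 comm="mount" path="/var/lib/mydata" dev=md13 ino=125990 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# mounton_denials: read audit records on stdin, print one line per
# "mounton" denial whose source domain is mount_t:
#   <path> <source type> <target type> <tclass>
# Paths containing spaces are not handled (audit quotes them, but field
# splitting here is whitespace-based); this mirrors typical mount points.
mounton_denials() {
    awk '
        index($0, "avc:") == 0 || index($0, "denied") == 0 { next }
        {
            # permission set sits between "{" and "}"; index() avoids
            # relying on how a given awk treats braces in regexes
            lb = index($0, "{"); rb = index($0, "}")
            if (lb == 0 || rb <= lb) next
            perm = substr($0, lb + 1, rb - lb - 1)
            gsub(/^ +| +$/, "", perm)
            if (perm != "mounton") next

            path = ""; sctx = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "path=") == 1)     { path = substr($i, 6); gsub(/"/, "", path) }
                if (index($i, "scontext=") == 1) { sctx = substr($i, 10) }
                if (index($i, "tcontext=") == 1) { tctx = substr($i, 10) }
                if (index($i, "tclass=") == 1)   { tclass = substr($i, 8) }
            }
            # contexts are user:role:type:level; we only want the type field
            n = split(sctx, s, ":"); m = split(tctx, t, ":")
            if (n < 3 || m < 3 || s[3] != "mount_t") next
            print path, s[3], t[3], tclass
        }'
}

# Demo on the constructed sample. On a real system you would instead run:
#   grep avc /var/log/audit/audit.log | mounton_denials
printf '%s\n' "$SAMPLE_AUDIT" | mounton_denials
```

The output names the target type of each refused mount point; comparing that against what the policy expects for the path (`matchpathcon /var/spool` on a Fedora host) tells you whether the directory itself is mislabeled and should be relabeled after unmounting, or whether policy genuinely lacks a `mounton` rule for that type, which is the only case where the audit2allow module from the thread is the right answer.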