Bug 468331
Summary: | "service netfs restart" causes errors and denials when "/etc/fstab" has context mounts | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Murray McAllister <mmcallis>
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl>
Severity: | medium | Priority: | medium
Version: | rawhide | CC: | vdanen
Hardware: | All | OS: | Linux
Doc Type: | Bug Fix | Last Closed: | 2008-10-24 12:42:25 UTC

Fixed in selinux-policy-3.5.13-7.fc10

Created attachment 321374: tests and denials

Description of problem:

The "service netfs restart" command fails if "/etc/fstab" has context mounts. Context mounts specified in "/etc/fstab" fail to mount.

Version-Release number of selected component (if applicable):

    initscripts-8.84-1.i386
    rpcbind-0.1.6-2.fc10.i386
    nfs-utils-lib-1.1.4-1.fc10.i386
    nfs-utils-1.1.4-1.fc10.i386
    policycoreutils-2.0.57-4.fc10.i386
    libselinux-python-2.0.73-1.fc10.i386
    libselinux-2.0.73-1.fc10.i386
    libselinux-utils-2.0.73-1.fc10.i386
    selinux-policy-targeted-3.5.13-4.fc10.noarch
    selinux-policy-3.5.13-4.fc10.noarch

How reproducible:

Always.

Steps to Reproduce:

1. See attached.

Actual results:

    # service netfs restart
    Mounting NFS filesystems:
    mount.nfs: access denied by server while mounting localhost:/export/web
    mount.nfs: access denied by server while mounting localhost:/export/database

Denials logged to /var/log/messages:

    setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" httpd_sys_content_t. For complete SELinux messages. run sealert -l 178f3a75-e83c-4ead-b57d-38efe1f49db5
    setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" mysqld_db_t. For complete SELinux messages. run sealert -l 667d2aec-83ad-4af5-b858-4d46ecc96e8a

Expected results:

No errors and file systems mount.

Additional info:

Works as expected on:

    Red Hat Enterprise Linux Client release 5.2 (Tikanga)
    initscripts-8.45.19.1.EL-1
    portmap-4.0-65.2.2.1
    nfs-utils-lib-1.0.8-7.2.z2
    nfs-utils-1.0.9-35z.el5_2
    policycoreutils-1.33.12-14.el5
    libselinux-devel-1.33.4-5.el5
    libselinux-python-1.33.4-5.el5
    libselinux-1.33.4-5.el5
    selinux-policy-targeted-2.4.6-137.1.el5_2
    selinux-policy-2.4.6-137.1.el5_2

audit2allow suggested:

    module testpolicy 1.0;

    require {
            type mysqld_db_t;
            type httpd_sys_content_t;
            type mount_t;
            class filesystem relabelfrom;
    }

    #============= mount_t ==============
    allow mount_t httpd_sys_content_t:filesystem relabelfrom;
    allow mount_t mysqld_db_t:filesystem relabelfrom;
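
Added example, not part of the original report or of the selinux-policy project: a triage helper that pairs setroubleshoot denials of the shape quoted above with the fstab entries whose labeling option names the denied type. The fstab lines and mount points are constructed (the real entries are in the attachment, which this page does not show), and the helper also recognizes `fscontext=`, `defcontext=` and `rootcontext=`, which goes beyond the `context=` case in the report.

```python
import re

# Constructed sample fstab: the report's real entries are in its attachment, not on
# this page. Devices and SELinux types are from the report; mount points are made up.
FSTAB = """\
localhost:/export/web       /mnt/web    nfs  context="system_u:object_r:httpd_sys_content_t:s0"  0 0
localhost:/export/database  /mnt/db     nfs  ro,context="system_u:object_r:mysqld_db_t:s0"  0 0
localhost:/export/plain     /mnt/plain  nfs  defaults  0 0
"""

# setroubleshoot summary lines in the shape quoted in the report (sealert IDs trimmed).
MESSAGES = """\
setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" httpd_sys_content_t. For complete SELinux messages. run sealert -l <id>
setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" mysqld_db_t. For complete SELinux messages. run sealert -l <id>
"""

CONTEXT_OPTS = ("context", "fscontext", "defcontext", "rootcontext")
DENIAL_RE = re.compile(r'SELinux is preventing (\S+) \((\w+)\) "(\w+)" (\w+)\.')

def context_mounts(fstab_text):
    """Yield (device, mountpoint, option, selinux_type) for each labeling mount option."""
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        device, mountpoint, _fstype, options = fields[:4]
        for opt in options.split(","):
            key, _, value = opt.partition("=")
            if key in CONTEXT_OPTS:
                parts = value.strip('"').split(":")  # user:role:type[:level]
                if len(parts) >= 3:
                    yield device, mountpoint, key, parts[2]

def denials(log_text):
    """Return a set of (command, source_domain, permission, target_type) tuples."""
    return set(DENIAL_RE.findall(log_text))

def correlate(fstab_text, log_text):
    """List fstab context mounts whose type is the target of a logged denial."""
    denied = {}
    for comm, domain, perm, ttype in denials(log_text):
        denied.setdefault(ttype, []).append((comm, domain, perm))
    return [(dev, mnt, setype, hit)
            for dev, mnt, _opt, setype in context_mounts(fstab_text)
            for hit in sorted(denied.get(setype, []))]

if __name__ == "__main__":
    for dev, mnt, setype, (comm, domain, perm) in correlate(FSTAB, MESSAGES):
        print(f"{dev} on {mnt}: {comm} ({domain}) denied {perm} on {setype}")
```

An entry that shows up here ties a denial to a specific mount, which helps decide whether the right fix is a policy update (as in this bug) rather than a local module built from audit2allow output.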