Bug 636683
| Summary: | unable to mount gfs2 filesystems that exist in fstab with selinux on | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Corey Marthaler <cmarthal> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.0 | CC: | ccaulfie, cluster-maint, dgeevarg, jha, lhh, mmalik, rpeterso, sbradley, snagar, swhiteho, teigland |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-57.el6 | Doc Type: | Bug Fix |
| Doc Text: | When SELinux was enabled, users were unable to mount GFS2 file systems listed in /etc/fstab. With this update, SELinux rules have been added to allow the mount process to communicate with gfs_controld, so that such file systems can now be mounted as expected. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-19 11:55:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 642609, 645519 | ||
Miroslav add

```
optional_policy(`
	rhcs_stream_connect_gfs_controld(mount_t)
')
```

Fixed in selinux-policy-3.7.19-57.el6.

Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
When SELinux was enabled, users were unable to mount GFS2 file systems listed in /etc/fstab. With this update, SELinux rules have been added to allow the mount process to communicate with gfs_controld, so that such file systems can now be mounted as expected.

```
[root@dash-02 ~]# grep gfs2 /etc/fstab
/dev/dash/dash0 /mnt/dash0 gfs2 defaults 0 0
[root@dash-02 ~]# service gfs2 start
Mounting GFS2 filesystem (/mnt/dash0): [ OK ]
[root@dash-02 ~]# mount -t gfs2
/dev/mapper/dash-dash0 on /mnt/dash0 type gfs2 (rw,seclabel,relatime,hostdata=jid=0)
[root@dash-02 ~]# service gfs2 stop
Unmounting GFS2 filesystem (/mnt/dash0): [ OK ]
[root@dash-02 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-78.el6.noarch
```

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

Description of problem:

```
[root@taft-01 ~]# service gfs2 start
Mounting GFS2 filesystem (/mnt/gfsA): gfs_controld join connect error: Permission denied
error mounting lockproto lock_dlm
[FAILED]
Mounting GFS2 filesystem (/mnt/gfsB): gfs_controld join connect error: Permission denied
error mounting lockproto lock_dlm
[FAILED]

type=AVC msg=audit(1285191620.106:26): avc: denied { connectto } for pid=2343 comm="mount.gfs2" path=00676673635F736F636B scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:system_r:gfs_controld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1285191620.106:26): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff93d24960 a2=c a3=7fff93d24963 items=0 ppid=2342 pid=2343 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount.gfs2" exe="/sbin/mount.gfs2" subj=unconfined_u:system_r:mount_t:s0 key=(null)
```

Version-Release number of selected component (if applicable): 2.6.32-71.el6.x86_64

How reproducible: Every time
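
The AVC record in the description can be triaged mechanically. The following is an added example, not part of the original report or of the selinux-policy project: it parses that record, decodes the hex-encoded `path` field (a leading NUL byte marks an abstract-namespace UNIX socket) and prints the raw type-enforcement rule the denial corresponds to. The function names are hypothetical; the fix on this page grants the access through the `rhcs_stream_connect_gfs_controld(mount_t)` interface rather than a raw rule.

```python
import re

# Sample input: the AVC record quoted in the description on this page.
AVC_LINE = (
    'type=AVC msg=audit(1285191620.106:26): avc: denied { connectto } for '
    'pid=2343 comm="mount.gfs2" path=00676673635F736F636B '
    'scontext=unconfined_u:system_r:mount_t:s0 '
    'tcontext=unconfined_u:system_r:gfs_controld_t:s0 '
    'tclass=unix_stream_socket'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Only these fields may be hex-encoded; numeric fields such as pid must not be decoded.
STRING_FIELDS = {'path', 'comm', 'exe', 'name'}

def decode_audit_value(value):
    """auditd quotes plain strings and hex-encodes strings that contain
    bytes it cannot print safely (here, the leading NUL)."""
    if value.startswith('"'):
        return value.strip('"')
    if not re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return value
    raw = bytes.fromhex(value)
    # Abstract-namespace socket names start with NUL; tools display it as '@'.
    if raw.startswith(b'\x00'):
        return '@' + raw[1:].decode('ascii', 'replace')
    return raw.decode('utf-8', 'replace')

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group('fields')))
    for key in STRING_FIELDS & rec.keys():
        rec[key] = decode_audit_value(rec[key])
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what policy rules name.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def raw_allow_rule(rec):
    """Render the denial as the raw allow rule it corresponds to."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return 'allow {} {}:{} {};'.format(rec['source_type'], rec['target_type'], rec['tclass'], perms)

if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print(rec['comm'], '->', rec['path'], '|', raw_allow_rule(rec))
```
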