Bug 1841049 - Systemd mount doesn't create destination directory
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Reported: 2020-05-28 08:47 UTC by Maria Alonso
Modified: 2023-12-15 18:01 UTC

Last Closed: 2020-09-01 10:19:10 UTC
Type: Bug

Description Maria Alonso 2020-05-28 08:47:13 UTC
Description of problem:
	Systemd mount doesn't create destination directory, the following error is thrown:

	~~~
	systemd[1]: var-mnt-backup.mount: Failed to check directory /var/mnt/backup: No such file or directory
	~~~


Version-Release number of selected component (if applicable):


How reproducible:

	Always


Steps to Reproduce:
	1. Create the following systemd mount which mounts nfs share

		~~~
		# cat << EOF > /etc/systemd/system/1/var-mnt-backup.mount
		[Unit]
		Before=remote-fs.target
		[Mount]
		What=nfsserver:/opt/nfsshare
		Where=/var/mnt/backup
		Type=nfs
		[Install]
		WantedBy=remote-fs.target
		EOF
		~~~



	2. start and check the status of the unit, the following error is thrown:

		~~~~
		systemd[1]: var-mnt-backup.mount: Failed to check directory /var/mnt/backup: No such file or directory
		~~~~

		~~~
		# systemctl start var-mnt-backup.mount
		Job for var-mnt-backup.mount failed.
		See "systemctl status var-mnt-backup.mount" and "journalctl -xe" for details.

		# systemctl status var-mnt-backup.mount
		● var-mnt-backup.mount - /var/mnt/backup
		   Loaded: loaded (/etc/systemd/system/var-mnt-backup.mount; disabled; vendor preset: disabled)
		   Active: failed (Result: exit-code) since Thu 2020-05-28 04:29:00 EDT; 10s ago
		    Where: /var/mnt/backup
		     What: ec2-18-130-243-30.eu-west-2.compute.amazonaws.com:/opt/openshift

		May 28 04:29:00 node-0.nfsrhel8.lab.pnq2.cee.redhat.com systemd[1]: var-mnt-backup.mount: Failed to check directory /var/mnt/backup: No such file or directory
		May 28 04:29:00 node-0.nfsrhel8.lab.pnq2.cee.redhat.com systemd[1]: Mounting /var/mnt/backup...
		May 28 04:29:00 node-0.nfsrhel8.lab.pnq2.cee.redhat.com mount[2118]: mount.nfs: mount point /var/mnt/backup does not exist
		May 28 04:29:00 node-0.nfsrhel8.lab.pnq2.cee.redhat.com systemd[1]: var-mnt-backup.mount: Mount process exited, code=exited status=32
		May 28 04:29:00 node-0.nfsrhel8.lab.pnq2.cee.redhat.com systemd[1]: var-mnt-backup.mount: Failed with result 'exit-code'.
		May 28 04:29:00 node-0.nfsrhel8.lab.pnq2.cee.redhat.com systemd[1]: Failed to mount /var/mnt/backup.
		~~~



Actual results:

	The following error is thrown:
	~~~
	systemd[1]: var-mnt-backup.mount: Failed to check directory /var/mnt/backup: No such file or directory
	~~~


Expected results:
	According to the systemd.mount doc, the destination directory should be created [1]:

	Where=
	Takes an absolute path of a file or directory for the mount point; in particular, the destination cannot be a symbolic link. If the mount point does not exist at the time of mounting, it is created as directory. This string must be reflected in the unit filename. (See above.) This option is mandatory.

	Mount units must be named after the mount point directories they control. Example: the mount point /home/lennart must be configured in a unit file home-lennart.mount.

	[1] https://www.freedesktop.org/software/systemd/man/systemd.mount.html

Additional info:

	This works successfully on RHEL7

Comment 1 Maria Alonso 2020-05-28 08:55:25 UTC
Sorry, there is a mistake in my previous comment in the path of the file created when reproducing this issue:

		~~~
		# cat << EOF > /etc/systemd/system/var-mnt-backup.mount
		[Unit]
		Before=remote-fs.target
		[Mount]
		What=nfsserver:/opt/nfsshare
		Where=/var/mnt/backup
		Type=nfs
		[Install]
		WantedBy=remote-fs.target
		EOF
		~~~

Comment 2 David Tardon 2020-05-28 11:44:25 UTC
Just a hunch: does it work with selinux turned to permissive mode (setenforce 0)?

Comment 3 Karel Zak 2020-06-01 13:31:38 UTC
mount(8) can do it for you, but you have to use "-o X-mount.mkdir" (that means Options=X-mount.mkdir in the systemd unit file).

Comment 4 Maria Alonso 2020-06-01 14:09:46 UTC
@David, I have just checked and it also fails (doesn't create this) with selinux disabled.

@Karel, it works fine on RHEL8 using 'Options=X-mount.mkdir', but it worked without this option on RHEL7 and, according to the systemd.mount doc, the destination directory should be created [1]:


---------------------------------------------------------------
	Where=
	Takes an absolute path of a file or directory for the mount point; in particular, the destination cannot be a symbolic link. If the mount point does not exist at the time of mounting, it is created as directory. This string must be reflected in the unit filename. (See above.) This option is mandatory.

	Mount units must be named after the mount point directories they control. Example: the mount point /home/lennart must be configured in a unit file home-lennart.mount.

	[1] https://www.freedesktop.org/software/systemd/man/systemd.mount.html

---------------------------------------------------------------


Regards

Comment 5 David Tardon 2020-06-01 16:05:09 UTC
Could we get strace of systemd during start of the mount unit? I.e., run

# strace -p 1 -o mount.log -e trace=%file &
# systemctl start var-mnt-backup.mount

and attach mount.log here.

Comment 6 Maria Alonso 2020-06-02 12:37:38 UTC
@David, sorry, disregard my previous comment, I did my test immediately after doing 'setenforce 0' and it didn't work, but today I see it works, so it's a selinux issue.

On the other hand, on RHEL7 selinux is also enabled and it's working there:

I attach audit.log entries:

=======================================================
type=USER_AVC msg=audit(1591100038.941:586): pid=570 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1591100048.560:587): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1591100048.577:588): avc:  denied  { create } for  pid=1 comm="systemd" name="mnt" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1591100762.118:589): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1591100762.118:590): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
======================================================

Comment 7 David Tardon 2020-06-03 08:02:32 UTC
Yeah, it's selinux. systemd would have to be allowed to create directories all over the filesystem, instead of just a few selected places like /mnt.

Comment 8 Zdenek Pytela 2020-06-08 15:54:04 UTC
Maria,

What is the selinux-policy package version you use? I cannot reproduce it, systemd creates the directory; moreover it seems to be a duplicate of bz#1778126, already resolved for RHEL 8.2.

# rpm -qa "selinux-policy*"
selinux-policy-targeted-3.14.3-44.el8.noarch
selinux-policy-3.14.3-44.el8.noarch

# sesearch -A -s init_t -t var_t -c dir -p create
allow init_t var_t:dir { add_name create getattr ioctl lock open read relabelfrom relabelto remove_name search setattr write };

Comment 9 Maria Alonso 2020-06-11 12:50:48 UTC
Hi Zdenek,

I was checking on RHEL 8.0 with the following 'selinux-policy' packages:

 selinux-policy-3.14.1-61.el8.noarch
 selinux-policy-targeted-3.14.1-61.el8.noarch

After checking this in RHEL 8.2 with: 
 selinux-policy-targeted-3.14.3-41.el8_2.2.noarch
 selinux-policy-3.14.3-41.el8_2.2.noarch

I can see that systemd mounts work fine with selinux in enforced mode.

Any idea if this will be backported?

Comment 10 Zdenek Pytela 2020-06-11 13:23:28 UTC
Maria,

There were no plans for supporting 8.0 z-streams. For more details, refer to:
https://access.redhat.com/support/policy/updates/errata/

For this particular use case, we can provide the following workaround:

  # cat local_init_var_write.cil
(allow init_t var_t (dir (add_name create getattr ioctl lock open read relabelfrom relabelto remove_name search setattr write)))
  # semodule -i local_init_var_write.cil
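
Added example (not part of the original bug thread, and not Red Hat's tooling): a small Python parser that turns the AVC denial quoted in comment 6 into the narrowest CIL allow rule it justifies, then lists what the rule in comment 10 grants beyond that. The function names are hypothetical, and the USER_AVC sample line is trimmed from the one in comment 6.

```python
import re
from collections import defaultdict

# Sample input: the AVC denial from comment 6, plus a trimmed USER_AVC notice
# that must be skipped because it is not a kernel denial.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1591100048.560:587): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
type=AVC msg=audit(1591100048.577:588): avc:  denied  { create } for  pid=1 comm="systemd" name="mnt" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

# Permission list copied from the CIL rule in comment 10.
WORKAROUND_PERMS = set(
    "add_name create getattr ioctl lock open read relabelfrom relabelto "
    "remove_name search setattr write".split()
)

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m is None:
            continue  # USER_AVC, SERVICE_START, ... carry no denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def to_cil(denials):
    """Render one CIL allow rule per key, covering only the logged permissions."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(denials.items())]

def beyond_logged(rule_perms, logged_perms):
    """Permissions a rule grants that no parsed denial asked for."""
    return sorted(set(rule_perms) - set(logged_perms))

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(to_cil(found)))
    print(beyond_logged(WORKAROUND_PERMS, found[("init_t", "var_t", "dir")]))
```

The record carries `permissive=0`, so the denied call failed at that check and any later permission checks for the same operation would not appear in the log; the permission list in comment 10 matches the `sesearch` output for selinux-policy 3.14.3-44 shown in comment 8.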

Comment 11 Zdenek Pytela 2020-09-01 10:19:10 UTC
Closing CURRENTRELEASE as this bug has been fixed.

