Bug 185083 - 'mount' command requires selinux rules to mount an iso
'mount' command requires selinux rules to mount an iso
Status: CLOSED DUPLICATE of bug 184067
Product: Fedora
Classification: Fedora
Component: util-linux (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karel Zak
Ben Levenson
:
Depends On:
Blocks: fedora-ia64
  Show dependency treegraph
 
Reported: 2006-03-10 09:18 EST by Prarit Bhargava
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-12 11:43:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
/var/log/messages audit denieds for iso and disk mounts (49.50 KB, text/plain)
2006-03-10 23:21 EST, David Timms
no flags Details
/etc/fstab for attempted boot mounts (1.44 KB, text/plain)
2006-03-10 23:23 EST, David Timms
no flags Details
# mount result (575 bytes, text/plain)
2006-03-10 23:29 EST, David Timms
no flags Details

  None (edit)
Description Prarit Bhargava 2006-03-10 09:18:58 EST
Description of problem: 
 
'mount' command requires selinux rules to mount an iso.  I'm surprised that 
such a normal command would require me to set up a rule... 
 
Version-Release number of selected component (if applicable): 
util-linux-2.13-0.16 
 
How reproducible: 100% 
 
 
Steps to Reproduce: 
1. mount -oloop boot.iso mntdir 
 
   
Actual results: 
 
The following is displayed on the screen. 
 
audit(1141818037.016:6): avc:  denied  { read write } for  pid=14280 
comm="mount" name="boot.img" dev=dm-0 ino=2719747 
scontext=root:system_r:mount_t:s0-s0:c0.c255 
tcontext=root:object_r:home_root_t:s0 tclass=file 
boot.img: Permission denied 
 
Expected results: 
 
The command should succeed. 
 
Additional info: I'm not sure if this is an selinux issue or a utils-linux 
issue.
Comment 1 David Timms 2006-03-10 23:21:49 EST
Created attachment 125980 [details]
/var/log/messages audit denieds for iso and disk mounts

Repeatable on my machine-except that the mount works and is accessible if done
manually after boot, but not when in /etc/fstab

-just realized these first parts are with se=permissive
======= se=permissive
# rpm -qa|grep -E 'kernel|util-linux|mount'|sort
gnome-mount-0.4-5
kernel-2.6.15-1.2032_FC5
kernel-2.6.15-1.2039_FC5
util-linux-2.13-0.17
xorg-x11-drv-penmount-1.0.0.5-1.2

# ls -l /home/install/software/linux/fedora/core/5
total 3220748
drwxr-xr-x 2 davidt davidt	 4096 Feb 11 22:32 disc
-rw-r--r-- 1 davidt davidt 3215806464 Feb 22 21:57 FC-5-Test3-i386-DVD.iso
-rw-r--r-- 1 davidt davidt   78987264 Feb 22 21:57 FC-5-Test3-i386-rescuecd.iso


# mount -o loop
/home/install/software/linux/fedora/core/5/FC-5-Test3-i386-DVD.iso
/home/install/software/linux/fedora/core/5/disc
/\ succeeds, and the iso is mounted and accessible through nautilus, but

# tail -f /var/log/messages
...
Mar 11 13:53:13 davidtdesktop kernel: audit(1142045593.122:35): avc:  denied  {
read write } for  pid=3158 comm="mount" name="FC-5-Test3-i386-DVD.iso" dev=dm-1
ino=12615715 scontext=user_u:system_r:mount_t:s0-s0:c0.c255
tcontext=system_u:object_r:user_home_t:s0 tclass=file
Mar 11 13:53:13 davidtdesktop kernel: audit(1142045593.126:36): avc:  denied  {
mounton } for  pid=3158 comm="mount" name="disc" dev=dm-1 ino=12615685
scontext=user_u:system_r:mount_t:s0-s0:c0.c255
tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Mar 11 13:53:13 davidtdesktop kernel: SELinux: initialized (dev loop0, type
iso9660), uses genfs_contexts
Mar 11 13:53:13 davidtdesktop kernel: audit(1142045593.126:37): avc:  denied  {
search } for  pid=2025 comm="hald" name="software" dev=dm-1 ino=8716410
scontext=system_u:system_r:hald_t:s0 tcontext=user_u:object_r:user_home_t:s0
tclass=dir
...
Mar 11 14:03:25 davidtdesktop kernel: audit(1142046205.207:39): avc:  denied  {
getattr } for  pid=3368 comm="mount" name="FC-5-Test3-i386-DVD.iso" dev=dm-1
ino=12615715 scontext=user_u:system_r:mount_t:s0-s0:c0.c255
tcontext=system_u:object_r:user_home_t:s0 tclass=file
Mar 11 14:03:25 davidtdesktop kernel: SELinux: initialized (dev loop0, type
iso9660), uses genfs_contexts

======= se=enforcing
I notice a lot of boot denied messages as my 8 drives on another disk are not
mounted. I don't know now when I last had selinux enforcing ;~)

# mount /home/install/software/linux/fedora/core/5/FC-5-Test3-i386-DVD.iso
/home/install/software/linux/fedora/core/5/FC-5-Test3-i386-DVD.iso: Permission
denied

# mount /dev/hdd8 8
mount: block device /dev/hdd8 is write-protected, mounting read-only
mount: cannot mount block device /dev/hdd8 read-only
[root@davidthome old]# mount /dev/hdd5 5
mount: block device /dev/hdd5 is write-protected, mounting read-only
mount: cannot mount block device /dev/hdd5 read-only
Comment 2 David Timms 2006-03-10 23:23:06 EST
Created attachment 125981 [details]
/etc/fstab for attempted boot mounts
Comment 3 David Timms 2006-03-10 23:29:39 EST
Created attachment 125982 [details]
# mount result

Some drives: (perhaps ones that were present during installation - and manually
slected in anaconda / partition selection) still mount OK, but items manually
added to /etc/fstab are no longer being allowed to boot.
Comment 4 David Timms 2006-03-10 23:40:11 EST
 no longer being allowed to boot.
doh! I meant mount.
Comment 5 Karel Zak 2006-03-12 11:43:40 EST

*** This bug has been marked as a duplicate of 184067 ***

Note You need to log in before you can comment on or make changes to this bug.