Bug 187180 - Init scripts not managing to mount cifs filesystem
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 5
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-28 18:23 EST by Toby Muhlhofer
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Update
Doc Type: Bug Fix
Last Closed: 2006-05-15 13:41:21 EDT
Description Toby Muhlhofer 2006-03-28 18:23:34 EST
Description of problem:
In my /etc/fstab I have a line for a cifs filesystem which I want mounted at
boot time. I use the -o credentials=<cred-file> option so I can put my username
and password in a safe place.

When trying to mount the filesystem at boot time, I get the following error:

error 13, unable to open <cred-file>.

Same result if I put a line which manually mounts the filesystem into /etc/rc.local.

Changing the read permissions or location for the file has no effect.

If, when the system is up and running, I mount the filesystem by hand (as root),
it works.

This only happened after my upgrade from fc4 to fc5. Worked fine in fc4.

Version-Release number of selected component (if applicable): initscripts-8.31.1-1

How reproducible:
Always.

Steps to Reproduce:
1. Put a line for a cifs into /etc/fstab or a line mounting a cifs by hand into
rc.local, either of which refers to a credentials file.
2. Boot
Actual results:
Fails, saying error 13, can't access credentials file.

Expected results:
Mounts the file system.

Additional info:
I'm filing this under initscripts, but this might be an selinux issue: not sure.
Comment 1 Ignacio Vazquez-Abrams 2006-03-28 18:26:36 EST
Do you see any AVC denials in /var/log/audit/audit.log referring to an
appropriate command (e.g., mount)?
Comment 2 Toby Muhlhofer 2006-03-28 18:32:53 EST
Something like this?

----------------------
type=SYSCALL msg=audit(1143587525.243:20): arch=40000003 syscall=5 success=no
exit=-13 a0=8ca0017 a1=8000 a2=1b6 a3=8ca0048 items=1 pid=2369 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs"
exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587542.871:23): avc:  denied  { read } for  pid=2376
comm="mount.cifs" name="cred" dev=sda3 ino=1086175
scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no
exit=-13 a0=9d96017 a1=8000 a2=1b6 a3=9d96048 items=1 pid=2376 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs"
exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587610.598:26): avc:  denied  { read } for  pid=2403
comm="mount.cifs" name="cred" dev=sda3 ino=1086175
scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

--------------------------------

Sorry for being dumb here: never dealt with reading an audit.log
Comment 3 Ignacio Vazquez-Abrams 2006-03-28 19:18:55 EST
Definitely a SELinux problem; reassigning.
Comment 4 Konstantin Ryabitsev 2006-03-31 14:34:55 EST
I don't see this problem -- I have the following entries in my /etc/fstab:

//gdb/test13 /mnt/webtest cifs
credentials=/etc/cifs-webtest,uid=icon,gid=icon,rw 0 0
//blues/wcg /mnt/blues cifs credentials=/etc/cifs-blues,uid=icon,gid=icon,rw 0 0

Both partitions get mounted on boot; however, unmounting on reboot doesn't work.
Generally, these are the avc errors I'm seeing:

Mar 31 14:12:09 rakta kernel: avc:  denied  { } for  pid=3616 comm=umount
capability=7 scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc:  denied  { } for  pid=3616 comm=umount
capability=6 scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc:  denied  { } for  pid=3616 comm=umount.cifs
name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:cifs_t tclass=filesystem

Anything I can help troubleshoot? Reboots are a bit of a mess at the moment. :)
Comment 5 Konstantin Ryabitsev 2006-03-31 14:42:55 EST
Sorry, seaudit seems to have mangled the output a bit. Here are the raw entries
from /var/log/messages:

Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc:  denied  { setuid }
for  pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc:  denied  { setgid }
for  pid=3617 comm="umount" capability=6 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc:  denied  { getattr
} for  pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0
tclass=filesystem
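A small triage helper, added here as an example and not part of the bug thread, that parses both the audit.log records from Comment 2 and the syslog-style kernel records from Comment 5 and groups the denials by source domain, target type, object class and permission, which is the information needed to decide whether a label, a boolean or a policy change is the right fix. It uses only the standard library; the sample lines are the thread's own records re-joined onto single lines.

```python
import re
from collections import Counter

# Sample AVC records copied from the thread above (Comments 2 and 5), each
# re-joined onto one line. The first three are audit.log format; the last two
# are the kernel/syslog format with a timestamp and hostname prefix.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1143587525.243:20): arch=40000003 syscall=5 success=no exit=-13 a0=8ca0017 a1=8000 a2=1b6 a3=8ca0048 items=1 pid=2369 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587542.871:23): avc:  denied  { read } for  pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1143587610.598:26): avc:  denied  { read } for  pid=2403 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc:  denied  { setuid } for  pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc:  denied  { getattr } for  pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem
"""

# "avc: denied { perm perm ... } for <key=value fields>" in either log format.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# key=value pairs; values may be quoted (comm="mount.cifs") or bare (tclass=file).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(sorted(m.group(1).split()))}
    for key, val in KV_RE.findall(m.group(2)):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(text):
    """Count denials keyed by (source type, target type, class, perms, comm)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL records and other noise carry no denial
        key = (context_type(rec.get("scontext", "")),
               context_type(rec.get("tcontext", "")),
               rec.get("tclass", "?"), " ".join(rec["perms"]), rec.get("comm", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms, comm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {perms} }}")
```

Run on the sample, the mount_t -> usr_t:file { read } line shows directly why the credentials file is unreadable from the init-time mount domain while a root shell (not confined to mount_t) succeeds.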
Comment 6 Toby Muhlhofer 2006-03-31 16:10:29 EST
Konstantin, it looks like I also have the same problem on shutdown when trying to umount
the cifs system that you do (in addition to the mounting problem). Umounting it as
root before shutting down again resolves this, but again this is not something
that can be done by an init script in any way, as SELinux won't let it.
Comment 7 Mike 2006-04-27 14:09:17 EDT
After today's update these messages are gone:

: Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc:  denied  { setuid }
: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc:  denied  { setgid }

This one is left:

: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc:  denied  { getattr }
Comment 8 Daniel Walsh 2006-05-01 16:08:24 EDT
That is strange since that fix is also in the update.  Could you paste in the
exact message you are seeing?

Comment 9 Mike 2006-05-04 16:05:44 EDT
I'm mounting filesystems from fstab in a home directory.
Ext3 and fat32 work fine.

All mountpoints are: $ getfattr -m. -d /home/mike/storage
security.selinux="system_u:object_r:mnt_t:s0\000"

But for cifs I got:

audit(1146773144.833:2): avc:  denied  { getattr } for  pid=1470 comm="mount.cifs" name="mike" dev=hda5 ino=893376 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

Yes, I can mount it in /mnt without a warning.
Looks like parent dir must be "mnt_t" for cifs.
Comment 10 Mike 2006-05-06 08:53:12 EDT
: Looks like parent dir must be "mnt_t" for cifs.
This doesn't help.
Comment 11 Daniel Walsh 2006-05-09 15:31:47 EDT
Fixed in selinux-policy-2.2.38-1.FC5.

You need to turn on the boolean

setsebool -P allow_mount_anyfile=1
Comment 12 Mike 2006-05-15 13:02:28 EDT
Problem fixed.

Where can I read more about "allow_mount_anyfile"?
Google lacks results.
Comment 13 Daniel Walsh 2006-05-15 13:41:21 EDT
Nowhere, it was just added.  We are hoping to add more docs on booleans and even
better make the tools smart enough to suggest turning on a boolean to allow a
certain access.
