Description of problem:
In my /etc/fstab I have a line for a cifs filesystem which I want mounted at boot time. I use the -o credentials=<cred-file> option so I can put my username and password in a safe place. When trying to mount the filesystem at boot time, I get the following error: error 13, unable to open <cred-file>. Same result if I put a line which manually mounts the filesystem into /etc/rc.local. Changing the read permissions or location for the file has no effect. If, when the system is up and running, I mount the filesystem by hand (as root), it works. This only happened after my upgrade from fc4 to fc5. Worked fine in fc4.

Version-Release number of selected component (if applicable):
initscripts-8.31.1-1

How reproducible:
Always.

Steps to Reproduce:
1. Put a line for a cifs into /etc/fstab or a line mounting a cifs by hand into rc.local, either of which refers to a credentials file.
2. Boot
3.

Actual results:
Fails, saying error 13, can't access credentials file.

Expected results:
Mounts the file system.

Additional info:
I'm filing this under initscripts, but this might be an SELinux issue: not sure.
Do you see any AVC denials in /var/log/audit/audit.log referring to an appropriate command (e.g., mount)?
Something like this?
----------------------
type=SYSCALL msg=audit(1143587525.243:20): arch=40000003 syscall=5 success=no exit=-13 a0=8ca0017 a1=8000 a2=1b6 a3=8ca0048 items=1 pid=2369 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587542.871:23): avc: denied { read } for pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no exit=-13 a0=9d96017 a1=8000 a2=1b6 a3=9d96048 items=1 pid=2376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587610.598:26): avc: denied { read } for pid=2403 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
--------------------------------
Sorry for being dumb here: never dealt with reading an audit.log.
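Added example (not from the bug report or any of the commenters): a small parser for the AVC denial records quoted in this thread, covering both the audit.log style (type=AVC msg=audit(...)) and the /var/log/messages style (kernel: audit(...)). It groups denials by source type, permission, target type and object class, and picks out the case the reporter hit: the mount helper running as mount_t being denied read on a file that is not labelled for it. The sample log is constructed from values quoted above.

```python
import re
from collections import Counter

# Constructed sample built from records quoted in this thread, in both styles seen here:
# audit.log ("type=AVC msg=audit(...)") and /var/log/messages ("kernel: audit(...)").
SAMPLE_LOG = """\
type=AVC msg=audit(1143587542.871:23): avc: denied { read } for pid=2376 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1143587542.871:23): arch=40000003 syscall=5 success=no exit=-13 pid=2376 comm="mount.cifs" exe="/sbin/mount.cifs"
type=AVC msg=audit(1143587610.598:26): avc: denied { read } for pid=2403 comm="mount.cifs" name="cred" dev=sda3 ino=1086175 scontext=root:system_r:mount_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc: denied { setuid } for pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc: denied { getattr } for pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem
"""

# Matches 'audit(<secs>:<serial>): avc: denied { perm ... } for key=value ...' in either style.
AVC_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*'
                    r'\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, values optionally quoted

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for SYSCALL and other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()   # empty list if a tool stripped the permissions
    rec['ts'], rec['serial'] = float(m.group('ts')), int(m.group('serial'))
    return rec

def ctx_type(ctx):
    """Pick the type field out of a user:role:type[:level] context."""
    return ctx.split(':')[2]

def summarize(log):
    """Count denials by (source type, permission, target type, object class)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log.splitlines())):
        for perm in rec['perms']:
            counts[(ctx_type(rec['scontext']), perm, ctx_type(rec['tcontext']), rec['tclass'])] += 1
    return counts

def mount_file_denials(log):
    """Files the mount helper (mount_t domain) was denied read on: the credentials-file symptom."""
    return [(rec['comm'], rec['name'], ctx_type(rec['tcontext']))
            for rec in filter(None, map(parse_avc, log.splitlines()))
            if ctx_type(rec['scontext']) == 'mount_t' and rec['tclass'] == 'file' and 'read' in rec['perms']]

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print(mount_file_denials(SAMPLE_LOG))
```

Run it against a real /var/log/audit/audit.log by passing the file's contents to summarize(); a row such as "mount_t read usr_t file" is the signature of the credentials file being unreadable to the mount helper under the policy.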
Definitely a SELinux problem; reassigning.
I don't see this problem -- I have the following entries in my /etc/fstab:

//gdb/test13 /mnt/webtest cifs credentials=/etc/cifs-webtest,uid=icon,gid=icon,rw 0 0
//blues/wcg /mnt/blues cifs credentials=/etc/cifs-blues,uid=icon,gid=icon,rw 0 0

Both partitions get mounted on boot; however, unmounting on reboot doesn't work. Generally, these are the avc errors I'm seeing:

Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount capability=7 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount capability=6 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Mar 31 14:12:09 rakta kernel: avc: denied { } for pid=3616 comm=umount.cifs name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t tclass=filesystem

Anything I can help troubleshoot? Reboots are a bit of a mess at the moment. :)
Sorry, seaudit seems to have mangled the output a bit. Here are the raw entries from /var/log/messages:

Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc: denied { setuid } for pid=3617 comm="umount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc: denied { setgid } for pid=3617 comm="umount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc: denied { getattr } for pid=3617 comm="umount.cifs" name="/" dev=cifs ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem
Konstantin, it looks like I also have the same problem on shutdown when trying to umount the cifs system, as you do (in addition to the mounting problem). Unmounting it as root before shutting down again resolves this, but again this is not something that can be done by an init script in any way, as SELinux won't let it.
After today's update these messages are gone:
: Mar 31 14:12:09 rakta kernel: audit(1143832329.531:15): avc: denied { setuid }
: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:16): avc: denied { setgid }
This one is left:
: Mar 31 14:12:09 rakta kernel: audit(1143832329.535:17): avc: denied { getattr }
That is strange, since that fix is also in the update. Could you paste in the exact message you are seeing?
I'm mounting filesystems from fstab in a home directory. Ext3 and fat32 work fine. All mountpoints are:

$ getfattr -m. -d /home/mike/storage
security.selinux="system_u:object_r:mnt_t:s0\000"

But for cifs I got:

audit(1146773144.833:2): avc: denied { getattr } for pid=1470 comm="mount.cifs" name="mike" dev=hda5 ino=893376 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

Yes, I can mount it in /mnt without a warning. Looks like the parent dir must be "mnt_t" for cifs.
: Looks like the parent dir must be "mnt_t" for cifs.
This doesn't help.
Fixed in selinux-policy-2.2.38-1.FC5. You need to turn on the boolean:

setsebool -P allow_mount_anyfile=1
Problem fixed. Where can I read more about "allow_mount_anyfile"? Google lacks results.
Nowhere; it was just added. We are hoping to add more docs on booleans and, even better, make the tools smart enough to suggest turning on a boolean to allow a certain access.