Bug 208561 - context option for tmpfs mount in /etc/fstab: security_context_to_sid failed during reboot
context option for tmpfs mount in /etc/fstab: security_context_to_sid failed ...
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-29 08:57 EDT by Tomasz Ostrowski
Modified: 2011-03-24 04:51 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-14 10:16:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomasz Ostrowski 2006-09-29 08:57:23 EDT
When there is a "context" option for tmpfs mount configured in /etc/fstab the
mount does not occur during reboot.

The following message is logged to /var/log/messages:
kernel: SELinux: security_context_to_sid([context]) failed for (dev tmpfs, type
tmpfs) errno=-22

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.7-2.fc5
util-linux-2.13-0.20.4
initscripts-7.42.2-1

How reproducible:
Always

Steps to Reproduce:
1. Add the following line to /etc/fstab:
tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0
2. Reboot
  
Actual results:
/tmp not mounted
This message logged to /var/log/messages:
kernel: SELinux: security_context_to_sid(system_u:object_r:tmp_t) failed for
(dev tmpfs, type tmpfs) errno=-22

Expected results:
/tmp mounted

Additional info:
It works when /tmp is later mounted by hand:
    mount /tmp
Comment 1 Daniel Walsh 2006-09-29 12:18:06 EDT
Does 

tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0

work?
Comment 2 Tomasz Ostrowski 2006-09-30 07:53:59 EDT
(In reply to comment #1)

> tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0

Works.

In "man mount" there is an example for this option:
    A commonly used  option  for  removable  media  is
    context=system_u:object_r:removable_t
If this is not a bug at least there should be
    context=system_u:object_r:removable_t:s0
so a user could figure it out himself.
Comment 3 Daniel Walsh 2006-10-02 14:27:27 EDT
Yes this is a bug in mount command.  It should be doing the translation to allow
either to work.
Comment 4 Karel Zak 2006-10-05 07:16:51 EDT
The mount command in FC5 supports context translation. (Try mount with -v
option.) I cannot reproduce this problem. It works as expected.

# grep context /etc/fstab
tmpfs                   /mnt/tmp                tmpfs 
context=system_u:object_r:tmp_t 0 0

# mount -v  /mnt/tmp
mount: translated context 'system_u:object_r:tmp_t' to 'system_u:object_r:tmp_t:s0'
tmpfs on /mnt/tmp type tmpfs (rw,context=system_u:object_r:tmp_t:s0)

# tail -1 /var/log/messages
Oct  5 13:11:03 petra kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses
mountpoint labeling

# rpm -q selinux-policy-targeted util-linux
selinux-policy-targeted-2.3.7-2.fc5
util-linux-2.13-0.20.4

# getenforce
Permissive

# uname -r
2.6.17-1.2187_FC5


Comment 5 Tomasz Ostrowski 2006-10-05 07:31:55 EDT
(In reply to comment #4)

> The mount command in FC5 supports context translation. (Try mount with -v
> option.) I cannot reproduce this problem.

It works if mounted by hand, as I've mentioned in "Additional info".
But it doesn't work _during_reboot_.
Comment 6 Karel Zak 2006-10-05 08:13:25 EDT
I have no idea what is different during boot... it's still the same mount
command. Daniel? Bill? Is there anything for SELinxu what should be initialized
before the mount call in /etc/rc.d/rc.sysinit.
Comment 7 Daniel Walsh 2006-10-05 08:24:33 EDT
Do you see any avc messages generated by mount on boot?  There should be no
difference. 

The problem I thought this was showing was that when mount read the /etc/fstab
it was not doing the translation as opposed to doing 

mount -o context=...
Comment 8 Tomasz Ostrowski 2006-10-05 10:20:56 EDT
The only different message I see i dmesg output and /var/log/messages is:
When s0 is used:
    SELinux: initialized (dev tmpfs, type tmpfs),
    uses mountpoint labeling
When s0 is not used:
    SELinux: security_context_to_sid(system_u:object_r:tmp_t)
    failed for (dev tmpfs, type tmpfs) errno=-22
    SELinux: security_context_to_sid(system_u:object_r:tmp_t)
    failed for (dev tmpfs, type tmpfs) errno=-22
(Yes, this message is shown two times).

There are no differences in /var/log/audit/audit.log.

(All this ignores differences in timestamps, pids, irqs etc.)
Comment 9 Tomasz Ostrowski 2006-10-05 10:36:16 EDT
I think I know what is the cause. When I've unmounted /selinux then mount by
hand also did not work. Try:

Add to /etc/fstab:
tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0

# umount /selinux
# mount /tmp
mount: wrong fs type, bad option, bad superblock on tmpfs,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
(also there is "security_context_to_sid... failed" message in /var/log/messages)
# mount -t selinuxfs none /selinux
# mount /tmp
(now works)
Comment 10 Daniel Walsh 2006-10-05 10:59:57 EDT
But /selinux gets mounted in /sbin/init, so it should be mounted by the time
initscripts run.

umount /selinux 
mount /tmp

Is fooling the mount command into the fact that /selinux is not running so it
gices you the error message.
Comment 11 Tomasz Ostrowski 2006-10-05 11:14:22 EDT
But if there is in /etc/fstab:
    tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0
then "mount /tmp" works even when "/selinux" is unmounted.
Comment 12 Daniel Walsh 2006-10-05 11:21:43 EDT
Ok, then that means it is not able to translate the context with out the /selinux.

But again why is /selinux not mounted during your boot up?
Comment 13 Tomasz Ostrowski 2006-10-05 11:53:47 EDT
(In reply to comment #12)

> But again why is /selinux not mounted during your boot up?

It is mounted _after_ boot up for sure. I haven't found where is it mounted in
init scripts and I think the kernel is mounting it automatically when selinux is
enabled in its config. So maybe it is mounted but mount is not able to read it?

I've changed "SELINUX" option in /etc/sysconfig/selinux to "permissive" and now
mount during reboot works even when there is no ":s0" in /etc/fstab. So I've
enabled auditing all errors by:
    semodule -b /usr/share/selinux/targeted/enableaudit.pp
And now I have the following extra audit messages for "mount" during boot:

    audit(1160063375.922:27): avc:  denied  { read }
    for pid=1073 comm="mount" name="config" dev=hda1 ino=683828
    scontext=system_u:system_r:mount_t:s0
    tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

    audit(1160063375.922:28): avc:  denied  { getattr }
    for  pid=1073 comm="mount" name="config" dev=hda1 ino=683828
    scontext=system_u:system_r:mount_t:s0
    tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
Comment 14 Daniel Walsh 2006-10-05 12:04:39 EDT
Ok, add those rules to local policy via

grep mount_t /var/log/messages | audit2allow -M mount 
semodule -i mount.pp
reboot
and see if it works in enforcing mode.

Comment 15 Tomasz Ostrowski 2006-10-05 15:25:27 EDT
Yes, adding
    allow mount_t selinux_config_t:file { getattr read };
to local policy makes it work during reboot.
Comment 16 Karel Zak 2006-11-01 09:18:35 EST
Can you close this bug report? It doesn't seem like util-linux problem.
Comment 17 Tomasz Ostrowski 2006-11-02 04:27:42 EST
This bug is still present in FC5 so I'll just change component back to
selinux-policy.
Comment 18 Daniel Walsh 2007-02-14 10:16:55 EST
All of these bugs should be fixed in FC6,  You could attempt to use the FC6
policy on FC5 or upgrade.  Or you could use 

audit2allow -M mypolicy -i /var/log/audit/audit.log 
and build local customized policy
Comment 19 Jan-Frode Myklebust 2011-03-24 04:51:44 EDT
FYI: I see this same problem on RHEL5-latest (as of 2011/03/24):

Mar 24 09:36:55 asav1 kernel: SELinux: security_context_to_sid(system_u:object_r:amavis_var_lib_t) failed for (dev tmpfs, type tmpfs) errno=-22

on boot with this /etc/fstab entry:

tmpfs  /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t 0 0


and successfull mount during boot if I add the :s0:

tmpfs  /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t:s0 0 0

Note You need to log in before you can comment on or make changes to this bug.