Bug 208561 - context option for tmpfs mount in /etc/fstab: security_context_to_sid failed during reboot
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-09-29 12:57 UTC by Tomasz Ostrowski
Modified: 2011-03-24 08:51 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-02-14 15:16:55 UTC
Description Tomasz Ostrowski 2006-09-29 12:57:23 UTC
When there is a "context" option for a tmpfs mount configured in /etc/fstab, the
mount does not occur during reboot.

The following message is logged to /var/log/messages:
kernel: SELinux: security_context_to_sid([context]) failed for (dev tmpfs, type
tmpfs) errno=-22

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.7-2.fc5
util-linux-2.13-0.20.4
initscripts-7.42.2-1

How reproducible:
Always

Steps to Reproduce:
1. Add the following line to /etc/fstab:
tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0
2. Reboot
  
Actual results:
/tmp not mounted
This message logged to /var/log/messages:
kernel: SELinux: security_context_to_sid(system_u:object_r:tmp_t) failed for
(dev tmpfs, type tmpfs) errno=-22

Expected results:
/tmp mounted

Additional info:
It works when /tmp is later mounted by hand:
    mount /tmp

Comment 1 Daniel Walsh 2006-09-29 16:18:06 UTC
Does 

tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0

work?

Comment 2 Tomasz Ostrowski 2006-09-30 11:53:59 UTC
(In reply to comment #1)

> tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0

Works.

In "man mount" there is an example for this option:
    A commonly used  option  for  removable  media  is
    context=system_u:object_r:removable_t
If this is not a bug at least there should be
    context=system_u:object_r:removable_t:s0
so a user could figure it out himself.
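The ":s0" workaround from comment 2, as an added example that is not part of this report or of util-linux: a POSIX shell/awk script that rewrites fstab entries whose context=, fscontext=, defcontext= or rootcontext= value carries no MLS/MCS level, appending ":s0", plus a check that validates a context against the loaded policy through selinuxfs, which is the step mount(8) cannot perform when selinuxfs is unavailable. The level "s0", the function names and the sample fstab text are assumptions or constructed; quoted context values with embedded commas are not handled.

```shell
#!/bin/sh
# Added example (not from this report or from util-linux): append ":s0" to
# SELinux context options in fstab entries that lack a level, and validate a
# context through selinuxfs. Assumptions: the level to add is "s0" (the only
# level seen in this report) and option values are unquoted, as in the report.

add_level_to_fstab() {
    # fstab text on stdin, rewritten fstab text on stdout
    awk '
    BEGIN { OFS = "\t" }
    # comments, blank lines and lines without a mount-options field pass through
    /^[ \t]*#/ || NF < 4 { print; next }
    {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            # context=, fscontext=, defcontext= and rootcontext= all take a
            # full security context as their value
            if (opts[i] ~ /^(fs|def|root)?context=/) {
                eq  = index(opts[i], "=")
                key = substr(opts[i], 1, eq)
                val = substr(opts[i], eq + 1)
                # user:role:type is 3 fields; user:role:type:level is 4
                if (split(val, parts, ":") == 3)
                    opts[i] = key val ":s0"
            }
        }
        $4 = opts[1]
        for (i = 2; i <= n; i++) $4 = $4 "," opts[i]
        print
    }'
}

selinuxfs_dir() {
    # selinuxfs was mounted on /selinux when this bug was filed; on current
    # kernels it is mounted on /sys/fs/selinux
    for d in /sys/fs/selinux /selinux; do
        if [ -f "$d/context" ]; then echo "$d"; return 0; fi
    done
    return 1
}

check_context() {
    # Writing a context to the "context" file of selinuxfs makes the kernel
    # validate it against the loaded policy, the same check
    # security_context_to_sid performs on mount. Returns 0 if accepted, 1 if
    # rejected, 2 if selinuxfs is not available (the situation mount(8) is in
    # when it cannot translate the context).
    fs=$(selinuxfs_dir) || return 2
    printf '%s' "$1" > "$fs/context" 2>/dev/null
}

# Constructed sample modelled on the fstab entries quoted in this report.
SAMPLE_FSTAB='# constructed sample fstab
tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0
tmpfs /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t 0 0
tmpfs /mnt/ok tmpfs context=system_u:object_r:tmp_t:s0 0 0
/dev/sda1 / ext3 defaults 1 1'

printf '%s\n' "$SAMPLE_FSTAB" | add_level_to_fstab
```

On a live system run `add_level_to_fstab < /etc/fstab > /etc/fstab.new`, review the diff and then replace the file; `check_context system_u:object_r:tmp_t` versus `check_context system_u:object_r:tmp_t:s0` shows directly whether the loaded policy accepts the level-less form, without waiting for a reboot.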

Comment 3 Daniel Walsh 2006-10-02 18:27:27 UTC
Yes this is a bug in mount command.  It should be doing the translation to allow
either to work.

Comment 4 Karel Zak 2006-10-05 11:16:51 UTC
The mount command in FC5 supports context translation. (Try mount with -v
option.) I cannot reproduce this problem. It works as expected.

# grep context /etc/fstab
tmpfs                   /mnt/tmp                tmpfs   context=system_u:object_r:tmp_t 0 0

# mount -v  /mnt/tmp
mount: translated context 'system_u:object_r:tmp_t' to 'system_u:object_r:tmp_t:s0'
tmpfs on /mnt/tmp type tmpfs (rw,context=system_u:object_r:tmp_t:s0)

# tail -1 /var/log/messages
Oct  5 13:11:03 petra kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses mountpoint labeling

# rpm -q selinux-policy-targeted util-linux
selinux-policy-targeted-2.3.7-2.fc5
util-linux-2.13-0.20.4

# getenforce
Permissive

# uname -r
2.6.17-1.2187_FC5

Comment 5 Tomasz Ostrowski 2006-10-05 11:31:55 UTC
(In reply to comment #4)

> The mount command in FC5 supports context translation. (Try mount with -v
> option.) I cannot reproduce this problem.

It works if mounted by hand, as I've mentioned in "Additional info".
But it doesn't work _during_reboot_.

Comment 6 Karel Zak 2006-10-05 12:13:25 UTC
I have no idea what is different during boot... it's still the same mount
command. Daniel? Bill? Is there anything for SELinux that should be initialized
before the mount call in /etc/rc.d/rc.sysinit?

Comment 7 Daniel Walsh 2006-10-05 12:24:33 UTC
Do you see any avc messages generated by mount on boot?  There should be no
difference. 

The problem I thought this was showing was that when mount read the /etc/fstab
it was not doing the translation as opposed to doing 

mount -o context=...


Comment 8 Tomasz Ostrowski 2006-10-05 14:20:56 UTC
The only different message I see in dmesg output and /var/log/messages is:
When s0 is used:
    SELinux: initialized (dev tmpfs, type tmpfs),
    uses mountpoint labeling
When s0 is not used:
    SELinux: security_context_to_sid(system_u:object_r:tmp_t)
    failed for (dev tmpfs, type tmpfs) errno=-22
    SELinux: security_context_to_sid(system_u:object_r:tmp_t)
    failed for (dev tmpfs, type tmpfs) errno=-22
(Yes, this message is shown two times).

There are no differences in /var/log/audit/audit.log.

(All this ignores differences in timestamps, pids, irqs etc.)


Comment 9 Tomasz Ostrowski 2006-10-05 14:36:16 UTC
I think I know what the cause is. When I unmounted /selinux, mounting by
hand also did not work. Try:

Add to /etc/fstab:
tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0

# umount /selinux
# mount /tmp
mount: wrong fs type, bad option, bad superblock on tmpfs,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
(also there is "security_context_to_sid... failed" message in /var/log/messages)
# mount -t selinuxfs none /selinux
# mount /tmp
(now works)


Comment 10 Daniel Walsh 2006-10-05 14:59:57 UTC
But /selinux gets mounted in /sbin/init, so it should be mounted by the time
initscripts run.

umount /selinux 
mount /tmp

is fooling the mount command into believing that /selinux is not running, so it
gives you the error message.

Comment 11 Tomasz Ostrowski 2006-10-05 15:14:22 UTC
But if there is in /etc/fstab:
    tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0
then "mount /tmp" works even when "/selinux" is unmounted.

Comment 12 Daniel Walsh 2006-10-05 15:21:43 UTC
Ok, then that means it is not able to translate the context without /selinux.

But again why is /selinux not mounted during your boot up?

Comment 13 Tomasz Ostrowski 2006-10-05 15:53:47 UTC
(In reply to comment #12)

> But again why is /selinux not mounted during your boot up?

It is mounted _after_ boot up for sure. I haven't found where it is mounted in
the init scripts, and I think the kernel mounts it automatically when SELinux is
enabled in its config. So maybe it is mounted but mount is not able to read it?

I've changed the "SELINUX" option in /etc/sysconfig/selinux to "permissive" and
now the mount during reboot works even when there is no ":s0" in /etc/fstab. So
I've enabled auditing of all errors by:
    semodule -b /usr/share/selinux/targeted/enableaudit.pp
And now I have the following extra audit messages for "mount" during boot:

    audit(1160063375.922:27): avc:  denied  { read }
    for pid=1073 comm="mount" name="config" dev=hda1 ino=683828
    scontext=system_u:system_r:mount_t:s0
    tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

    audit(1160063375.922:28): avc:  denied  { getattr }
    for  pid=1073 comm="mount" name="config" dev=hda1 ino=683828
    scontext=system_u:system_r:mount_t:s0
    tcontext=system_u:object_r:selinux_config_t:s0 tclass=file


Comment 14 Daniel Walsh 2006-10-05 16:04:39 UTC
Ok, add those rules to local policy via

grep mount_t /var/log/messages | audit2allow -M mount 
semodule -i mount.pp
reboot
and see if it works in enforcing mode.



Comment 15 Tomasz Ostrowski 2006-10-05 19:25:27 UTC
Yes, adding
    allow mount_t selinux_config_t:file { getattr read };
to local policy makes it work during reboot.
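The local-policy procedure from comments 13 to 15, as an added example that is not the audit2allow shipped in policycoreutils: a POSIX shell/awk converter that turns AVC denial records into a policy module source (.te), merging permissions per source type, target type and object class, followed by the checkmodule / semodule_package / semodule build that audit2allow -M wraps. The module name localmount, the function names and the sample denial records (the two records from comment 13, rejoined onto single lines) are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not the policycoreutils audit2allow): convert AVC denial
# records into a policy module source, then build and load it with the same
# tools audit2allow -M uses. Module name "localmount" is an assumption.

avc_to_te() {
    # $1 = module name; AVC records on stdin; .te source on stdout
    awk -v name="$1" '
    # type component of a context: user:role:type[:level]
    function ctx_type(f,    a) { sub(/^[a-z]+=/, "", f); split(f, a, ":"); return a[3] }
    # append item to the ordered, de-duplicated list stored under list[key]
    function remember(list, key, item) {
        if (!((key, item) in list)) { list[key, item] = 1; list[key] = list[key] " " item }
    }
    BEGIN {
        split("", rules); split("", types); split("", classes)
        split("", ruleperms); split("", classperms)
    }
    /avc: *denied/ {
        # permissions are the words between "{" and "}"
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      st  = ctx_type($i)
            else if ($i ~ /^tcontext=/) tt  = ctx_type($i)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (st == "" || tt == "" || cls == "") next   # malformed record
        rule = st "|" tt "|" cls
        remember(rules, "all", rule)
        remember(types, "all", st); remember(types, "all", tt)
        remember(classes, "all", cls)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            remember(ruleperms, rule, p[i])
            remember(classperms, cls, p[i])
        }
    }
    END {
        print "module " name " 1.0;"
        print ""
        print "require {"
        n = split(types["all"], t, " ")
        for (i = 1; i <= n; i++) print "\ttype " t[i] ";"
        n = split(classes["all"], c, " ")
        for (i = 1; i <= n; i++) print "\tclass " c[i] " {" classperms[c[i]] " };"
        print "}"
        print ""
        n = split(rules["all"], r, " ")
        for (i = 1; i <= n; i++) {
            split(r[i], f, "|")
            print "allow " f[1] " " f[2] ":" f[3] " {" ruleperms[r[i]] " };"
        }
    }'
}

build_and_load() {
    # $1 = module name, its .te source on stdin. These are the steps
    # audit2allow -M performs; they need checkmodule, semodule_package and
    # semodule from policycoreutils plus root, so they only run on a real
    # SELinux system.
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found, skipping build" >&2; return 2; }
    done
    dir=$(mktemp -d) || return 1
    cat > "$dir/$1.te" &&
    checkmodule -M -m -o "$dir/$1.mod" "$dir/$1.te" &&
    semodule_package -o "$dir/$1.pp" -m "$dir/$1.mod" &&
    semodule -i "$dir/$1.pp"
}

# Constructed sample: the two denials from comment 13, each on one line.
SAMPLE_AVC='audit(1160063375.922:27): avc:  denied  { read } for pid=1073 comm="mount" name="config" dev=hda1 ino=683828 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
audit(1160063375.922:28): avc:  denied  { getattr } for pid=1073 comm="mount" name="config" dev=hda1 ino=683828 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | avc_to_te localmount
```

On a real system the two steps chain as `grep mount_t /var/log/audit/audit.log | avc_to_te localmount | build_and_load localmount`. Permissions are emitted in order of first appearance rather than sorted, so comment 15's `{ getattr read }` comes out as `{ read getattr }`; the rules are equivalent. As with any audit2allow output, review the generated allow rules before loading them: they grant exactly what was denied, which is only correct if the denied access was legitimate.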

Comment 16 Karel Zak 2006-11-01 14:18:35 UTC
Can you close this bug report? It doesn't seem like util-linux problem.

Comment 17 Tomasz Ostrowski 2006-11-02 09:27:42 UTC
This bug is still present in FC5 so I'll just change component back to
selinux-policy.

Comment 18 Daniel Walsh 2007-02-14 15:16:55 UTC
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log 
and build local customized policy

Comment 19 Jan-Frode Myklebust 2011-03-24 08:51:44 UTC
FYI: I see this same problem on RHEL5-latest (as of 2011/03/24):

Mar 24 09:36:55 asav1 kernel: SELinux: security_context_to_sid(system_u:object_r:amavis_var_lib_t) failed for (dev tmpfs, type tmpfs) errno=-22

on boot with this /etc/fstab entry:

tmpfs  /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t 0 0


and a successful mount during boot if I add the :s0:

tmpfs  /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t:s0 0 0