When there is a "context" option for a tmpfs mount configured in /etc/fstab, the mount does not occur during reboot. The following message is logged to /var/log/messages:

kernel: SELinux: security_context_to_sid([context]) failed for (dev tmpfs, type tmpfs) errno=-22

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.7-2.fc5
util-linux-2.13-0.20.4
initscripts-7.42.2-1

How reproducible:
Always

Steps to Reproduce:
1. Add the following line to /etc/fstab:
   tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0
2. Reboot

Actual results:
/tmp not mounted. This message is logged to /var/log/messages:
kernel: SELinux: security_context_to_sid(system_u:object_r:tmp_t) failed for (dev tmpfs, type tmpfs) errno=-22

Expected results:
/tmp mounted

Additional info:
It works when /tmp is later mounted by hand: mount /tmp
Does tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0 work?
(In reply to comment #1)
> tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0

Works. In "man mount" there is an example for this option:

A commonly used option for removable media is context=system_u:object_r:removable_t

If this is not a bug, at least there should be context=system_u:object_r:removable_t:s0 so a user could figure it out himself.
Yes this is a bug in mount command. It should be doing the translation to allow either to work.
The mount command in FC5 supports context translation. (Try mount with the -v option.) I cannot reproduce this problem. It works as expected.

# grep context /etc/fstab
tmpfs /mnt/tmp tmpfs context=system_u:object_r:tmp_t 0 0
# mount -v /mnt/tmp
mount: translated context 'system_u:object_r:tmp_t' to 'system_u:object_r:tmp_t:s0'
tmpfs on /mnt/tmp type tmpfs (rw,context=system_u:object_r:tmp_t:s0)
# tail -1 /var/log/messages
Oct 5 13:11:03 petra kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses mountpoint labeling
# rpm -q selinux-policy-targeted util-linux
selinux-policy-targeted-2.3.7-2.fc5
util-linux-2.13-0.20.4
# getenforce
Permissive
# uname -r
2.6.17-1.2187_FC5
(In reply to comment #4)
> The mount command in FC5 supports context translation. (Try mount with -v
> option.) I cannot reproduce this problem.

It works if mounted by hand, as I've mentioned in "Additional info". But it doesn't work _during_reboot_.
I have no idea what is different during boot... it's still the same mount command. Daniel? Bill? Is there anything for SELinux that should be initialized before the mount call in /etc/rc.d/rc.sysinit?
Do you see any avc messages generated by mount on boot? There should be no difference. The problem I thought this was showing was that when mount read the /etc/fstab it was not doing the translation as opposed to doing mount -o context=...
The only different message I see in dmesg output and /var/log/messages is:

When s0 is used:
SELinux: initialized (dev tmpfs, type tmpfs), uses mountpoint labeling

When s0 is not used:
SELinux: security_context_to_sid(system_u:object_r:tmp_t) failed for (dev tmpfs, type tmpfs) errno=-22
SELinux: security_context_to_sid(system_u:object_r:tmp_t) failed for (dev tmpfs, type tmpfs) errno=-22
(Yes, this message is shown two times.)

There are no differences in /var/log/audit/audit.log. (All this ignores differences in timestamps, pids, irqs etc.)
I think I know what the cause is. When I unmounted /selinux, then mount by hand also did not work. Try:

Add to /etc/fstab:
tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0

# umount /selinux
# mount /tmp
mount: wrong fs type, bad option, bad superblock on tmpfs,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
(also there is a "security_context_to_sid... failed" message in /var/log/messages)
# mount -t selinuxfs none /selinux
# mount /tmp
(now works)
But /selinux gets mounted in /sbin/init, so it should be mounted by the time initscripts run.

umount /selinux
mount /tmp

is fooling the mount command into thinking that /selinux is not running, so it gives you the error message.
But if there is in /etc/fstab:

tmpfs /tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0

then "mount /tmp" works even when "/selinux" is unmounted.
Ok, then that means it is not able to translate the context without /selinux. But again, why is /selinux not mounted during your boot up?
(In reply to comment #12)
> But again why is /selinux not mounted during your boot up?

It is mounted _after_ boot up for sure. I haven't found where it is mounted in init scripts and I think the kernel is mounting it automatically when selinux is enabled in its config. So maybe it is mounted but mount is not able to read it?

I've changed the "SELINUX" option in /etc/sysconfig/selinux to "permissive" and now mount during reboot works even when there is no ":s0" in /etc/fstab. So I've enabled auditing all errors by:

semodule -b /usr/share/selinux/targeted/enableaudit.pp

And now I have the following extra audit messages for "mount" during boot:

audit(1160063375.922:27): avc: denied { read } for pid=1073 comm="mount" name="config" dev=hda1 ino=683828 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
audit(1160063375.922:28): avc: denied { getattr } for pid=1073 comm="mount" name="config" dev=hda1 ino=683828 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
Ok, add those rules to local policy via

grep mount_t /var/log/messages | audit2allow -M mount
semodule -i mount.pp

reboot and see if it works in enforcing mode.
Yes, adding

allow mount_t selinux_config_t:file { getattr read };

to local policy makes it work during reboot.
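The two AVC lines from comment #13 and the single allow rule above are connected by the grouping step that audit2allow performs. As an added example that is not part of this bug report (and not audit2allow itself, which stays the tool to use for a real local module), the script below parses denial lines in the format quoted above, drops the level component, and folds permissions for the same source type, target type and class into one rule. Its sample input is the thread's two denials plus one non-AVC kernel line patterned on comment #4, included so that unrelated log lines are visibly skipped.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn AVC denial lines into the
# allow rule audit2allow would print for them. It implements only the
# parse/group/sort step, so the rule in the thread can be reproduced without
# a running SELinux system.

# Sample input: the two denials quoted in the thread, plus one constructed
# non-AVC kernel line (patterned on the thread's "initialized" message).
SAMPLE_AVC='audit(1160063375.922:27): avc: denied { read } for pid=1073 comm="mount" name="config" dev=hda1 ino=683828 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
Oct  5 13:11:03 petra kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses mountpoint labeling
audit(1160063375.922:28): avc: denied { getattr } for pid=1073 comm="mount" name="config" dev=hda1 ino=683828 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file'

# Stage 1: read log text on stdin and print one
# "<source type> <target type>:<class> <perm>" triple per denied permission.
# The level (":s0") is dropped because TE allow rules name types only.
avc_triples() {
    awk '
        /avc: +denied +[{]/ {
            if (!match($0, /[{][^}]*[}]/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 10)
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            if (s == "" || t == "" || c == "") next
            split(s, sf, ":"); split(t, tf, ":")
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++)
                if (p[i] != "") print sf[3], tf[3] ":" c, p[i]
        }'
}

# Stage 2: sort, de-duplicate and fold the permissions for each
# (source, target:class) pair into a single allow rule.
avc_to_allow() {
    avc_triples | sort -u | awk '
        {
            key = $1 " " $2
            if (key != prev) {
                if (prev != "") printf "allow %s { %s };\n", prev, perms
                prev = key; perms = $3
            } else {
                perms = perms " " $3
            }
        }
        END { if (prev != "") printf "allow %s { %s };\n", prev, perms }'
}

# Stand-alone run on the sample; pipe real log text in the same way.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Running it on the sample prints exactly the rule from this comment. To install such a rule by hand it still has to be wrapped in a .te file with a `module` declaration and a `require` block naming the types and class, then compiled and loaded with semodule; the `audit2allow -M` invocation in comment #14 does all of that in one step and is the better route on a real system. Review what lands in the rule before loading it: a denial that is the correct outcome of the policy should not be allowed just because it appeared in the log.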
Can you close this bug report? It doesn't seem like a util-linux problem.
This bug is still present in FC5 so I'll just change component back to selinux-policy.
All of these bugs should be fixed in FC6. You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build a local customized policy.
FYI: I see this same problem on RHEL5-latest (as of 2011/03/24):

Mar 24 09:36:55 asav1 kernel: SELinux: security_context_to_sid(system_u:object_r:amavis_var_lib_t) failed for (dev tmpfs, type tmpfs) errno=-22

on boot with this /etc/fstab entry:

tmpfs /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t 0 0

and a successful mount during boot if I add the :s0:

tmpfs /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t:s0 0 0
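Across the thread, every failing entry has a context= label with only user:role:type, and every working one carries the level (":s0"); the bare form depends on mount being able to read /selinux and the SELinux config at the moment it runs, which is exactly what broke at boot. As an added example that is not part of this bug report, the script below is the pre-reboot check a practitioner would want: it reads fstab text, extracts each context= option (quoted or not, anywhere in the option list) and reports entries whose label has no level, suggesting the four-field form. The sample fstab is constructed from the entries quoted in the thread; when run as a script it also scans the real /etc/fstab if that file is readable.

```shell
#!/bin/sh
# Added example, not part of the bug report: flag fstab entries whose
# context= option carries only user:role:type and no MLS/MCS level.
# Such labels need mount(8) to translate them to "...:s0" at mount time,
# which the thread shows can fail during boot; the four-field form
# is passed to the kernel as-is.

# Constructed sample fstab text, modelled on the entries quoted in the thread.
SAMPLE_FSTAB='tmpfs /tmp tmpfs context=system_u:object_r:tmp_t 0 0
tmpfs /mnt/tmp tmpfs context=system_u:object_r:tmp_t:s0 0 0
/dev/sda1 / ext3 defaults 1 1
tmpfs /var/amavis/tmp tmpfs defaults,size=4G,noexec,nodev,nosuid,mode=750,uid=510,gid=510,context=system_u:object_r:amavis_var_lib_t 0 0
# comment lines and blank lines are ignored

tmpfs /dev/shm tmpfs defaults,context="system_u:object_r:tmpfs_t:s0" 0 0'

# Read fstab text on stdin; print "<mountpoint> <context>" for each entry
# whose context= label has exactly three colon-separated fields.
find_unleveled_contexts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^context=/) {
                    ctx = substr(opts[i], 9)
                    gsub(/"/, "", ctx)            # strip optional quotes
                    if (split(ctx, f, ":") == 3)
                        print $2, ctx
                }
            }
        }'
}

# Number of offending entries in the fstab text read on stdin.
count_unleveled_contexts() {
    find_unleveled_contexts | wc -l | tr -d ' '
}

# The fix the thread converged on: state the default level explicitly.
with_default_level() {
    printf '%s:s0\n' "$1"
}

# Human-readable report for one finding per input line.
report() {
    while read -r mnt ctx; do
        echo "$mnt: context '$ctx' has no level; use context=$(with_default_level "$ctx")"
    done
}

# Stand-alone run: the constructed sample first, then the real file if present.
printf '%s\n' "$SAMPLE_FSTAB" | find_unleveled_contexts | report
if [ -r /etc/fstab ]; then
    find_unleveled_contexts < /etc/fstab | report
fi
```

The check is deliberately syntactic: it does not ask the running policy whether the type exists or whether a level other than s0 is wanted (an MLS range such as s0-s0:c0.c1023 has more than four fields and is not flagged). Adding the level removes the dependency on mount's translation step, but the underlying denial that comment #13 uncovered (mount_t reading selinux_config_t) is still worth resolving in policy rather than only worked around in fstab.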