Bug 211827 - LSPP: Can't mount with additional contexts
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: util-linux
5.0
All Linux
medium Severity medium
Assigned To: Karel Zak
Ben Levenson
: Reopened
Depends On: 211857
Blocks: RHEL5LSPPCertTracker 227613
Reported: 2006-10-23 09:10 EDT by Bastien Nocera
Modified: 2007-11-30 17:07 EST
Fixed In Version: RC1
Doc Type: Bug Fix
Last Closed: 2007-03-08 10:34:12 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 28423 None None None Never
Description Bastien Nocera 2006-10-23 09:10:49 EDT
# mount -o loop,context=root:object_r:root_t:s0:c1,c4 foo /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

See discussion here for more details:
https://www.redhat.com/archives/redhat-lspp/2006-October/msg00208.html
Comment 2 Karel Zak 2006-10-23 10:07:51 EDT
The patches are waiting in my INBOX, but it's a surprise for me that we expect
this change in RHEL5 GA. My plan was to add this feature to rawhide (fc7).

The patch to nfsmount.c is useless -- in RHEL5 we use separate mount.nfs (from
the nfs-utils package) instead of the old NFS from util-linux. It means you
have to open a new IT/BZ request for nfs-utils too. (Please, assign to me --
I'll fix it in both packages.)
Comment 3 RHEL Product and Program Management 2006-10-24 14:31:35 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 7 Jay Turner 2006-11-14 09:09:50 EST
QE ack for RHEL5.
Comment 8 Karel Zak 2006-11-21 19:11:57 EST
Fixed in util-linux-2.13-0.43.1.el5, but without the change in the kernel (see bug
#211857) it is not possible to use selinux mount options at all.
Comment 9 RHEL Product and Program Management 2006-12-22 20:34:10 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
Comment 10 Klaus Heinrich Kiwi 2007-01-03 12:11:15 EST
Problem persists with lspp (2.6.18-1.2913.4.2.el5.lspp.59) kernel:


[root@rhel5lspp ~]# mount -v -o context="root:object_r:root_t:s0:c1,c4"
/dev/cdrom /mnt/cdrom/
mount: translated context 'root:object_r:root_t:s0:c1' to
'root:object_r:root_t:s0:c1'
mount: you didn't specify a filesystem type for /dev/cdrom
       I will try type iso9660
mount: block device /dev/cdrom is write-protected, mounting read-only
mount: translated context 'root:object_r:root_t:s0:c1' to
'root:object_r:root_t:s0:c1'
mount: wrong fs type, bad option, bad superblock on /dev/cdrom,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

(the same message above happens with/without quoting the context string)

[root@rhel5lspp ~]# rpm -q util-linux
util-linux-2.13-0.43.3.el5

please reopen the bug
Comment 11 Eric Paris 2007-01-04 16:53:14 EST
the userspace quotation checking must be flawed since it is dropping the ,c4

are there any messages in syslog or the audit log which may be related?  I would
have expected it to mount (although incorrectly) even with the ,c4 dropped...
Comment 12 Klaus Heinrich Kiwi 2007-01-05 07:10:52 EST
(In reply to comment #11)
> the userspace quotation checking must be flawed since it is dropping the ,c4
> 
> are there any messages in syslog or the audit log which may be related?  I would
> have expected it to mount (although incorrectly) even with the ,c4 dropped...

None! No messages are inserted in dmesg or /var/log/messages or even auditd.log.

But I must disagree with you: I would expect that the above command fails: Since
the userspace is dropping the ',c4' out of the complete context string, mount is
still probably trying to use it as one of the mount options (-o thing,thing,c4),
which is invalid, and then fails
Comment 13 Karel Zak 2007-01-05 07:59:01 EST
(In reply to comment #10)

> [root@rhel5lspp ~]# mount -v -o context="root:object_r:root_t:s0:c1,c4"

Please, be careful with quotes on shell command line ;-) You have to use:

 mount -v -o context=\"root:object_r:root_t:s0:c1,c4\"

It works as expected:

# mount -v -o context=\"root:object_r:root_t:s0:c1,c4\",ro -t ext3 /dev/loop0
/mnt/test
mount: translated context 'root:object_r:root_t:s0:c1,c4' to
'root:object_r:root_t:s0:c1,c4'
/dev/loop0 on /mnt/test type ext3 (ro,context="root:object_r:root_t:s0:c1,c4")

# mount | grep test
/dev/loop0 on /mnt/test type ext3 (ro,context="root:object_r:root_t:s0:c1,c4")

# uname -r
2.6.18-1.2961.el5

# rpm -q util-linux
util-linux-2.13-0.43.3.el5

Comment 14 Klaus Heinrich Kiwi 2007-01-05 08:23:13 EST
(In reply to comment #13)
> (In reply to comment #10)
> 
> > [root@rhel5lspp ~]# mount -v -o context="root:object_r:root_t:s0:c1,c4"
> 
> Please, be careful with quotes on shell command line ;-) You have to use:

I'm ashamed! Wasn't aware that mount needed the quotes itself. It's working as
expected.

 Please close the bug - thank you.

For the record: It appears that single-quotes aren't good enough (even
escaped). We _need_ to use double-quotes?
Comment 15 Karel Zak 2007-01-05 08:57:56 EST
Yes, it's the mount command that needs to extract selinux stuff from the option
string, and quotes work as a separator between normal and selinux options.

Don't forget that "," is the generic separator for all mount options and not all
options start with <name>= (for example ro -- read-only)

  context=root:object_r:root_t:s0:c1,c4,ro

where context=root:object_r:root_t:s0:c1,c4 is the selinux option and ro is a
normal option. So, the right format is:

  context="root:object_r:root_t:s0:c1,c4",ro

(plus escape for your shell)

I don't remember who selected double-quotes instead of single-quotes. IMHO it is
not so important. Your shell is sensitive to both.
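
The separator rule from comment 15 and the shell-quoting pitfall from comments 10 and 13, as an added example that is not part of the original thread and is not util-linux's parser. `split_opts`, `context_of` and `mounted_context` are hypothetical helper names; the `mount` output line is the one from comment 19. Comparing the requested MLS context with what survives option splitting makes a silently dropped category show up as a mismatch:

```shell
#!/bin/sh
# Added example, not util-linux code: models the rule from comment 15.

# split_opts STRING: print one option per line; "," splits only outside "...".
split_opts() {
    rest=$1; cur=; inq=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character
        rest=${rest#?}          # everything after it
        case $c in
            '"') inq=$((1 - inq)); cur=$cur$c ;;
            ,)   if [ "$inq" -eq 1 ]; then cur=$cur$c
                 else printf '%s\n' "$cur"; cur=; fi ;;
            *)   cur=$cur$c ;;
        esac
    done
    printf '%s\n' "$cur"
}

# context_of STRING: value of the context= option, quotes removed.
context_of() {
    split_opts "$1" | sed -n 's/^context=//p' | tr -d '"'
}

# mounted_context LINE: context recorded in one line of `mount` output.
mounted_context() {
    opts=${1##*"("}; opts=${opts%")"}
    context_of "$opts"
}

# What mount receives after the shell's own quote removal:
unescaped=context="root:object_r:root_t:s0:c1,c4",ro   # quotes consumed by the shell
escaped=context=\"root:object_r:root_t:s0:c1,c4\",ro   # quotes reach mount

# Line from comment 19, rejoined from its wrapped form.
line19='/root/disk.img on /root/mountp type ext3 (ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1")'

want='root:object_r:root_t:s0:c1,c4'
for got in "$(context_of "$unescaped")" "$(context_of "$escaped")" "$(mounted_context "$line19")"; do
    if [ "$got" = "$want" ]; then echo "ok        $got"
    else echo "MISMATCH  $got (wanted $want)"; fi
done
```

Only the escaped form keeps both categories; the unescaped form splits into three options, leaving `c4` on its own.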
Comment 17 RHEL Product and Program Management 2007-02-07 19:19:19 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
Comment 19 Klaus Heinrich Kiwi 2007-02-08 20:10:16 EST
Found a regression while performing the same testcase:

[root@alex ~]# mount -vo loop,context=\"root:object_r:root_t:s0:c1,c4\",ro
disk.img mountp/
mount: translated context 'root:object_r:root_t:s0:c1,c4' to
'root:object_r:root_t:s0:c1'
mount: going to use the loop device /dev/loop0
mount: you didn't specify a filesystem type for /dev/loop0
       I will try type ext3
/root/disk.img on /root/mountp type ext3
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1")
[root@alex ~]# ls -ldZ mountp/
drwxr-xr-x  root root root:object_r:root_t:s0:c1       mountp/
[root@alex ~]# mount | grep mountp
/root/disk.img on /root/mountp type ext3
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1")
[root@alex ~]# 

please re-open the bug
Comment 20 Karel Zak 2007-02-09 02:42:43 EST
(In reply to comment #19)
> Found a regression while performing the same testcase:
 
 ?

> mount: translated context 'root:object_r:root_t:s0:c1,c4' to
> 'root:object_r:root_t:s0:c1'

 Do you mean that root:object_r:root_t:s0:c1,c4 has been translated to
root:object_r:root_t:s0:c1 (the raw context is without 'c4') ?

Dwalsh, is it normal?

Comment 22 Daniel Walsh 2007-02-12 11:21:26 EST
Fixed in libselinux-1.33.4-3.el5.i386.rpm 
Comment 23 Daniel Walsh 2007-02-12 14:51:23 EST
Actually this turns out to be a mcstrans problem.

Fixed in mcstrans-0.2.2-1
Comment 24 Klaus Heinrich Kiwi 2007-02-13 07:09:40 EST
Confirmed fix in ppc64.
package list:

[root@zaphod ~]# rpm -qa | egrep 'policy|libselinux|mcstrans'
checkpolicy-1.33.1-2.el5
mcstrans-0.2.2-1.el5
libselinux-python-1.33.4-4.el5
selinux-policy-devel-2.4.6-37.el5
libselinux-devel-1.33.4-4.el5
libselinux-1.33.4-4.el5
policycoreutils-1.33.12-4.el5
selinux-policy-mls-2.4.6-37.el5
selinux-policy-2.4.6-37.el5
selinux-policy-targeted-2.4.6-37.el5
libselinux-1.33.4-4.el5
policycoreutils-newrole-1.33.12-4.el5
[root@zaphod ~]# 

Awaiting official release to close bug
Comment 25 Steve Grubb 2007-03-07 17:56:21 EST
Klaus, is this bug fixed in util-linux-2.13-0.44? Can this be closed?
Comment 26 Klaus Heinrich Kiwi 2007-03-07 19:04:11 EST
(In reply to comment #25)
> Klaus, is this bug fixed in util-linux-2.13-0.44? Can this be closed?

Steve,

 everything seems fine:
[root/sysadm_r/SystemLow@bracer2 ~]# chcon -t mount_tmp_t boot.iso
[root/sysadm_r/SystemLow@bracer2 ~]# mount -vo
loop,context=\"root:object_r:root_t:s0:c1,c4\",ro boot.iso /media/cdrom/
mount: translated context 'root:object_r:root_t:s0:c1,c4' to
'root:object_r:root_t:s0:c1,c4'
mount: going to use the loop device /dev/loop0
mount: you didn't specify a filesystem type for /dev/loop0
       I will try type iso9660
/root/boot.iso on /media/cdrom type iso9660
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1,c4")
[root/sysadm_r/SystemLow@bracer2 ~]# mount
/dev/mapper/VolGroup00-LvRoot on / type ext3 (rw,user_xattr,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw,user_xattr,acl)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/VolGroup00-LvHome on /home type ext3 (rw,user_xattr,acl)
/dev/mapper/VolGroup00-LvLogs on /var/log type ext3 (rw,user_xattr,acl)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/root/boot.iso on /media/cdrom type iso9660
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1,c4")
[root/sysadm_r/SystemLow@bracer2 ~]# ls -lZ /media/
drwxr-sr-x  root root root:object_r:root_t:s0:c1,c4    cdrom
[root/sysadm_r/SystemLow@bracer2 ~]#  

relevant packages:
[root/sysadm_r/SystemLow@bracer2 ~]# rpm -qa | egrep
'libselinux|util-linux|kernel|mcstrans'
mcstrans-0.2.3-1.el5
libselinux-python-1.33.4-4.el5
kernel-headers-2.6.18-8.el5
kernel-2.6.18-8.el5
kernel-devel-2.6.18-8.el5
kernel-devel-2.6.18-8.el5.lspp.67
libselinux-1.33.4-4.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
util-linux-2.13-0.44.el5
kernel-2.6.18-8.el5.lspp.67


Since we already got problems with the context size, maybe it would be a good
idea to test mount against a context with a large number of categories.

I'll check if we have such testcase here.
Comment 27 Steve Grubb 2007-03-08 10:34:12 EST
Closing this as it's believed to be fixed.