Bug 212674 - Fedora is unable to mount /var/log after install
Summary: Fedora is unable to mount /var/log after install
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-10-27 22:26 UTC by Stephen John Smoogen
Modified: 2007-11-30 22:11 UTC

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2006-11-28 20:52:43 UTC
Type: ---
Embargoed:


Description Stephen John Smoogen 2006-10-27 22:26:48 UTC
Description of problem:

During booting of FC6, we create a separate /var/log/ partition for limits on
audit growth. After rebooting, FC6 complained that it could not mount volgroup03
and tried to mount it read-only. It could not do this either and various other
programs failed to start running (psacct) because their sub-directories were not
available. Was able to get system to boot by turning selinux off. Changed it
temporarily to just complain.

Complaints are:

SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
audit(1161986094.677:3): avc:  denied  { execute } for  pid=1227 comm="bash"
name="bash" dev=dm-0 ino=463972 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
ACPI: Power Button (FF) [PWRF]
ACPI: Power Button (CM) [VBTN]
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.4 loaded
EXT3 FS on dm-0, internal journal
audit(1161986103.613:4): avc:  denied  { mounton } for  pid=1357 comm="mount"
name="log" dev=dm-0 ino=1507330 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=dir

[The first one I don't know where it is yet. The second is when it is trying to
mount other sub-directories.]


Version-Release number of selected component (if applicable):

initscripts-8.45.3-1

How reproducible:

100% [Did 2 installs of FC6]

Steps to Reproduce:
1. Install FC6
2. Create a /var/log partition
3. Watch it fail to mount

Comment 1 Stephen John Smoogen 2006-10-27 22:35:56 UTC
[root@glasya ~]# audit2allow -d                       
allow mount_t var_log_t:dir mounton;
allow rhgb_t usr_t:file execute;

I forgot to add that.
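
Added example (not part of the original report, and not audit2allow's own code): how the two rules in Comment 1 follow from the AVC records in the description. The function names `parse_denials` and `allow_rules` are hypothetical; the log text is the excerpt quoted in the report, and the rule format mirrors the audit2allow output shown above.

```python
import re
from collections import defaultdict

# Boot log excerpt from the report above; AVC records stay wrapped as on the page.
BOOT_LOG = """\
audit(1161986094.677:3): avc:  denied  { execute } for  pid=1227 comm="bash"
name="bash" dev=dm-0 ino=463972 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
EXT3 FS on dm-0, internal journal
audit(1161986103.613:4): avc:  denied  { mounton } for  pid=1357 comm="mount"
name="log" dev=dm-0 ino=1507330 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# One AVC record: the permission set, then key=value fields up to tclass=...
# The tempered dot stops a truncated record from swallowing the next one.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>(?:(?!avc:).)*?tclass=\w+)", re.DOTALL)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    # A security context is user:role:type[:mls-range]; rules use only the type.
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def parse_denials(log):
    # Yield one dict per complete AVC denial found in the log text.
    for match in AVC_RE.finditer(log):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match["fields"])}
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # incomplete record, nothing to derive a rule from
        yield {"perms": match["perms"].split(), "comm": fields.get("comm"),
               "source": context_type(fields["scontext"]),
               "target": context_type(fields["tcontext"]), "tclass": fields["tclass"]}

def allow_rules(log):
    # Merge denials sharing (source type, target type, class) into one rule each.
    merged = defaultdict(set)
    for d in parse_denials(log):
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        text = " ".join(sorted(perms))
        text = "{ " + text + " }" if len(perms) > 1 else text
        rules.append(f"allow {source} {target}:{tclass} {text};")
    return rules
```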


Comment 2 Bill Nottingham 2006-10-28 03:05:09 UTC
This looks like it should be allowed by policy - reassigning. 

The rhgb one is odd, though - why is it trying to execute bash?

Comment 3 Ray Strode [halfline] 2006-10-29 06:26:15 UTC
the rhgb code is some loony thing I came up with and regretted later.

There should be an rhgb in testing soon that will drop that (and fix other issues)

