Description of problem: When trying to mount a dvd and enforce a context for the files, mount fails with an error message: SELinux: security_context_to_sid("system_u:object_r:tmp_t:s0-s0:c0.c1023") failed for (dev hdc, type iso9660) errno=-22 Version-Release number of selected component (if applicable): RHEL5 beta2 2006-12-01 refresh. uname -a: Linux beta2_20061201.ks-0_13 2.6.18-1.2840.2.1.el5.lspp.57 #1 SMP Fri Dec 8 17:28:15 EST 2006 i686 i686 i386 GNU/Linux (Using lspp .57 kernel but also has also verified against stock el5 kernel) Relevant packages: [root@beta2_20061201 mnt]# rpm -qa | egrep "pam|selinux|policy|kernel" pam_passwdqc-1.0.2-1.2.2 libselinux-1.33.2-1.el5 pam_ccreds-3-5 policycoreutils-newrole-1.33.5-4.el5 pam-0.99.6.2-3.6.el5 pam-devel-0.99.6.2-3.6.el5 selinux-policy-strict-2.4.6-11.el5 libselinux-python-1.33.2-1.el5 policycoreutils-1.33.5-4.el5 pam_pkcs11-0.5.3-22 pam_krb5-2.2.11-1 selinux-policy-targeted-2.4.6-11.el5 selinux-policy-mls-2.4.6-11.el5 libselinux-devel-1.33.2-1.el5 kernel-2.6.18-1.2840.2.1.el5.lspp.57 checkpolicy-1.33.1-2.el5 kernel-headers-2.6.18-1.2767.el5 pam_smb-1.1.7-7.2.1 kernel-devel-2.6.18-1.2840.2.1.el5.lspp.57 selinux-policy-2.4.6-11.el5 selinux-policy-devel-2.4.6-11.el5 [root@beta2_20061201 mnt]# How reproducible: Always Steps to Reproduce: 1. Insert RHEL5-2006-12-01 DVD (or any other medium) into dvd drive 2. Mount cdrom into a mouting point. Specify the context to use with '-o context=' (also tested with fscontext with the same results) mount -o context=system_u:object_r:tmp_t:s0-s0:c0.c1023 /dev/cdrom /mnt/cdrom 3. Check dmesg | tail for SELinux error messages - These messages are also echoed in the console Actual results: mount: block device /dev/cdrom is write-protected, mounting read-only SELinux: security_context_to_sid("system_u:object_r:tmp_t:s0-s0:c0.c1023") failed for (dev hdc, type iso9660) errno=-22 mount: wrong fs type, bad option, bad superblock on /dev/cdrom, missing codepage or other error In some cases useful info is found in syslog - try dmesg | tail or so [root@beta2_20061201 mnt]# echo $? 32 Expected results: a mounted filesystem. The files must use the specified context [root@beta2_20061201 mnt]# echo $? 0 Additional info: Using mls policy in enforcing mode. No AVC messages were issued with the command execution. Previous refreshes appeared to work fine in this matter.
The error message generally indicates that the provided context is invalid, but the context shown above appears valid and the bug reporter said he also tried passing the same context to a chcon command, which accepted it (which means that the kernel ultimately accepted it via setxattr). Suggests a problem in either the SELinux context mount option processing or in the way mount is passing the options to the kernel (could be corrupted in transit by the translation daemon, although the kernel output looked ok). I was unable to reproduce on a FC6 box with targeted policy, but naturally the bug is against RHEL 5 with MLS policy. If it were a policy issue, I would have expected the chcon to have failed too. So I think it must lie in the code, either in mount, mcstransd, or the kernel.
The kernel output shown in the bug report shows the context in quotes. But the kernel printk statement does not wrap the context string with quotes (at least upstream), so that suggests that the context passed to the kernel had quotes around it, which it has never accepted. Problem in mount program? BTW, on FC6, the following command "appears" to succeed, but is not working correctly: mount -t nfs -o context=system_u:object_r:tmp_t:s0 host:/dir /foo The context doesn't appear to even be conveyed to the kernel by the mount program in the NFS case anymore. Did the patches to mount get reverted in recent updates?
Sorry, mistake on my part - the patch for handling category sets in context mount options (upstreamed in 2.6.19) did add support for quoting the context to handle the commas within the category set, and the quotes should be stripped by take_selinux_option(). Does the RHEL 5 kernel include that patch back ported from 2.6.19? Even so, not sure that mount should automatically be inserting the quotes or how it would internally disambiguate the commas - seems like the user has to specify that. Also not sure about the NFS mount issue - that seems like a separate bug, since the nfs mount handling uses binary data for the mount options.
It was backported, but isn't in until 2.6.18-1.2876 which was only built yesterday. Is this bug simply a problem of userspace being faster than the kernel? When we ship GA it should have both halves of the fix.
Seems a bit dangerous to me to have mount automatically inserting quotes on the user's behalf particularly if a different kernel might not understand them. And how does it know where to put the quotes, e.g. if the user specifies: mount -o context=a:b:c:d,j,z does that get mapped to context="a:b:c:d",j,z (where j and z may be other mount options) or context="a:b:c:d,j,z" (where j and z might be categories). How would mount know? Seems like mount should stay out of it and let the user quote the context string. Also, separate from this issue of quoting, NFS context mount support seems to be completely missing, at least in Fedora. This would represent a regression from RHEL 4. The diffs to nfsmount.c are just gone (needs NFS_MOUNT_VERSION 6 and setting of the ->context field in the struct, which was part of the original patches, and then there were further diffs for the quoted string support). What happened to them?
Ok, second part of my comment is a bug-in-me ;) Forgot that nfsmount moved from util-linux to nfs-utils and the patches moved along with it, and the behavior I was seeing was due to the fact that I had a lingering bind mount within the NFS filesystem still present, such that any further context mount options were just ignored. Sorry. Not sure though whether the quoting support for nfsmount made it into that package - I don't see the open_quote changes to parse_options() that were in Cory Olmo's original patch set. So that takes us back to just how mount and nfsmount handle quotes.
Ok, the first part of my comment isn't quite right either ;) mount does rely on the user to quote the original string if it contains commas in order to know the end of the string, but then strips the quotes, passes to translation, and then automatically re-quotes the translated string in case it contains commas. Which makes sense (although is unnecessary _unless_ the translated string actually contains commas, so it could do a simple test for that and skip the quoting in that case). So I'd suggest that mount _not_ quote the translated string unless it contains a comma, and that would have the side benefit of letting this work even with an older kernel as long as no commas were in the context.
Redhat: Also see RIT104803
You need: util-linux >= 2.13-0.43.1.el5 (bug #211827) kernel >= 2.6.18-1.2876.el5 (bug #211857) both packages support quote contexts. The problem is nfs-utils (/sbin/mount.nfs[4]) where is not support for quotes yet. Probably my mistake :-( I'll fix it ASAP. See bug #219645. > So I'd suggest that mount _not_ quote the translated string unless it contains > a comma, and that would have the side benefit of letting this work even with > an older kernel as long as no commas were in the context. I think real (upstream) solution will be check for kernel >= 2.6.19 in the mount command. Sorry, but in RHEL5 I really don't have care for non-RHEL5 kernels ;-)
Added Linda in cc Linda: FYI Karel: are those packages available somewhere so we can test them and close the bug? What refresh are they scheduled to ship? Thanks
Steve: Can you confirm this fix will be available in the next lspp kernel? Is there an expected date for the next release? Thanks
I can confirm that the next LSPP kernel (to release this week) will have the required changes.
Confirmed fix against 1218 refresh (2.6.18-1.2910.el5 kernel) still waiting for next lspp kernel drop to close the bug
Can this be closed now?
Irina, I believe IBM has already closed it. - Archana
It must be some problem with the mirroring. Please close the bug, this is fixed