This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 219611 - [LSPP] 'mount' command isn't accepting any context with '-o contex=' option
[LSPP] 'mount' command isn't accepting any context with '-o contex=' option
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Karel Zak
Ben Levenson
:
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
 
Reported: 2006-12-14 08:57 EST by Klaus Heinrich Kiwi
Modified: 2007-11-30 17:07 EST (History)
7 users (show)

See Also:
Fixed In Version: RHEL5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-01 16:10:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 30341 None None None Never

  None (edit)
Description Klaus Heinrich Kiwi 2006-12-14 08:57:21 EST
Description of problem:
When trying to mount a dvd and enforce a context for the files, mount fails with
an error message:

SELinux: security_context_to_sid("system_u:object_r:tmp_t:s0-s0:c0.c1023")
failed for (dev hdc, type iso9660) errno=-22


Version-Release number of selected component (if applicable):
RHEL5 beta2 2006-12-01 refresh.
uname -a:
Linux beta2_20061201.ks-0_13 2.6.18-1.2840.2.1.el5.lspp.57 #1 SMP Fri Dec 8
17:28:15 EST 2006 i686 i686 i386 GNU/Linux
(Using lspp .57 kernel but also has also verified against stock el5 kernel)

Relevant packages:
[root@beta2_20061201 mnt]# rpm -qa | egrep "pam|selinux|policy|kernel"
pam_passwdqc-1.0.2-1.2.2
libselinux-1.33.2-1.el5
pam_ccreds-3-5
policycoreutils-newrole-1.33.5-4.el5
pam-0.99.6.2-3.6.el5
pam-devel-0.99.6.2-3.6.el5
selinux-policy-strict-2.4.6-11.el5
libselinux-python-1.33.2-1.el5
policycoreutils-1.33.5-4.el5
pam_pkcs11-0.5.3-22
pam_krb5-2.2.11-1
selinux-policy-targeted-2.4.6-11.el5
selinux-policy-mls-2.4.6-11.el5
libselinux-devel-1.33.2-1.el5
kernel-2.6.18-1.2840.2.1.el5.lspp.57
checkpolicy-1.33.1-2.el5
kernel-headers-2.6.18-1.2767.el5
pam_smb-1.1.7-7.2.1
kernel-devel-2.6.18-1.2840.2.1.el5.lspp.57
selinux-policy-2.4.6-11.el5
selinux-policy-devel-2.4.6-11.el5
[root@beta2_20061201 mnt]#

How reproducible:
Always

Steps to Reproduce:
1. Insert RHEL5-2006-12-01 DVD (or any other medium) into dvd drive
2. Mount cdrom into a mouting point. Specify the context to use with '-o
context=' (also tested with fscontext with the same results)
mount -o context=system_u:object_r:tmp_t:s0-s0:c0.c1023 /dev/cdrom /mnt/cdrom
3. Check dmesg | tail for SELinux error messages - These messages are also
echoed in the console
  
Actual results:
mount: block device /dev/cdrom is write-protected, mounting read-only
SELinux: security_context_to_sid("system_u:object_r:tmp_t:s0-s0:c0.c1023")
failed for (dev hdc, type iso9660) errno=-22
mount: wrong fs type, bad option, bad superblock on /dev/cdrom,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
[root@beta2_20061201 mnt]# echo $?
32

Expected results:
a mounted filesystem. The files must use the specified context
[root@beta2_20061201 mnt]# echo $?
0

Additional info:
Using mls policy in enforcing mode. No AVC messages were issued with the command
execution.
Previous refreshes appeared to work fine in this matter.
Comment 1 Stephen Smalley 2006-12-14 09:47:32 EST
The error message generally indicates that the provided context is invalid, but
the context shown above appears valid and the bug reporter said he also tried
passing the same context to a chcon command, which accepted it (which means that
the kernel ultimately accepted it via setxattr).  Suggests a problem in either
the SELinux context mount option processing or in the way mount is passing the
options to the kernel (could be corrupted in transit by the translation daemon,
although the kernel output looked ok).
I was unable to reproduce on a FC6 box with targeted policy, but naturally the
bug is against RHEL 5 with MLS policy.  If it were a policy issue,  I would have
expected the chcon to have failed too.  So I think it must lie in the code,
either in mount, mcstransd, or the kernel.

Comment 2 Stephen Smalley 2006-12-14 10:15:10 EST
The kernel output shown in the bug report shows the context in quotes.  But the
kernel printk statement does not wrap the context string with quotes (at least
upstream), so that suggests that the context passed to the kernel had quotes
around it, which it has never accepted.  Problem in mount program? 
BTW, on FC6, the following command "appears" to succeed, but is not working
correctly:
mount -t nfs -o context=system_u:object_r:tmp_t:s0 host:/dir /foo
The context doesn't appear to even be conveyed to the kernel by the mount
program in the NFS case anymore.  Did the patches to mount get reverted in
recent updates?
Comment 3 Stephen Smalley 2006-12-14 10:25:43 EST
Sorry, mistake on my part - the patch for handling category sets in context
mount options (upstreamed in 2.6.19) did add support for quoting the context to
handle the commas within the category set, and the quotes should be stripped by
take_selinux_option().  Does the RHEL 5 kernel include that patch back ported
from 2.6.19?  Even so, not sure that mount should automatically be inserting the
quotes   or how it would internally disambiguate the commas - seems like the
user has to specify that.
Also not sure about the NFS mount issue - that seems like a separate bug, since
the nfs mount handling uses binary data for the mount options.
Comment 4 Eric Paris 2006-12-14 10:38:49 EST
It was backported, but isn't in until 2.6.18-1.2876 which was only built
yesterday.  Is this bug simply a problem of userspace being faster than the
kernel?  When we ship GA it should have both halves of the fix.
Comment 5 Stephen Smalley 2006-12-14 10:47:18 EST
Seems a bit dangerous to me to have mount automatically inserting quotes on the
user's behalf particularly if a different kernel might not understand them.
And how does it know where to put the quotes, e.g. if the user specifies:
mount -o context=a:b:c:d,j,z
does that get mapped to context="a:b:c:d",j,z (where j and z may be other mount
options) or context="a:b:c:d,j,z" (where j and z might be categories). How would
mount know?  Seems like mount should stay out of it and let the user quote the
context string.

Also, separate from this issue of quoting, NFS context mount support seems to be
completely missing, at least in Fedora.  This would represent a regression from
RHEL 4.  The diffs to nfsmount.c are just gone (needs NFS_MOUNT_VERSION 6 and
setting of the ->context field in the struct, which was part of the original
patches, and then there were further diffs for the quoted string support).  What
happened to them?
Comment 6 Stephen Smalley 2006-12-14 11:08:37 EST
Ok, second part of my comment is a bug-in-me ;)
Forgot that nfsmount moved from util-linux to nfs-utils and the patches moved
along with it, and the behavior I was seeing was due to the fact that I had a
lingering bind mount within the NFS filesystem still present, such that any
further context mount options were just ignored.
Sorry.  Not sure though whether the quoting support for nfsmount made it into
that package - I don't see the open_quote changes to parse_options() that were
in Cory Olmo's original patch set.

So that takes us back to just how mount and nfsmount handle quotes.
Comment 7 Stephen Smalley 2006-12-14 11:15:18 EST
Ok, the first part of my comment isn't quite right either ;)
mount does rely on the user to quote the original string if it contains commas
in order to know the end of the string, but then strips the quotes, passes to
translation, and then automatically re-quotes the translated string in case it
contains commas.  Which makes sense (although is unnecessary _unless_ the
translated string actually contains commas, so it could do a simple test for
that and skip the quoting in that case).
So I'd suggest that mount _not_ quote the translated string unless it contains a
comma, and that would have the side benefit of letting this work even with an
older kernel as long as no commas were in the context.
Comment 8 Klaus Heinrich Kiwi 2006-12-14 11:18:52 EST
Redhat: Also see RIT104803
Comment 9 Karel Zak 2006-12-14 11:59:55 EST
You need:

  util-linux >= 2.13-0.43.1.el5       (bug #211827)
  kernel     >= 2.6.18-1.2876.el5     (bug #211857)

both packages support quote contexts. 

The problem is nfs-utils (/sbin/mount.nfs[4]) where is not support for quotes
yet. Probably my mistake :-( I'll fix it ASAP. See bug #219645.

> So I'd suggest that mount _not_ quote the translated string unless it contains
> a comma, and that would have the side benefit of letting this work even with
> an older kernel as long as no commas were in the context.

I think real (upstream) solution will be check for kernel >= 2.6.19 in the mount
command. Sorry, but in RHEL5 I really don't have care for non-RHEL5 kernels ;-)

Comment 10 Klaus Heinrich Kiwi 2006-12-14 14:36:23 EST
Added Linda in cc
Linda: FYI

Karel: are those packages available somewhere so we can test them and close the
bug? What refresh are they scheduled to ship?

 Thanks
Comment 11 Klaus Heinrich Kiwi 2006-12-18 16:45:00 EST
Steve: Can you confirm this fix will be available in the next lspp kernel? Is
there an expected date for the next release?

 Thanks
Comment 12 Eric Paris 2006-12-18 16:50:05 EST
I can confirm that the next LSPP kernel (to release this week) will have the
required changes.
Comment 13 Klaus Heinrich Kiwi 2006-12-22 09:32:50 EST
Confirmed fix against 1218 refresh (2.6.18-1.2910.el5 kernel)

 still waiting for next lspp kernel drop to close the bug
Comment 15 Irina Boverman 2007-01-29 11:52:34 EST
Can this be closed now?
Comment 16 Archana K. Raghavan 2007-01-29 11:55:18 EST
Irina,

I believe IBM has already closed it.

- Archana
Comment 17 Klaus Heinrich Kiwi 2007-01-29 17:38:18 EST
It must be some problem with the mirroring.

Please close the bug, this is fixed

Note You need to log in before you can comment on or make changes to this bug.