Bug 374001 - GNOME unable to mount reiserfs partition
GNOME unable to mount reiserfs partition
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Eric Paris
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-09 17:55 EST by Felipe Contreras
Modified: 2008-01-30 14:18 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:18:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Felipe Contreras 2007-11-09 17:55:23 EST
Description of problem:
When I plug in a disc with reiserfs partition GNOME is unable to mount it and I
get this:

SELinux prevented /bin/mount from mounting on the file or directory "" (type
"unlabeled_t"). 

Version-Release number of selected component (if applicable):

This is with SELinux enabled and Enforcing, targeted (installation default).
Comment 1 Daniel Walsh 2007-11-10 07:29:08 EST
That is strange.  It is supposed to be labeled nfs_t since reiserfs support to
extended attributes is broken.  If you mount it by hand, what does the mount
table show?
Comment 2 Felipe Contreras 2007-11-10 08:26:02 EST
The mount table? The SELinux context is system_u:object_r:nfs_t:s0 if that's
what you mean.

Probably when I plug it in it still doesn't have any context. I don't know.
Comment 3 Daniel Walsh 2007-11-12 18:10:41 EST
Please attach the avc and the output from the mount command when the device is
mounted by hand.
Comment 4 Felipe Contreras 2007-11-13 15:05:30 EST
avc: denied { search } for comm=mount dev=sdb2 egid=0 euid=0 exe=/bin/mount
exit=-95 fsgid=0 fsuid=0 gid=0 items=0 name=/ pid=10525
scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0 

I don't know what you mean by mount command. This?
/dev/sdb2 on /tmp/felipec/mnt type reiserfs (rw)
Comment 5 Daniel Walsh 2007-11-13 15:25:08 EST
Looks like a kernel problem.

Current F8 policy has

genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
Comment 6 Stephen Smalley 2007-11-14 09:50:49 EST
We used to encounter those search denials on reiserfs due to it performing
internal lookups on its xattr subdirectories, but those should have been
resolved by the changes to mark those inodes private and have the security hooks
ignore such inodes.
I don't know - I don't use reiserfs.
Comment 7 Felipe Contreras 2007-11-19 11:50:12 EST
What?!

Why won't fix?

Just format an USB key with reiserfs and you'll reproduce it.
Comment 8 Eric Paris 2007-11-19 12:32:41 EST
was this working for you under F7?   I just ask because F7 is the only thing I
ahve in front of me and it worked for me there.  Wanted to make sure
reinstalling it going to help me reproduce...
Comment 9 Felipe Contreras 2007-11-19 15:30:05 EST
When I was using F7 I had so many problems that I disabled SELinux. I probably
can check my work's laptop, but it might take a while.
Comment 10 Eric Paris 2007-11-19 15:41:39 EST
I went ahead and installed F8 and was able to reproduce the problem.  I'm
working now to find what reiserfs changed between F7 and F8.

Dan also explained to me the transitions going on here

by hand it is:  unconfined_t -> mount_exec_t -> unconfined_mount_t
from gnome:     whatever???? -> mount_exec_t -> mount_t

and apparently unconfined_mount_t has search perms on unlabeled_t.  (The fact
that anything is unlabeled is a reiserfs problem, not selinux I believe)  But I
do wonder if the mount domain might not have been different enough in F7 that
the same bug might be there but policy allows it....

Most of this is just so I don't forget what I figured out already...
Comment 11 Eric Paris 2007-11-19 15:42:30 EST
Oh yeah, dmesg from the failed gnome mount.

ReiserFS: sde1: found reiserfs format "3.6" with standard journal
ReiserFS: sde1: using ordered data mode
ReiserFS: sde1: journal params: device sde1, size 8192, journal first block 18,
max trans len 1024, max batch 900, max commit age 30, max trans age 30
ReiserFS: sde1: checking transaction log (sde1)
ReiserFS: sde1: Using r5 hash to sort names
ReiserFS: sde1: warning: xattrs/ACLs enabled and couldn't find/create
.reiserfs_priv. Failing mount.
Comment 12 Stephen Smalley 2007-11-19 15:59:57 EST
mount_t search on unlabeled_t may be required to allow initialization of
reiserfs due to its funky way of storing xattrs as files in a private directory.
 The lookup of .reiserfs_priv probably happens before we have had a chance to
set up the root inode security blob, so it is always unlabeled (allocated, but
not set up).
Comment 13 Daniel Walsh 2007-11-26 11:50:31 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-62.fc8
Comment 14 Felipe Contreras 2007-11-30 13:16:04 EST
I tried:
yum update selinux-policy --enablerepo=updates-testing

So now I have selinux-policy-3.0.8-62.fc8 and it still doesn't work.
Comment 15 Eric Paris 2007-11-30 13:40:51 EST
do you have the denial messages?

make it happen, then run:

ausearch -m AVC -ts recent

and give those to us?  I'll try to get over to that F8 machine again to look at
it myself.
Comment 16 Felipe Contreras 2007-11-30 14:07:05 EST
type=SYSCALL msg=audit(1196449503.510:6331): arch=40000003 syscall=21 success=no
exit=-95 a0=b8bbf238 a1=b8bbf248 a2=b8bbf258 a3=c0ed0006 items=0 ppid=476
pid=478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0
key=(null)
type=AVC msg=audit(1196449503.510:6331): avc:  denied  { search } for  pid=478
comm="mount" name="/" dev=sdb2 ino=2 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Comment 17 Daniel Walsh 2007-12-01 08:31:33 EST
Fixed in selinux-policy-3.0.8-62.fc8
Comment 18 Daniel Walsh 2008-01-30 14:18:46 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.