Description of problem:
SELinux prevented mount from mounting on the file or directory "/proc/xen" (type "proc_xen_t").

Version-Release number of selected component (if applicable):
Source RPM Packages: util-linux-ng-2.14.2-8.fc11
Policy RPM: selinux-policy-3.6.12-23.fc11

How reproducible:
once

Steps to Reproduce:
1. started xend
2. [ yes, i'm running myoung's dom0 kernel ]
3.

Actual results:
avc and error with suggested fix:
# chcon -t mnt_t /proc/xen
chcon: failed to change context of `/proc/xen' to `system_u:object_r:mnt_t:s0': Operation not supported

Expected results:
no avc or error

Additional info:

Summary:
SELinux prevented mount from mounting on the file or directory "/proc/xen" (type "proc_xen_t").

Detailed Description:
SELinux prevented mount from mounting a filesystem on the file or directory "/proc/xen" of type "proc_xen_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "proc_xen_t" does not have this attribute. You can change the label of the file or directory.

Allowing Access:
Changing the file_context to mnt_t will allow mount to mount the file system: "chcon -t mnt_t '/proc/xen'." You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t mnt_t '/proc/xen'"

Fix Command:
chcon -t mnt_t '/proc/xen'

Additional Information:
Source Context                unconfined_u:system_r:mount_t:s0
Target Context                system_u:object_r:proc_xen_t:s0
Target Objects                /proc/xen [ dir ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           util-linux-ng-2.14.2-8.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-23.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mounton
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755 2.6.30-0.1.2.21.rc3.xendom0.fc12.x86_64 #1 SMP Fri Apr 24 18:41:27 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 30 Apr 2009 01:59:08 PM CDT
Last Seen                     Thu 30 Apr 2009 02:00:22 PM CDT
Local ID                      802ce6f8-04a1-4bd5-b3b8-fb41aa49d793
Line Numbers

Raw Audit Messages:
node=jerry-opti755 type=AVC msg=audit(1241118022.211:36689): avc: denied { mounton } for pid=3358 comm="mount" path="/proc/xen" dev=proc ino=4026531946 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=dir
node=jerry-opti755 type=SYSCALL msg=audit(1241118022.211:36689): arch=c000003e syscall=165 success=no exit=-13 a0=7fad767e35b0 a1=7fad767e4a50 a2=7fad767e5bb0 a3=ffffffffc0ed0001 items=0 ppid=3355 pid=3358 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
Not sure this makes any sense, so I added SELinux kernel developers to look at it.
Assuming that it is normal for userspace to mount something on top of /proc/xen, then this just requires a policy change to allow mounton permission to proc_xen_t:dir. Relabeling /proc/xen via chcon doesn't make sense, but I assume setroubleshoot was just going with the same guidance it would give for a mount on a real filesystem.
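The comment above makes two points: the denial is resolved by a policy rule (mounton on proc_xen_t:dir), and the chcon advice cannot work because procfs labels come from the kernel policy, not from extended attributes. The POSIX sh script below, an added example that is not part of this bug report or of setroubleshoot, parses the raw AVC line from this report (embedded as a constructed string) into the allow rule a policy maintainer would write, and only offers a chcon when the target's dev= is a filesystem that supports relabeling; treating only dev=proc as non-relabelable is an assumption made for the example.

```sh
#!/bin/sh
# Constructed sample: the raw AVC line reported in this bug, kept on one line.
AVC='node=jerry-opti755 type=AVC msg=audit(1241118022.211:36689): avc: denied { mounton } for pid=3358 comm="mount" path="/proc/xen" dev=proc ino=4026531946 scontext=unconfined_u:system_r:mount_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=dir'

# avc_field KEY LINE: value of the KEY=value token in LINE (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission list between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the policy rule that resolves the denial,
# e.g. "allow mount_t proc_xen_t:dir mounton;".
avc_to_allow() {
    s=$(ctx_type "$(avc_field scontext "$1")")
    t=$(ctx_type "$(avc_field tcontext "$1")")
    c=$(avc_field tclass "$1")
    p=$(avc_perms "$1")
    case $p in
        *' '*) p="{ $p }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$s" "$t" "$c" "$p"
}

# relabel_possible LINE: succeeds when chcon could change the target's label.
# procfs is labelled by the kernel from policy (genfscon), so setxattr fails with
# "Operation not supported", exactly as the chcon in this report did.
# Assumption for this example: only dev=proc is treated as non-relabelable.
relabel_possible() {
    case $(avc_field dev "$1") in
        proc) return 1 ;;
        *)    return 0 ;;
    esac
}

# suggest_fix LINE: setroubleshoot-style advice, but chcon is offered only where
# it can succeed; otherwise the needed policy change is printed instead.
suggest_fix() {
    if relabel_possible "$1"; then
        printf "chcon -t mnt_t '%s'\n" "$(avc_field path "$1")"
    else
        printf 'relabel unsupported on dev=%s; policy change needed: %s\n' \
            "$(avc_field dev "$1")" "$(avc_to_allow "$1")"
    fi
}

suggest_fix "$AVC"
```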
That is my question, does it make any sense to mount a file system on /proc/xen?
Fixed in selinux-policy-3.6.12-27.fc11.noarch. I will allow it.
Blech. Never mind, this is user error. I was testing ideas on why my dom0 wasn't working - now that I go back through the shell history, I see "mount -t xenfs xen /proc/xen" as root. Oops. Sorry for the noise.