Description of problem:
I am trying to set up an automount for a glusterfs volume using systemd .mount and .automount units. However, it would seem that SELinux policy is preventing the mount command, therefore making the (auto)mount fail.

Below is outlined the manual mount process which reproduces the problem:

1. Create a glusterfs volume; for test purposes, I created a volume called gv0, consisting of two local bricks.

2. Create a systemd unit file which will mount gv0 under /home/cluster:

    # filename: /usr/lib/systemd/system/home-cluster.mount
    # A unit for mounting glusterfs volume gv0 under /home/cluster
    # For automount, create corresponding .automount unit
    [Unit]
    Description=Cluster Mount

    [Mount]
    What=localhost:/gv0
    Where=/home/cluster
    Type=glusterfs

3. Try to mount the volume via the above unit (which is equivalent to what the automount would have done):

    [root@iota ~]# systemctl start home-cluster.mount
    Job for home-cluster.mount failed. See 'systemctl status home-cluster.mount' and 'journalctl -xn' for details.
    [root@iota ~]# systemctl status home-cluster.mount
    home-cluster.mount - /home/cluster
       Loaded: loaded (/etc/fstab; static)
       Active: failed (Result: exit-code) since Thu 2013-01-24 22:18:24 CET; 6s ago
        Where: /home/cluster
         What: iota:/gv0
      Process: 3838 ExecMount=/bin/mount iota:/gv0 /home/cluster -t glusterfs -o defaults,_netdev (code=exited, status=1/FAILURE)

    Jan 24 22:18:23 iota systemd[1]: Mounting /home/cluster...
    Jan 24 22:18:23 iota mount[3838]: unknown option _netdev (ignored)
    Jan 24 22:18:24 iota mount[3838]: /sbin/mount.glusterfs: line 140: /usr/sbin/glusterfs: Permission denied
    Jan 24 22:18:24 iota mount[3838]: Mount failed. Please check the log file for more details.
    Jan 24 22:18:24 iota systemd[1]: home-cluster.mount mount process exited, code=exited status=1
    Jan 24 22:18:24 iota systemd[1]: Failed to mount /home/cluster.
    Jan 24 22:18:24 iota systemd[1]: Unit home-cluster.mount entered failed state

-----

Expected result: mount command succeeding (which happens when SELinux is set to permissive).

SELinux is preventing /usr/bin/bash from 'execute' accesses on the file glusterfsd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the glusterfsd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mount.glusterfs /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:object_r:glusterd_exec_t:s0
Target Objects                glusterfsd [ file ]
Source                        mount.glusterfs
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glusterfs-3.3.1-8.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-71.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed Jan 16 16:22:52 UTC 2013 x86_64 x86_64
Alert Count                   12
First Seen                    2013-01-24 22:05:32 CET
Last Seen                     2013-01-24 22:21:28 CET
Local ID                      7d9d638d-62e4-49ce-b835-d61303c1afed

Raw Audit Messages
type=AVC msg=audit(1359062488.476:477): avc:  denied  { execute } for  pid=4041 comm="mount.glusterfs" name="glusterfsd" dev="dm-1" ino=952909 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file

type=AVC msg=audit(1359062488.476:477): avc:  denied  { execute_no_trans } for  pid=4041 comm="mount.glusterfs" path="/usr/sbin/glusterfsd" dev="dm-1" ino=952909 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359062488.476:477): arch=x86_64 syscall=execve success=yes exit=0 a0=e6f7a0 a1=e66640 a2=e6d1a0 a3=7fff44895020 items=0 ppid=4001 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterfs exe=/usr/sbin/glusterfsd subj=system_u:system_r:mount_t:s0 key=(null)

Hash: mount.glusterfs,mount_t,glusterd_exec_t,file,execute

audit2allow

#============= mount_t ==============
allow mount_t glusterd_exec_t:file { execute execute_no_trans };

audit2allow -R

#============= mount_t ==============
allow mount_t glusterd_exec_t:file { execute execute_no_trans };

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.2-204.fc18.x86_64
type:           libreport
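The sealert plugin's suggested workaround (audit2allow -M mypol; semodule -i mypol.pp) loads a rule without showing it first. The script below is an added example, not part of the bug report or of the Fedora selinux-policy package: it derives the same allow rule from the AVC records (the two records above are embedded as a constructed sample), writes a reviewable .te module, and offers a check of whether the installed policy already grants the access. The helpers that touch the live system assume checkmodule, semodule_package and semodule from policycoreutils and sesearch from setools; those tools and the module name mypol are assumptions, not something the report prescribes.

```shell
#!/bin/sh
# avc_to_te.sh: added example, not from the bug report or Fedora policy.
# Turns AVC denial records into a reviewable local policy module, and
# checks whether the loaded policy already has the rule.
# Assumes policycoreutils (checkmodule, semodule_package, semodule) and
# setools (sesearch) for the two functions that touch the live system.

# Constructed sample: the two AVC records from the report plus a trimmed
# SYSCALL record, which the parser must skip.
SAMPLE_AVC='type=AVC msg=audit(1359062488.476:477): avc:  denied  { execute } for  pid=4041 comm="mount.glusterfs" name="glusterfsd" dev="dm-1" ino=952909 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
type=AVC msg=audit(1359062488.476:477): avc:  denied  { execute_no_trans } for  pid=4041 comm="mount.glusterfs" path="/usr/sbin/glusterfsd" dev="dm-1" ino=952909 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1359062488.476:477): arch=x86_64 syscall=execve success=yes exit=0 ppid=4001 pid=4041 comm=glusterfs exe=/usr/sbin/glusterfsd subj=system_u:system_r:mount_t:s0'

# avc_rules: read audit records on stdin and print one allow rule per
# (source type, target type, class), merging the permissions of several
# records the way audit2allow summarises them.
avc_rules() {
  awk '
    /^type=AVC / && / denied / {
      perms = $0; sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      split(src, s, ":"); split(tgt, t, ":")      # user:role:type:level
      key = s[3] " " t[3] ":" cls
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " seen[key] " ", " " p[i] " ") == 0) seen[key] = seen[key] " " p[i]
      if (!(key in order)) { order[key] = ++cnt; keys[cnt] = key }
    }
    END { for (i = 1; i <= cnt; i++) printf "allow %s {%s };\n", keys[i], seen[keys[i]] }'
}

# make_te NAME: wrap the rules read from stdin in loadable module source.
# The require block declares every type and class the rules use, because
# checkmodule compiles the module without seeing the base policy.
make_te() {
  rules=$(avc_rules)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" | awk '
    {
      types[$2] = 1
      split($3, t, ":"); types[t[1]] = 1
      perms = substr($0, index($0, "{") + 1); sub(/ *\};.*/, "", perms)
      cls[t[2]] = cls[t[2]] perms
    }
    END {
      for (x in types) print "    type " x ";"
      for (c in cls) print "    class " c " {" cls[c] " };"
    }' | sort
  printf '}\n\n%s\n' "$rules"
}

# already_allowed SRC TGT CLASS PERM: exit 0 if the loaded policy already
# grants the access (what to expect once the fixed selinux-policy is in).
already_allowed() {
  sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null | grep -q 'allow '
}

# build_and_load NAME: the same steps as "audit2allow -M; semodule -i", but
# from a .te you have read first. Needs root for semodule.
build_and_load() {
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}

# Helpers that run the parser over the constructed sample.
sample_rules()  { printf '%s\n' "$SAMPLE_AVC" | avc_rules; }
sample_module() { printf '%s\n' "$SAMPLE_AVC" | make_te mypol; }

# Usage: sh avc_to_te.sh /var/log/audit/audit.log > mypol.te
# With no argument it prints the module derived from the constructed sample.
if [ $# -gt 0 ]; then grep mount.glusterfs "$1" | make_te mypol; else sample_module; fi
```

Read the generated rule before loading it: execute_no_trans means the glusterfs client that mount.glusterfs starts keeps running in mount_t instead of transitioning to the gluster domain, so a module like this is a stopgap. After updating to the fixed selinux-policy, run already_allowed mount_t glusterd_exec_t file execute and, if it succeeds, remove the local module with semodule -r mypol.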
Fixed in selinux-policy-3.11.1-74.fc18.noarch
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.