FC5 ext3 Partition SELinux audit denies mount

Paul Howarth paul at city-fan.org
Tue Apr 18 15:41:22 UTC 2006 

David Timms wrote:
> danielf wrote:
>> I just want to mount an ext3 partition w/ my fstab [work] but, I get 
>> some "Audits" from SELinux:
>> udit(1145359952.812:30): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.812:31): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.816:32): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.816:33): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.820:34): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.820:35): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.820:36): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.824:37): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.824:38): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.824:39): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.828:40): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.828:41): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.832:42): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.832:43): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.832:44): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.836:45): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.836:46): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.836:47): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.840:48): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.840:49): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.844:50): avc:  denied  { read } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.876:51): avc:  denied  { search } for  pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> Last login: Tue Apr 18 13:29:00 on tty2
>>
>> my fstab:
>> LABEL=/ / ext3 defaults 1 1
>> LABEL=/boot1 /boot ext3 defaults 1 2
>> devpts /dev/pts devpts gid=5,mode=620 0 0
>> tmpf /dev/shm tmpfs defaults 0 0
>> proc /proc proc defaults 0 0
>> sysfs /sys sysfs defaults 0 0
>> LABEL=SWAP-hda5 swap swap defaults 0 0
>> LABEL=/mnt /mnt ext3 auto 1 2 <- i´ve tested w/ 0 0 / 1 1 / 1 2 / 1 4 
>> but nothing works
>>
>> the device had the label /mnt set with e2label
>>
>> hmm.. if i remember on furhter things i´ll post it... :)
> If you mount after boot does the volume mount OK ?
> # mount /mnt
> I think I am seeing the same thing for both loop iso mounts and 
> /dev/hdax style mounts that are in fstab. During boot there is messages 
> like:
> ~ device marked read-only, mounting read-only.  mount failed.
> 
> {dmesg|less}
> audit(1145350901.349:12): avc:  denied  { mounton } for  pid=1381 
> comm="mount" name="9" dev=dm-1 ino=17137913 
> scontext=system_u:system_r:mount_t:s0 
> tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
> 
> audit(1145350901.353:13): avc:  denied  { mounton } for  pid=1381 
> comm="mount" name="9" dev=dm-1 ino=17137913 
> scontext=system_u:system_r:mount_t:s0 
> tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
> 
> audit(1145350901.782:16): avc:  denied  { read write } for  pid=1381 
> comm="mount" name="FC-5-i386-DVD.iso" dev=dm-1 ino=13172737 
> scontext=system_u:system_r:mount_t:s0 
> tcontext=system_u:object_r:user_home_t:s0 tclass=file
> 
> Seems if the partitions were not created by the installer then they 
> don't get loaded at boot (even though with custom partitioning a 
> configured them (do not format).
> 
> I welcome a solution too :)

If, with the ISO image not mounted, you do:

$ chcon -t mnt_t /path/to/iso/moint/point/directory

Does that help?

You should also specify the "ro" option in any fstab entry for an ISO 
filesystem.

You *may* also need to change the context of the ISO file itself but I'm 
not sure about that.

Paul.

More information about the fedora-list mailing list