FC5 ext3 Partition SELinux audit denies mount
Paul Howarth
paul at city-fan.org
Tue Apr 18 15:41:22 UTC 2006
David Timms wrote:
> danielf wrote:
>> I just want to mount an ext3 partition w/ my fstab [work] but, I get
>> some "Audits" from SELinux:
>> audit(1145359952.812:30): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.812:31): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.816:32): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.816:33): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.820:34): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.820:35): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.820:36): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.824:37): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.824:38): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.824:39): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.828:40): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.828:41): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.832:42): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.832:43): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.832:44): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.836:45): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.836:46): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.836:47): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.840:48): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.840:49): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.844:50): avc: denied { read } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> audit(1145359952.876:51): avc: denied { search } for pid=2319
>> comm="pam_console_app" name="/" dev=hda7 ino=2
>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> Last login: Tue Apr 18 13:29:00 on tty2
>>
>> my fstab:
>> LABEL=/ / ext3 defaults 1 1
>> LABEL=/boot1 /boot ext3 defaults 1 2
>> devpts /dev/pts devpts gid=5,mode=620 0 0
>> tmpf /dev/shm tmpfs defaults 0 0
>> proc /proc proc defaults 0 0
>> sysfs /sys sysfs defaults 0 0
>> LABEL=SWAP-hda5 swap swap defaults 0 0
>> LABEL=/mnt /mnt ext3 auto 1 2 <- I've tested w/ 0 0 / 1 1 / 1 2 / 1 4
>> but nothing works
>>
>> the device had the label /mnt set with e2label
>>
>> hmm.. if I remember any further things I'll post them... :)
> If you mount after boot does the volume mount OK ?
> # mount /mnt
> I think I am seeing the same thing for both loop iso mounts and
> /dev/hdax style mounts that are in fstab. During boot there are messages
> like:
> ~ device marked read-only, mounting read-only. mount failed.
>
> {dmesg|less}
> audit(1145350901.349:12): avc: denied { mounton } for pid=1381
> comm="mount" name="9" dev=dm-1 ino=17137913
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
>
> audit(1145350901.353:13): avc: denied { mounton } for pid=1381
> comm="mount" name="9" dev=dm-1 ino=17137913
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
>
> audit(1145350901.782:16): avc: denied { read write } for pid=1381
> comm="mount" name="FC-5-i386-DVD.iso" dev=dm-1 ino=13172737
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:user_home_t:s0 tclass=file
>
> Seems if the partitions were not created by the installer then they
> don't get loaded at boot (even though with custom partitioning I
> configured them (do not format)).
>
> I welcome a solution too :)
If, with the ISO image not mounted, you do:
$ chcon -t mnt_t /path/to/iso/mount/point/directory
Does that help?
You should also specify the "ro" option in any fstab entry for an ISO
filesystem.
You *may* also need to change the context of the ISO file itself but I'm
not sure about that.
Paul.
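An added example, not code from any participant in this thread: a small POSIX shell script that reads AVC denial lines of the kind quoted above and condenses them into one line per (process, source type, target type, class, permissions) tuple, then checks fstab entries against Paul's advice that ISO filesystems should carry the "ro" option. The AVC and fstab samples below are constructed to mirror the thread's records (joined onto single lines); the function names and the hint text are my own.

```shell
#!/bin/sh
# Constructed sample AVC records, modelled on the ones quoted in the thread.
SAMPLE_AVC='audit(1145350901.349:12): avc: denied { mounton } for pid=1381 comm="mount" name="9" dev=dm-1 ino=17137913 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
audit(1145350901.782:16): avc: denied { read write } for pid=1381 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-1 ino=13172737 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
audit(1145359952.812:30): avc: denied { read } for pid=2319 comm="pam_console_app" name="/" dev=hda7 ino=2 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1145359952.812:31): avc: denied { read } for pid=2319 comm="pam_console_app" name="/" dev=hda7 ino=2 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# Constructed fstab fragment: one ISO entry without "ro", one with it.
SAMPLE_FSTAB_BAD='/home/me/FC-5-i386-DVD.iso /mnt/iso iso9660 loop 0 0'
SAMPLE_FSTAB_GOOD='/home/me/FC-5-i386-DVD.iso /mnt/iso iso9660 loop,ro 0 0'

# summarize_avc: reads AVC lines on stdin and prints
#   <count> <comm> <source type> <target type> <class> <permissions>
# so repeated denials (the thread shows dozens) collapse to a few lines.
summarize_avc() {
  sed -n 's/.*denied { \([^}]*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \5 \1/p' |
  sort | uniq -c | sort -rn
}

# hint_for_target: a defender-side reading of the target type in a denial.
hint_for_target() {
  case "$1" in
    file_t|unlabeled_t)
      echo "target is unlabeled: relabel the filesystem (restorecon -R on the mount point) or mount it with a context= option" ;;
    user_home_dir_t|user_home_t)
      echo "target lives in a home directory: use a dedicated mount point (e.g. under /mnt) rather than a path in a user's home" ;;
    *)
      echo "no specific hint for type $1" ;;
  esac
}

# check_iso_fstab: reads fstab lines on stdin; prints any iso9660 entry
# whose option list lacks "ro" and exits non-zero if one was found.
check_iso_fstab() {
  awk '$3 == "iso9660" {
         n = split($4, opt, ","); ok = 0
         for (i = 1; i <= n; i++) if (opt[i] == "ro") ok = 1
         if (!ok) { print "missing ro: " $0; bad = 1 }
       }
       END { exit bad ? 1 : 0 }'
}

# Stand-alone run: summarize the sample, then check both fstab fragments.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_FSTAB_BAD" | check_iso_fstab || echo "fstab needs fixing"
printf '%s\n' "$SAMPLE_FSTAB_GOOD" | check_iso_fstab && echo "fstab ISO entries are read-only"
```

On a live system the AVC input would come from dmesg or /var/log/audit/audit.log and the fstab check from /etc/fstab; the summary makes it obvious that the original poster's long log is a single source/target pair repeated, which is the pair to act on.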