Odd mount behavior mounting hfsplus

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 20 13:01:36 UTC 2005

On Mon, 2005-12-19 at 17:11 -0800, Derek Poon wrote:
> Hi,
> I'd like to report an odd behavior that I traced to SELinux.  To mount
> my Mac OS X partition automatically, I have the following line in
> my /etc/fstab:
>     /dev/hda3    /Macintosh\040HD   hfsplus ro  0 0
> If I execute   mount '/Macintosh HD'   as root, this works fine.
> However, this mount fails during the boot process.
> If I execute
> (A) /etc/rc.d/init.d/netfs start
> as root, I get an error:
>     mount: cannot mount block device /dev/hda3 read-only      [FAILED]
> Running (A) under strace, I see
>   mount("/dev/hda3", "/Macintosh HD", "hfsplus", MS_RDONLY|MS_POSIXACL|
> MS_ACTIVE|MS_NOUSER|0xec0000, 0x10037f58) = -1 EACCES (Permission
> denied)
> However, the following commands both succeed:
> (B) /bin/bash /etc/rc.d/init.d/netfs start
> (C) setenforce 0 ; /etc/rc.d/init.d/netfs start
> Obviously, (C) proves that SELinux is the culprit.  The question is,
> under SELinux, why should (B) work while (A) fails?  Since the netfs
> script has #!/bin/bash as the shebang line, shouldn't (A) and (B) be
> equivalent?

Running the init script causes a domain transition, as you want the init
script and any daemons it starts to run with a different set of
permissions than the user shell.  Running it via bash leaves it in the
caller's domain (i.e. the user shell's domain), so it runs with those

Check your /var/log/audit/audit.log for relevant AVC messages (or
use /sbin/ausearch to search for and interpret such messages).

Stephen Smalley
National Security Agency
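As an added example (not part of the thread above, and not code from either poster), the following Python script does the check Stephen recommends: it parses `avc: denied` records in the `/var/log/audit/audit.log` format and groups them by source type, target type and object class, so the domain that was actually denied (the init script's transitioned domain vs. the user shell's domain) is visible at a glance. The sample log lines are constructed for the example; the contexts, permission and inode numbers in them are illustrative and are not the real denial from Derek's system, which the post does not quote.

```python
import re

# Constructed sample lines in the shape of /var/log/audit/audit.log AVC
# records. The contexts and permission are illustrative only; the thread
# does not include the actual denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1135040000.101:17): avc:  denied  { mounton } for  pid=2104 comm="mount" name="Macintosh HD" dev=hda1 ino=98765 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:default_t tclass=dir
type=SYSCALL msg=audit(1135040000.101:17): arch=40000003 syscall=21 success=no exit=-13 comm="mount"
type=AVC msg=audit(1135040000.102:18): avc:  denied  { mounton } for  pid=2104 comm="mount" name="Macintosh HD" dev=hda1 ino=98765 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1135040000.230:19): avc:  denied  { read } for  pid=2110 comm="ifup" name="ifcfg-eth0" dev=hda1 ino=1234 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:net_conf_t tclass=file
"""

# Header of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted and contain spaces
# (e.g. name="Macintosh HD").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a context like system_u:system_r:mount_t[:s0]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_record(line):
    """Parse one audit.log line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    rec["scontext_type"] = context_type(rec.get("scontext", ""))
    rec["tcontext_type"] = context_type(rec.get("tcontext", ""))
    return rec


def summarize_denials(log_text):
    """Group denied AVC records by (source type, target type, class).

    Returns {(stype, ttype, tclass): {"perms": set, "count": int}}.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc_record(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", "?"))
        entry = summary.setdefault(key, {"perms": set(), "count": 0})
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
    return summary


def report(log_text):
    """Render the summary as human-readable lines, one per (source, target, class)."""
    lines = []
    for (stype, ttype, tclass), entry in sorted(summarize_denials(log_text).items()):
        perms = " ".join(sorted(entry["perms"]))
        lines.append(f"{entry['count']:>3}x  {stype} -> {ttype}:{tclass} {{ {perms} }}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_LOG with open("/var/log/audit/audit.log").read()
    # on a real system (requires root).
    for line in report(SAMPLE_AUDIT_LOG):
        print(line)
```

The source type column is what answers the question in the thread: a denial logged with the init script's domain as `scontext` while the same command succeeds from the user shell confirms that the domain transition, not the command line, is what changed the policy decision.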