Hi, All!
I've come across a problem with mount on Fedora 9
--- various filesystems are mounted read-only, others fail to mount at all
due to avc denials during the system startup, e.g.:
|
| type=1400 audit(1222921979.843:4): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
| type=1400 audit(1222921979.843:5): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
| [...]
| type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
| type=1400 audit(1222921980.322:9): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
| [...]
| type=1400 audit(1222921980.331:10): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
| type=1400 audit(1222921980.331:11): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
|
But after the system startup finishes (many subsystems fail to put locks, etc.)
a manual `mount -a' does magically fix the situation and those filesystems
are remounted read-writable.
I guess the bug has been introduced in the Fedora 9 release and is still there.
It looks like boot-time selinux policies aren't generated depending on fstab,
thus handling mount point directories and mounted filesystems incorrectly.
Maybe I am mistaken, and the problem is caused by some more obscure reasons.
Of course, there are chances I am just not aware of some selinux feature
or some boolean that should be enabled to get such cases handled right.
If so, please correct me and let me know how I should configure selinux
to get rid of the problem. Thank you.
This behaviour has been displayed by a freshly installed Fedora 9,
and after `yum update' it continues malfunctioning.
My regards.
QingLong
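As an added example (not part of the post above, nor a Fedora or SELinux tool), a small Python parser that rejoins and groups the AVC records quoted in the post, so the distinct source type / permission / target type / class combinations and the affected paths can be seen at a glance before deciding whether a denial is a labeling problem or a missing policy rule. The sample records are constructed from the quoted denials.

```python
import re
from collections import defaultdict

# Constructed sample: the mounton denials quoted in the post, one record per line.
SAMPLE_AVC = """\
type=1400 audit(1222921979.843:4): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=1400 audit(1222921979.843:5): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1222921980.331:10): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""


def parse_avc(line):
    """Return the interesting fields of one AVC denial record, or None if it is not one."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    # key=value pairs; quoted values (comm, path) may contain spaces.
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": m.group(1).split(),               # a record may list several permissions
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": fields["scontext"].split(":")[2],  # type component, e.g. mount_t
        "ttype": fields["tcontext"].split(":")[2],  # type component, e.g. var_lock_t
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Group denials by (source type, permission, target type, class); count them and collect paths."""
    summary = defaultdict(lambda: {"count": 0, "paths": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            entry = summary[(rec["stype"], perm, rec["ttype"], rec["tclass"])]
            entry["count"] += 1
            if rec["path"]:
                entry["paths"].add(rec["path"])
    return dict(summary)


def format_summary(summary):
    """One line per distinct denial, e.g. '2x mount_t mounton var_lock_t:dir paths=[/var/lock]'."""
    return [f"{c['count']}x {s} {p} {t}:{cls} paths={sorted(c['paths'])}"
            for (s, p, t, cls), c in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(format_summary(summarize(SAMPLE_AVC.splitlines()))))
```

Feeding `ausearch -m avc` output through the same functions shows whether every denial targets a different directory type (pointing at labeling of the mount points) or one repeated pair.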