Odd mount behavior mounting hfsplus

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 20 13:01:36 UTC 2005


On Mon, 2005-12-19 at 17:11 -0800, Derek Poon wrote:
> Hi,
> 
> I'd like to report an odd behavior that I traced to SELinux.  To mount
> my Mac OS X partition automatically, I have the following line in
> my /etc/fstab:
>     /dev/hda3    /Macintosh\040HD   hfsplus ro  0 0
> 
> If I execute   mount '/Macintosh HD'   as root, this works fine.
> However, this mount fails during the boot process.
> 
> 
> If I execute
> (A) /etc/rc.d/init.d/netfs start
> as root, I get an error:
>     mount: cannot mount block device /dev/hda3 read-only      [FAILED]
> 
> 
> Running (A) under strace, I see
>   mount("/dev/hda3", "/Macintosh HD", "hfsplus", MS_RDONLY|MS_POSIXACL|
> MS_ACTIVE|MS_NOUSER|0xec0000, 0x10037f58) = -1 EACCES (Permission
> denied)
> 
> However, the following commands both succeed:
> 
> (B) /bin/bash /etc/rc.d/init.d/netfs start
> 
> (C) setenforce 0 ; /etc/rc.d/init.d/netfs start
> 
> 
> Obviously, (C) proves that SELinux is the culprit.  The question is,
> under SELinux, why should (B) work while (A) fails?  Since the netfs
> script has #!/bin/bash as the shebang line, shouldn't (A) and (B) be
> equivalent?

Running the init script causes a domain transition, as you want the init
script and any daemons it starts to run with a different set of
permissions than the user shell.  Running it via bash leaves it in the
caller's domain (i.e. the user shell's domain), so it runs with those
permissions.

Check your /var/log/audit/audit.log for relevant AVC messages (or
use /sbin/ausearch to search for and interpret such messages).

-- 
Stephen Smalley
National Security Agency
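An added illustration of the reply's point, not part of the original thread: the domain a process runs in shows up as the `scontext` of any AVC denial it triggers, so grouping `/var/log/audit/audit.log` records by source domain makes the difference between (A) and (B) visible at a glance. The script below is editor-written example code; the audit lines in `SAMPLE_LOG` are constructed, and the `initrc_t`, `fs_t` and `{ mount }` values in them are assumptions standing in for whatever the real denial on that system was (the thread does not say).

```python
"""Group constructed SELinux AVC denial records by source domain.

Added example, not from the mailing-list thread.  SAMPLE_LOG is constructed;
the contexts, types and permissions it contains are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# audit record header: msg=audit(<seconds.millis>:<serial>)
MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
# the AVC body: avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be quoted ("mount") or bare (hda3, contexts)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one denial from the init-script domain (case A in the
# thread) and one unrelated denial from an ordinary user domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1135037500.101:120): avc:  denied  { mount } for  pid=2311 comm="mount" name="/" dev=hda3 ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fs_t tclass=filesystem
type=SYSCALL msg=audit(1135037500.101:120): arch=40000003 syscall=21 success=no exit=-13 comm="mount" exe="/bin/mount" subj=system_u:system_r:initrc_t
type=AVC msg=audit(1135037600.202:131): avc:  denied  { read } for  pid=2400 comm="cat" name="shadow" dev=hda2 ino=1234 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""


@dataclass
class AvcDenial:
    serial: int
    perms: list
    fields: dict = field(default_factory=dict)

    def source_domain(self) -> str:
        # scontext is user:role:type[:range]; the type is the process domain
        return self.fields["scontext"].split(":")[2]

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def allow_rule(self) -> str:
        # The rule audit2allow would print for this record.  Whether the
        # access should be granted is a separate policy decision.
        return "allow %s %s:%s { %s };" % (
            self.source_domain(), self.target_type(),
            self.fields["tclass"], " ".join(self.perms))


def parse_fields(text: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_avc(line: str):
    """Return an AvcDenial for a type=AVC denial line, else None."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    hdr = MSG_RE.search(line)
    serial = int(hdr.group("serial")) if hdr else -1
    return AvcDenial(serial, m.group("perms").split(), parse_fields(m.group("rest")))


def denials_by_domain(log_text: str) -> dict:
    """Map source domain (e.g. initrc_t) -> list of denials raised from it."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            by_domain[d.source_domain()].append(d)
    return dict(by_domain)


def syscall_record(log_text: str, serial: int):
    """Find the SYSCALL record sharing an AVC's serial, as ausearch joins them."""
    for line in log_text.splitlines():
        if "type=SYSCALL" not in line:
            continue
        hdr = MSG_RE.search(line)
        if hdr and int(hdr.group("serial")) == serial:
            return parse_fields(line.split("): ", 1)[1])
    return None


if __name__ == "__main__":
    for domain, denials in denials_by_domain(SAMPLE_LOG).items():
        for d in denials:
            print("%s: %s denied %s on %s -> %s" % (
                domain, d.fields["comm"], d.perms, d.fields["tclass"], d.allow_rule()))
            sc = syscall_record(SAMPLE_LOG, d.serial)
            if sc:
                print("    syscall=%s exit=%s exe=%s" % (sc["syscall"], sc["exit"], sc["exe"]))
```

Run against a real audit.log, a denial whose `scontext` is the init-script domain but which is absent when the same script is run under the user shell is exactly the domain-transition difference the reply describes; the `allow_rule()` output is the starting point for a policy change, not a verdict that the access is safe to grant.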




More information about the fedora-selinux-list mailing list