/var/spool mount denied

QingLong qinglong at Bolizm.ihep.su
Sat Oct 4 17:56:55 UTC 2008


	Hi, All!

   I've come across a problem with mount on Fedora 9
 --- various filesystems are mounted read-only, others fail to mount at all
 due to avc denials during the system startup, e.g.:
|
| type=1400 audit(1222921979.843:4): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
| type=1400 audit(1222921979.843:5): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
[...]
| type=1400 audit(1222921980.322:8): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
| type=1400 audit(1222921980.322:9): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[...]
| type=1400 audit(1222921980.331:10): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
| type=1400 audit(1222921980.331:11): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
|
 But after the system startup finishes (many subsystems fail to put locks, etc.)
 a manual `mount -a' does magically fix the situation and those filesystems
 are remounted read-writable.

   I guess the bug has been introduced in the Fedora 9 release and is still there.
 It looks like boot time selinux policies aren't generated depending on fstab
 thus handling mount point directories and mounted filesystems incorrectly.
 Maybe I am mistaken, and the problem is caused by some more obscure reasons.

   Of course, there are chances I am just not aware of some selinux feature
 or some boolean that should be enabled to get such cases handled right.
 If so, please correct me and let me know how I should configure selinux
 to get rid of the problem. Thank you.

   This behaviour has been displayed by a freshly installed Fedora 9,
 and after `yum update' it continues malfunctioning.

   My regards.
      QingLong
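To triage denials like the ones quoted above, here is an added example (not code from the post, from Fedora or from the SELinux tools) that parses type=1400 AVC records into their fields, groups the denied `mounton` targets by source type, target type and object class, and produces the allow rule that audit2allow would propose for each group. The sample input is a constructed string containing the post's own records; the field regexes are my own, not taken from the audit package.

```python
import re

# Constructed sample, copied from the AVC records quoted in the post above.
SAMPLE_AUDIT = """\
type=1400 audit(1222921979.843:4): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=1400 audit(1222921979.843:5): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=1400 audit(1222921980.322:8): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1222921980.331:10): avc:  denied  { mounton } for  pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

# Head of a type=1400 record: timestamp:serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=\S+\s+audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value or key="quoted value" (quoted values such as path may contain spaces)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, value, inner in KV_RE.findall(m["rest"]):
        rec[key] = inner if value.startswith('"') else value
    return rec

def se_type(context):
    """Type field of a user:role:type[:level] SELinux context string."""
    return context.split(":")[2]

def summarize_denials(text, perm="mounton"):
    """Map (source type, target type, tclass) -> sorted list of paths denied `perm`.
    Repeated records for the same key and path (two per mount() call above) count once."""
    out = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or perm not in rec["perms"]:
            continue
        key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
        out.setdefault(key, set()).add(rec.get("path", "?"))
    return {k: sorted(v) for k, v in out.items()}

def missing_rule(key, perm="mounton"):
    """The allow rule audit2allow would propose for one summary key; check it
    against the intended policy (labels, booleans) before loading anything."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {perm};"
```

Running `summarize_denials(SAMPLE_AUDIT)` on the post's records yields one group per target type (var_lock_t, var_spool_t, var_run_t), each with its single mount point, which is the shape of output that makes a policy gap versus a mislabelled directory easy to tell apart.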
