[redhat-lspp] Re: Re: mount problems with latest refresh

Klaus Heinrich Kiwi klausk at br.ibm.com
Thu Dec 14 13:17:00 UTC 2006


On Thu, 14 Dec 2006 07:49:20 -0500, Stephen Smalley wrote:

> On Thu, 2006-12-14 at 09:49 -0200, Klaus Heinrich Kiwi wrote:
>> On Wed, 13 Dec 2006 18:17:02 -0500, Daniel J Walsh wrote:
>> 
>> > Any avc messages?
>>  
>> None!
>> 
>> Only this error message (which also is echoed at the machine's console):
>> 
>> SELinux:
>> security_context_to_sid("system_u:object_r:tmp_t:s0-s15:c0.c1023") failed
>> for (dev hdc, type iso9660) errno=-22
>> 
>> (error -22 = EINVAL iirc)
>> 
>> Any special audit rule that may help?
> 
> It isn't a permission denial, just an invalid context error from
> security_context_to_sid().  If you try using the same context in e.g. a
> chcon command, does it also report Invalid argument?  If so, then it is
> a policy problem - the context is illegal under the policy, e.g. one of
> the components isn't defined by the policy or the combination of them is
> not authorized by the policy.

That's what I initially thought: I'm just using an invalid context (if
this was/is the case, the error message could be a little more helpful
then, couldn't it?)

Have tried with several different contexts since then - without success.

And about the test with chcon: yes, the same context that I can
successfully label a directory with is failing when I try to use it with mount:

---------------------------
[root@beta2_20061201 mnt]# chcon system_u:object_r:tmp_t:SystemLow-SystemHigh cdrom/
[root@beta2_20061201 mnt]# echo $?; ls -lZd cdrom/
0
drwxr-xr-x  root root system_u:object_r:tmp_t:SystemLow-SystemHigh cdrom/

[root@beta2_20061201 mnt]# mount -o context=system_u:object_r:tmp_t:SystemLow-SystemHigh /dev/cdrom /mnt/cdrom/
mount: block device /dev/cdrom is write-protected, mounting read-only
SELinux: security_context_to_sid("system_u:object_r:tmp_t:s0-s15:c0.c1023") failed for (dev hdc, type iso9660) errno=-22
mount: wrong fs type, bad option, bad superblock on /dev/cdrom,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

[root@beta2_20061201 mnt]#
--------------------------

Also tried mount with 'fscontext' with the same results.

 Should I open a bug report for this (seems like a ship issue to me)?

 --Klaus
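
Added example, not part of the original message or of any SELinux tool: a small Python triage helper that parses the kernel line shown above and splits the rejected context into the components (user, role, type, MLS range) that the reply says may be undefined or not authorized in combination, so each can be checked against the loaded policy. The function names are hypothetical; the sample line is copied from the mount output in this message.

```python
import errno
import re

# Message shape as printed by the kernel in the thread above.
MSG_RE = re.compile(
    r'security_context_to_sid\("(?P<ctx>[^"]+)"\)\s+failed\s+for\s+'
    r'\(dev (?P<dev>[^,]+), type (?P<fstype>[^)]+)\)\s+errno=-(?P<errno>\d+)')

def parse_level(level):
    """'s15:c0.c1023' -> ('s15', 1024): sensitivity and number of categories."""
    sens, _, cats = level.partition(":")
    count = 0
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")      # 'c0.c1023' is a category range
        count += int((last or first)[1:]) - int(first[1:]) + 1
    return sens, count

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    fields = ctx.split(":", 3)
    if len(fields) < 3:
        raise ValueError("not a user:role:type[:range] context: %r" % ctx)
    out = dict(zip(("user", "role", "type"), fields))
    if len(fields) == 4:
        low, _, high = fields[3].partition("-")   # single level: low == high
        out["low"], out["high"] = parse_level(low), parse_level(high or low)
    return out

def triage(line):
    """Return the parsed failure, or None if the line is not this message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {"dev": m["dev"], "fstype": m["fstype"],
            "errno": errno.errorcode.get(int(m["errno"]), m["errno"]),
            "context": parse_context(m["ctx"])}

# Sample line copied from the mount output quoted in this message.
SAMPLE = ('SELinux: security_context_to_sid('
          '"system_u:object_r:tmp_t:s0-s15:c0.c1023") failed '
          'for (dev hdc, type iso9660) errno=-22')

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that the parsed range is the raw `s0-s15:c0.c1023` form the kernel reported, not the `SystemLow-SystemHigh` alias typed on the command line.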



