Bug 202525 - anaconda should label the /var mountpoint var_t if /var is a separate filesystem
Summary: anaconda should label the /var mountpoint var_t if /var is a separate filesystem
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks: FC6Target
Reported: 2006-08-14 22:03 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-24 20:09:22 UTC
Description Orion Poplawski 2006-08-14 22:03:53 UTC
Description of problem:

Posted this to fedora-devel but no takers, so here's the bug report against anaconda.

If you install FC (including FC6T2) with /var as a separate partition, you will
get lots of the following at boot:

audit(1155060024.471:4): avc:  denied  { search } for  pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir

This is because pam_console_apply is being run before /var is mounted and the
unmounted /var directory does not have the appropriate selinux context (var_t).
pam_console_apply is apparently looking for the file /var/run/console.lock.

I believe pam_console_apply is being run before /var is mounted by udev.  udev
is started before /var is mounted, and the following udev rule exists:

# cat /etc/udev/rules.d/95-pam-console.rules
ACTION=="add", SYSFS{dev}=="?*", KERNEL=="?*", RUN+="/sbin/pam_console_apply $env{DEVNAME} $env{DEVLINKS}"

Which appears to run pam_console_apply for every device, which would explain why
there are so many messages.

Now, I think the proper solution is to have anaconda properly label the /var
mount point var_t.  Indeed, putting "restorecon /var" early in rc.sysinit and
rebooting a couple times has been the favored hack to this point and does not
appear to result in any other error messages.
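As an added example (not part of this bug report, anaconda, or Fedora's init scripts), the following POSIX shell script scans audit-style AVC lines for the pattern described above: a directory denial whose target type is file_t, which is what an unlabelled mountpoint looks like before restorecon has run. The sample lines are constructed, modelled on the denial quoted in the report, and the function names are my own.

```shell
#!/bin/sh
# Added example: detect AVC denials that point at an unlabelled (file_t)
# directory, the signature of a mountpoint that was never given its proper
# SELinux type (var_t for /var in the case above).

# Constructed sample log: the first line mirrors the report's denial, the
# second is a correctly labelled target and must not be flagged.
SAMPLE_AVC='audit(1155060024.471:4): avc:  denied  { search } for  pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1155060024.480:5): avc:  denied  { read } for  pid=500 comm="syslogd" name="log" dev=hda2 ino=300 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir'

# Read AVC lines on stdin; print "<name> <target type>" for every denial
# on a directory (tclass=dir) whose target type is file_t.
unlabeled_dir_denials() {
    awk '
      /avc: +denied/ && /tclass=dir/ {
        name = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
          # name="var" -> var
          if ($i ~ /^name=/) {
            name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name)
          }
          # tcontext=user:role:type:level -> type is the third field
          if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        if (ttype == "file_t") print name, ttype
      }'
}

# Number of unlabelled-directory denials in the constructed sample.
count_unlabeled_dir_denials() {
    printf '%s\n' "$SAMPLE_AVC" | unlabeled_dir_denials | wc -l | tr -d ' '
}

# Stand-alone run: list the flagged targets from the sample.
printf '%s\n' "$SAMPLE_AVC" | unlabeled_dir_denials
```

Running it against the sample prints `var file_t`, i.e. the search on /var was denied because the directory carried the default file_t type rather than var_t. On a real host the same function can be fed from `dmesg` or /var/log/audit/audit.log; once /var is mounted, `matchpathcon /var` shows the expected context and `restorecon -v /var` applies it, which is the workaround the reporter describes.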

Comment 1 Jeremy Katz 2006-08-15 17:43:28 UTC
This is ... ugly.  But I guess we could do a hack like setting labels when going
to mount filesystems on a new install :/

Comment 2 Jeremy Katz 2006-08-24 20:09:22 UTC
Should be fixed in CVS
