Bug 211827 - LSPP: Can't mount with additional contexts
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: util-linux
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Karel Zak
QA Contact: Ben Levenson
Blocks: RHEL5LSPPCertTracker
Reported: 2006-10-23 13:10 UTC by Bastien Nocera
Modified: 2007-11-30 22:07 UTC (History)
Fixed In Version: RC1
Doc Type: Bug Fix
Last Closed: 2007-03-08 15:34:12 UTC
Links
System ID Priority Status Summary Last Updated
IBM Linux Technology Center 28423 None None None Never

Description Bastien Nocera 2006-10-23 13:10:49 UTC
# mount -o loop,context=root:object_r:root_t:s0:c1,c4 foo /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

See discussion here for more details:
https://www.redhat.com/archives/redhat-lspp/2006-October/msg00208.html

Comment 2 Karel Zak 2006-10-23 14:07:51 UTC
The patches are waiting in my INBOX, but it's a surprise for me that we expect
this change in RHEL5 GA. My plan was to add this feature to rawhide (fc7).

The patch to nfsmount.c is useless -- in RHEL5 we use a separate mount.nfs (from
the nfs-utils package) instead of the old NFS from util-linux. It means you
have to open a new IT/BZ request for nfs-utils too. (Please, assign to me --
I'll fix it in both packages.)

Comment 3 RHEL Product and Program Management 2006-10-24 18:31:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 7 Jay Turner 2006-11-14 14:09:50 UTC
QE ack for RHEL5.

Comment 8 Karel Zak 2006-11-22 00:11:57 UTC
Fixed in util-linux-2.13-0.43.1.el5, but without a change in the kernel (see bug
#211857) it is not possible to use selinux mount options at all.

Comment 9 RHEL Product and Program Management 2006-12-23 01:34:10 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.


Comment 10 Klaus Heinrich Kiwi 2007-01-03 17:11:15 UTC
Problem persists with lspp (2.6.18-1.2913.4.2.el5.lspp.59) kernel:


[root@rhel5lspp ~]# mount -v -o context="root:object_r:root_t:s0:c1,c4"
/dev/cdrom /mnt/cdrom/
mount: translated context 'root:object_r:root_t:s0:c1' to
'root:object_r:root_t:s0:c1'
mount: you didn't specify a filesystem type for /dev/cdrom
       I will try type iso9660
mount: block device /dev/cdrom is write-protected, mounting read-only
mount: translated context 'root:object_r:root_t:s0:c1' to
'root:object_r:root_t:s0:c1'
mount: wrong fs type, bad option, bad superblock on /dev/cdrom,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

(the same message above happens with/without quoting the context string)

[root@rhel5lspp ~]# rpm -q util-linux
util-linux-2.13-0.43.3.el5

please reopen the bug

Comment 11 Eric Paris 2007-01-04 21:53:14 UTC
the userspace quotation checking must be flawed since it is dropping the ,c4

are there any messages in syslog or the audit log which may be related?  I would
have expected it to mount (although incorrectly) even with the ,c4 dropped...

Comment 12 Klaus Heinrich Kiwi 2007-01-05 12:10:52 UTC
(In reply to comment #11)
> the userspace quotation checking must be flawed since it is dropping the ,c4
> 
> are there any messages in syslog or the audit log which may be related?  I would
> have expected it to mount (although incorrectly) even with the ,c4 dropped...

None! No messages are inserted in dmesg or /var/log/messages or even auditd.log.

But I must disagree with you: I would expect that the above command fails: Since
the userspace is dropping the ',c4' out of the complete context string, mount is
still probably trying to use it as one of the mount options (-o thing,thing,c4),
which is invalid, and then fails

Comment 13 Karel Zak 2007-01-05 12:59:01 UTC
(In reply to comment #10)

> [root@rhel5lspp ~]# mount -v -o context="root:object_r:root_t:s0:c1,c4"

Please, be careful with quotes on shell command line ;-) You have to use:

 mount -v -o context=\"root:object_r:root_t:s0:c1,c4\"

It works as expected:

# mount -v -o context=\"root:object_r:root_t:s0:c1,c4\",ro -t ext3 /dev/loop0
/mnt/test
mount: translated context 'root:object_r:root_t:s0:c1,c4' to
'root:object_r:root_t:s0:c1,c4'
/dev/loop0 on /mnt/test type ext3 (ro,context="root:object_r:root_t:s0:c1,c4")

# mount | grep test
/dev/loop0 on /mnt/test type ext3 (ro,context="root:object_r:root_t:s0:c1,c4")

# uname -r
2.6.18-1.2961.el5

# rpm -q util-linux
util-linux-2.13-0.43.3.el5



Comment 14 Klaus Heinrich Kiwi 2007-01-05 13:23:13 UTC
(In reply to comment #13)
> (In reply to comment #10)
> 
> > [root@rhel5lspp ~]# mount -v -o context="root:object_r:root_t:s0:c1,c4"
> 
> Please, be careful with quotes on shell command line ;-) You have to use:

I'm ashamed! Wasn't aware that mount needed the quotes itself. It's working as
expected.

 Please close the bug - thank you.

For the record: It appears that single-quotes aren't good enough (even
escaped). We _need_ to use double-quotes?

Comment 15 Karel Zak 2007-01-05 13:57:56 UTC
Yes, it's the mount command that needs to extract selinux stuff from the option
string and quotes work as a separator between normal and selinux options. 

Don't forget that "," is a generic separator for all mount options and not all
options start with <name>= (for example ro -- read-only)

  context=root:object_r:root_t:s0:c1,c4,ro

where context=root:object_r:root_t:s0:c1,c4 is selinux and ro is normal option.
So, the right format is:

  context="root:object_r:root_t:s0:c1,c4",ro

(plus escape for your shell)

I don't remember who selected double-quotes instead of single-quotes. IMHO it is
not so important. Your shell is sensitive to both.
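
The two parsing layers discussed in comments 13 and 15, as an added example that is not part of the bug report and is not util-linux code: the shell removes unescaped quotes before mount runs, and a simplified model of the option parser then splits on commas only outside double quotes. The function names are hypothetical and the inputs are constructed from the commands quoted in this thread.

```shell
#!/bin/sh
# Added example, not util-linux code. split_opts, seen_by_mount and
# orphaned_categories are hypothetical names used only here.

# Print each option of a mount -o string on its own line. A comma separates
# options only when it is outside double quotes.
split_opts() {
    s=$1 cur= inq=0
    while [ -n "$s" ]; do
        rest=${s#?}           # everything after the first character
        ch=${s%"$rest"}       # the first character itself
        s=$rest
        case $ch in
            '"') inq=$((1 - inq)); cur=$cur$ch ;;
            ,)   if [ "$inq" -eq 1 ]; then cur=$cur$ch
                 else printf '%s\n' "$cur"; cur=
                 fi ;;
            *)   cur=$cur$ch ;;
        esac
    done
    printf '%s\n' "$cur"
}

# Return one argument exactly as the invoked program receives it, that is,
# after the shell has already removed any unescaped quotes.
seen_by_mount() { printf '%s' "$1"; }

# Lint: list options that look like orphaned MLS categories (c4, c0.c1023),
# the sign that a context= value reached the parser without its quotes.
orphaned_categories() {
    split_opts "$1" | grep -E '^c[0-9]+(\.c[0-9]+)?$' || true
}

# Constructed inputs: the two quoting styles from comments 10 and 13.
plain=$(seen_by_mount context="root:object_r:root_t:s0:c1,c4",ro)
escaped=$(seen_by_mount context=\"root:object_r:root_t:s0:c1,c4\",ro)

for o in "$plain" "$escaped"; do
    printf 'argv: %s\n' "$o"
    split_opts "$o" | sed 's/^/  option: /'
    printf '  orphaned: %s\n' "$(orphaned_categories "$o")"
done
```

The unescaped form is split into three options with `c4` orphaned from the context, while the escaped form yields two options with the full MLS range intact.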


Comment 17 RHEL Product and Program Management 2007-02-08 00:19:19 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.


Comment 19 Klaus Heinrich Kiwi 2007-02-09 01:10:16 UTC
Found a regression while performing the same testcase:

[root@alex ~]# mount -vo loop,context=\"root:object_r:root_t:s0:c1,c4\",ro
disk.img mountp/
mount: translated context 'root:object_r:root_t:s0:c1,c4' to
'root:object_r:root_t:s0:c1'
mount: going to use the loop device /dev/loop0
mount: you didn't specify a filesystem type for /dev/loop0
       I will try type ext3
/root/disk.img on /root/mountp type ext3
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1")
[root@alex ~]# ls -ldZ mountp/
drwxr-xr-x  root root root:object_r:root_t:s0:c1       mountp/
[root@alex ~]# mount | grep mountp
/root/disk.img on /root/mountp type ext3
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1")
[root@alex ~]# 

please re-open the bug

Comment 20 Karel Zak 2007-02-09 07:42:43 UTC
(In reply to comment #19)
> Found a regression while performing the same testcase:
 
 ?

> mount: translated context 'root:object_r:root_t:s0:c1,c4' to
> 'root:object_r:root_t:s0:c1'

 Do you mean that root:object_r:root_t:s0:c1,c4 has been translated to
root:object_r:root_t:s0:c1 (the raw context is without 'c4') ?

Dwalsh, is it normal?



Comment 22 Daniel Walsh 2007-02-12 16:21:26 UTC
Fixed in libselinux-1.33.4-3.el5.i386.rpm 


Comment 23 Daniel Walsh 2007-02-12 19:51:23 UTC
Actually this turns out to be a mcstrans problem.

Fixed in mcstrans-0.2.2-1

Comment 24 Klaus Heinrich Kiwi 2007-02-13 12:09:40 UTC
Confirmed fix in ppc64.
package list:

[root@zaphod ~]# rpm -qa | egrep 'policy|libselinux|mcstrans'
checkpolicy-1.33.1-2.el5
mcstrans-0.2.2-1.el5
libselinux-python-1.33.4-4.el5
selinux-policy-devel-2.4.6-37.el5
libselinux-devel-1.33.4-4.el5
libselinux-1.33.4-4.el5
policycoreutils-1.33.12-4.el5
selinux-policy-mls-2.4.6-37.el5
selinux-policy-2.4.6-37.el5
selinux-policy-targeted-2.4.6-37.el5
libselinux-1.33.4-4.el5
policycoreutils-newrole-1.33.12-4.el5
[root@zaphod ~]# 

Awaiting official release to close bug

Comment 25 Steve Grubb 2007-03-07 22:56:21 UTC
Klaus, is this bug fixed in util-linux-2.13-0.44? Can this be closed?

Comment 26 Klaus Heinrich Kiwi 2007-03-08 00:04:11 UTC
(In reply to comment #25)
> Klaus, is this bug fixed in util-linux-2.13-0.44? Can this be closed?

Steve,

 everything seems fine:
[root/sysadm_r/SystemLow@bracer2 ~]# chcon -t mount_tmp_t boot.iso
[root/sysadm_r/SystemLow@bracer2 ~]# mount -vo
loop,context=\"root:object_r:root_t:s0:c1,c4\",ro boot.iso /media/cdrom/
mount: translated context 'root:object_r:root_t:s0:c1,c4' to
'root:object_r:root_t:s0:c1,c4'
mount: going to use the loop device /dev/loop0
mount: you didn't specify a filesystem type for /dev/loop0
       I will try type iso9660
/root/boot.iso on /media/cdrom type iso9660
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1,c4")
[root/sysadm_r/SystemLow@bracer2 ~]# mount
/dev/mapper/VolGroup00-LvRoot on / type ext3 (rw,user_xattr,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw,user_xattr,acl)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/VolGroup00-LvHome on /home type ext3 (rw,user_xattr,acl)
/dev/mapper/VolGroup00-LvLogs on /var/log type ext3 (rw,user_xattr,acl)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/root/boot.iso on /media/cdrom type iso9660
(ro,loop=/dev/loop0,context="root:object_r:root_t:s0:c1,c4")
[root/sysadm_r/SystemLow@bracer2 ~]# ls -lZ /media/
drwxr-sr-x  root root root:object_r:root_t:s0:c1,c4    cdrom
[root/sysadm_r/SystemLow@bracer2 ~]#  

relevant packages:
[root/sysadm_r/SystemLow@bracer2 ~]# rpm -qa | egrep
'libselinux|util-linux|kernel|mcstrans'
mcstrans-0.2.3-1.el5
libselinux-python-1.33.4-4.el5
kernel-headers-2.6.18-8.el5
kernel-2.6.18-8.el5
kernel-devel-2.6.18-8.el5
kernel-devel-2.6.18-8.el5.lspp.67
libselinux-1.33.4-4.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
util-linux-2.13-0.44.el5
kernel-2.6.18-8.el5.lspp.67


Since we already got problems with the context size, maybe it would be a good
idea to test mount against a context with a large number of categories.

I'll check if we have such testcase here.

Comment 27 Steve Grubb 2007-03-08 15:34:12 UTC
Closing this as it's believed to be fixed.

