On Mon, 2005-12-19 at 17:11 -0800, Derek Poon wrote:
> Hi,
>
> I'd like to report an odd behavior that I traced to SELinux. To mount
> my Mac OS X partition automatically, I have the following line in
> my /etc/fstab:
> /dev/hda3 /Macintosh\040HD hfsplus ro 0 0
>
> If I execute mount '/Macintosh HD' as root, this works fine.
> However, this mount fails during the boot process.
>
> If I execute
> (A) /etc/rc.d/init.d/netfs start
> as root, I get an error:
> mount: cannot mount block device /dev/hda3 read-only [FAILED]
>
> Running (A) under strace, I see
> mount("/dev/hda3", "/Macintosh HD", "hfsplus", MS_RDONLY|MS_POSIXACL|
> MS_ACTIVE|MS_NOUSER|0xec0000, 0x10037f58) = -1 EACCES (Permission
> denied)
>
> However, the following commands both succeed:
>
> (B) /bin/bash /etc/rc.d/init.d/netfs start
>
> (C) setenforce 0 ; /etc/rc.d/init.d/netfs start
>
> Obviously, (C) proves that SELinux is the culprit. The question is,
> under SELinux, why should (B) work while (A) fails? Since the netfs
> script has #!/bin/bash as the shebang line, shouldn't (A) and (B) be
> equivalent?

Running the init script causes a domain transition, as you want the init
script and any daemons it starts to run with a different set of permissions
than the user shell. Running it via bash leaves it in the caller's domain
(i.e. the user shell's domain), so it runs with those permissions.

Check your /var/log/audit/audit.log for relevant AVC messages (or use
/sbin/ausearch to search for and interpret such messages).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
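As an added illustration of the audit.log check suggested in the reply (this is not code from the thread), the script below pulls the fields that matter out of AVC denial records: the source context (whose type is the domain the process actually ran in, which is what differs between (A) and (B)), the target context, the object class and the denied permissions. The sample record is constructed for this example; it assumes the init script transitioned into Fedora's initrc_t domain and that the denied permission was mounton on the mount point directory, neither of which the thread confirms.

```shell
#!/bin/sh
# Summarise SELinux AVC denials from audit.log lines read on stdin.
# One output line per denial: comm scontext -> tcontext tclass {perms}
avc_summary() {
    awk '/avc: +denied/ {
        perms = ""; comm = ""; s = ""; t = ""; cls = ""
        # The denied permissions sit between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # Remaining fields are key=value tokens; pick the ones we need.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        printf "%s %s -> %s %s {%s}\n", comm, s, t, cls, perms
    }'
}

# Extract the type (domain) from a user:role:type[:level] context string.
# For a process this is the domain it ran in, e.g. initrc_t after the
# init-script transition versus the caller's shell domain when run via bash.
source_domain() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed sample audit.log excerpt (not a real capture): one AVC denial
# plus its SYSCALL record, which the summary ignores.
SAMPLE_AUDIT='type=AVC msg=audit(1135040000.101:42): avc:  denied  { mounton } for  pid=2143 comm="mount" path="/Macintosh HD" dev=hda1 ino=98765 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:default_t tclass=dir
type=SYSCALL msg=audit(1135040000.101:42): arch=40000003 syscall=21 success=no exit=-13 comm="mount"'

# Usage: show the denial, then the domain that was actually denied.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf 'denied domain: %s\n' "$(source_domain system_u:system_r:initrc_t)"
```

On a live system the same function can be fed with `grep avc /var/log/audit/audit.log | avc_summary`; a denial whose scontext type is the init-script domain rather than the shell's domain is the signature of the (A)-versus-(B) difference described above.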