| View previous topic :: View next topic |
| Author |
Message |
useless_it
n00b
Joined: 24 Sep 2019
Posts: 12
|
 Posted: Tue Sep 24, 2019 8:09 am Post subject: mtab: /etc is not writable; unable to create /etc/mtab |
 |
|
Hi!
I recently changed my gentoo profile from desktop to default/linux/amd64/17.1/selinux, following the SELinux Install guide from the wiki. Everything went OK, except for the mtab service failing to start (which only soft-links /etc/mtab to /proc/self/mounts apparently). I'm using the strict SELinux policy.
Labels seem ok:
| Code: | ls -Z /etc/mtab
staff_u:object_r:etc_t /etc/mtab |
and
| Code: | ls -Z /etc/init.d/mtab
system_u:object_r:initrc_exec_t /etc/init.d/mtab |
Restarting the service gives:
| Code: | rc-service mtab restart
mtab | * WARNING: you are stopping a boot service
mtab | * Updating /etc/mtab ...
mtab | * /etc is not writable; unable to create /etc/mtab [ !! ] |
SELinux and policy version:
| Code: | sec-policy/selinux-base
Latest version available: 2.20180701-r1
Latest version installed: 2.20180701-r1
sec-policy/selinux-base-policy
Latest version available: 2.20180701-r1
Latest version installed: 2.20180701-r1 |
Any ideas? |
|
| Back to top |
|
 |
guitou
Guru
Joined: 02 Oct 2003
Posts: 534
Location: France
|
| Posted: Tue Sep 24, 2019 11:37 am Post subject: |
|
|
Hello.
Don't know anything about SELinux, but at least I could tell that file /etc/mtab definitely needs to be writable: this is where system track actual mounts.
Maybe you could try and make it a link to somewhere writable...
++
Gi) |
|
| Back to top |
|
|
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
|
| Posted: Tue Sep 24, 2019 4:53 pm Post subject: |
|
|
| guitou wrote: | | but at least I could tell that file /etc/mtab definitely needs to be writable |
except that it doesn't complain that /etc/mtab is not writable  |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54834
Location: 56N 3W
|
| Posted: Tue Sep 24, 2019 5:16 pm Post subject: |
|
|
useless_it,
Welcome to gentoo.
/etc/init.d/mtab contains
| Code: | ewarn "The ${RC_SVCNAME} service will be removed in the future."
ewarn "Please change the mtab_is_file setting to no and run"
ewarn "# rc-service mtab restart"
ewarn "to create the mtab symbolic link." |
What do you have in /etc/conf.d/mtab ?
Everything should be commented out.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
useless_it
n00b
Joined: 24 Sep 2019
Posts: 12
|
| Posted: Tue Sep 24, 2019 5:19 pm Post subject: |
|
|
| guitou wrote: | Hello.
Don't know anything about SELinux, but at least I could tell that file /etc/mtab definitely needs to be writable: this is where system track actual mounts.
Maybe you could try and make it a link to somewhere writable...
++
Gi) |
Well apparently, in the scope of SELinux, no process should be allowed to write in the whole /etc dir, which seem reasonable. If I remove the check from the /etc/init.d/mtab file: | Code: |
start()
{
local rc=0
ebegin "Updating /etc/mtab"
# if ! checkpath -W /etc; then
# rc=1
# elif ! yesno ${mtab_is_file:-no}; then
if ! yesno ${mtab_is_file:-no}; then
[ ! -L /etc/mtab ] && [ -f /etc/mtab ] &&
ewarn "Removing /etc/mtab file"
einfo "Creating mtab symbolic link"
ln -snf /proc/self/mounts /etc/mtab |
The symbolic link creation fails: | Code: | rc-service mtab restart
mtab | * WARNING: you are stopping a boot service
mtab | * Caching service dependencies ... [ ok ]
mtab | * Updating /etc/mtab ...
mtab | * Creating mtab symbolic link
mtab |ln: fallo al crear el enlace simbólico '/etc/mtab': Permiso denegado |
(sorry for the localization, it says Permission denied).
It seems, then, that the issue here might be a bug in the SELinux policy. This is the relevant audit log:
| Code: | | type=AVC msg=audit(1569344802.875:1438): avc: denied { create } for pid=4012 comm="ln" name="CubIScRc" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=lnk_file permissive=0 |
|
|
| Back to top |
|
|
useless_it
n00b
Joined: 24 Sep 2019
Posts: 12
|
| Posted: Tue Sep 24, 2019 5:30 pm Post subject: |
|
|
| NeddySeagoon wrote: | useless_it,
Welcome to gentoo.
/etc/init.d/mtab contains
| Code: | ewarn "The ${RC_SVCNAME} service will be removed in the future."
ewarn "Please change the mtab_is_file setting to no and run"
ewarn "# rc-service mtab restart"
ewarn "to create the mtab symbolic link." |
What do you have in /etc/conf.d/mtab ?
Everything should be commented out. |
Everything is commented out. I do have the symlink pointing to the right path, manually recreated.
I didn't know the service file will be removed. If that's the case, this is a non-issue then. |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23093
|
| Posted: Wed Sep 25, 2019 12:50 am Post subject: |
|
|
| guitou wrote: | | Don't know anything about SELinux, but at least I could tell that file /etc/mtab definitely needs to be writable: this is where system track actual mounts. |
Definitely not. This was a questionable idea back when it was new, and it has been an actively bad idea for a long time. /etc/mtab is only accurate if mount has consistently maintained it, while /proc/self/mounts is always automatically correct (but for historical reasons, may omit some things that mount would have saved in /etc/mtab). In the presence of mount namespaces, the situation is even more complicated. | useless_it wrote: | | (sorry for the localization, it says Permission denied). |
You can override this on a per-program basis by setting LC_MESSAGES=C in the program's environment. This can be helpful if you want your system to be localized most of the time, but sometimes need an English message for posting on a forum. (You can also change the message to any non-default non-English you have installed, with the right setting of LC_MESSAGES. However, the most common interesting settings are your preferred language and English.) |
|
| Back to top |
|
|
|
Networking & Security
