Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1220
|
Posted: Tue Feb 07, 2023 9:41 am Post subject: Problem with tmpfs file systems with selinux |
|
|
Hello, yesterday I finally started to set up SELinux properly. I had disabled it before I decided to set it up properly; it wasn't my priority.
But when my system starts, it is unable to mount the tmpfs file systems.
This problem occurred when I started to add the required options for the SELinux context in my fstab file:
Code: | # <fs> <mountpoint> <type> <opts> <dump/pass>
/dev/nvme0n1p2 /boot btrfs relatime 0 2
/dev/mapper/System-Root / btrfs relatime 0 1
/dev/mapper/System-Swap none swap sw 0 0
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0 0 0
tmpfs /var/tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0 0 0 |
This is the error I have at boot time:
Code: | 07/02/2023 09:43 localmount | * Mounting local filesystems ...
07/02/2023 09:43 localmount |mount: /tmp: wrong fs type, bad option, bad superblock on tmpfs, missing codepage or helper program, or other error.
07/02/2023 09:43 localmount | dmesg(1) may have more information after failed mount system call.
07/02/2023 09:43 localmount |mount: /var/tmp: wrong fs type, bad option, bad superblock on tmpfs, missing codepage or helper program, or other error.
07/02/2023 09:43 localmount | dmesg(1) may have more information after failed mount system call.
07/02/2023 09:43 localmount | * Some local filesystem failed to mount
|
The strange thing is, if I perform a test, I don't have any error:
Code: | zohran@alienware-m17-r3 ~ $ sudo findmnt --verify --verbose
Password:
/boot
[ ] target exists
[ ] VFS options: relatime
[ ] source /dev/nvme0n1p2 exists
[ ] FS type is btrfs
/
[ ] target exists
[ ] VFS options: relatime
[ ] source /dev/mapper/System-Root exists
[ ] FS type is btrfs
none
[ ] source /dev/mapper/System-Swap exists
[ ] FS type is swap
/tmp
[ ] target exists
[ ] VFS options: rw
[ ] FS options: rootcontext=system_u:object_r:tmp_t:s0
[ ] do not check tmpfs source (pseudo/net)
[ ] do not check tmpfs FS type (pseudo/net)
/var/tmp
[ ] target exists
[ ] VFS options: rw
[ ] FS options: rootcontext=system_u:object_r:tmp_t:s0
[ ] do not check tmpfs source (pseudo/net)
[ ] do not check tmpfs FS type (pseudo/net)
Success, no errors or warnings detected |
Is it a bug?
I'm actually running permissive mode with the strict policy.
Code: | zohran@alienware-m17-r3 ~ $ id -Z
staff_u:staff_r:staff_t |
_________________ My actual project: https://github.com/Fulgurance/ISM
Ingenius Software Manager is a tool to build and manage a Linux system from scratch.
It will be able to manage a Linux installation just with a given path to the future root path |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3882
|
Posted: Tue Feb 07, 2023 10:53 am Post subject: |
|
|
In fstab remove the
in tmpfs mounts.
This is only used when selinux is in an "mls" or "mcs" policy type.
Plz post your
Code: |
/etc/selinux/config
|
Probably yours is "strict"
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1220
|
Posted: Tue Feb 07, 2023 1:08 pm Post subject: |
|
|
So I did what you said, but again at boot time, I have the same error.
My config file:
Code: | # This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=strict |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3882
|
Posted: Tue Feb 07, 2023 1:43 pm Post subject: |
|
|
Do you have something like
Code: |
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_DEVTMPFS_SAFE=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
CONFIG_TMPFS_INODE64=y
|
in your .config?
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1220
|
Posted: Wed Feb 08, 2023 4:55 pm Post subject: |
|
|
Code: | alienware-m17-r3 /home/zohran # cat /boot/config-6.1.9-gentoo | grep TMPFS
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
# CONFIG_DEVTMPFS_SAFE is not set
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
# CONFIG_TMPFS_INODE64 is not set |
Do I need to disable all the options you showed me, or a few of them?
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3882
|
Posted: Wed Feb 08, 2023 5:54 pm Post subject: |
|
|
No, you should keep them.
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1220
|
Posted: Wed Feb 08, 2023 8:47 pm Post subject: |
|
|
So do I need to enable these?
Code: | # CONFIG_DEVTMPFS_SAFE is not set
# CONFIG_TMPFS_INODE64 is not set |
Maybe it's the main problem actually?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3882
|
Posted: Wed Feb 08, 2023 8:57 pm Post subject: |
|
|
CONFIG_DEVTMPFS_SAFE
allows tmpfs to be mounted nosuid,noexec.
I am uncertain about the other one. My .config was initially created by localmodconfig.
You might wish to enable them from menuconfig.
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1220
|
Posted: Thu Feb 09, 2023 10:08 am Post subject: |
|
|
I enabled both of them. And now, in my /etc/fstab, if I remove the s0 option, it works.
Thanks!
|
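The thread ends on a mismatch between a `:s0` level in `rootcontext=` and `SELINUXTYPE=strict`, which `findmnt --verify` in the first post did not report. The script below is an added example, not code from any poster: the function names are made up here, and it assumes, as the reply above states, that only the "mls" and "mcs" policy types use a level field.

```shell
#!/bin/sh
# Added example (not from the thread): flag fstab SELinux context options whose
# level field (":s0") does not fit the policy type in the SELinux config.
# Assumption taken from the thread: only "mls" and "mcs" use a level field.
# Limitation: quoted contexts containing commas (category lists) are not handled.

# policy_type CONFIG: print SELINUXTYPE from an /etc/selinux/config-style file.
policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=\([A-Za-z0-9_-]*\).*/\1/p' "$1" | tail -n 1
}

# check_fstab_contexts FSTAB TYPE: print one line per mismatching option.
check_fstab_contexts() {
    awk -v type="$2" '
        BEGIN { mls = (type == "mls" || type == "mcs") }
        /^[ \t]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] !~ /^(context|rootcontext|fscontext|defcontext)=/) continue
                ctx = opts[i]; sub(/^[a-z]+=/, "", ctx); gsub(/"/, "", ctx)
                fields = split(ctx, parts, ":")
                if (fields < 3)
                    printf "%s %s: expected user:role:type\n", $2, opts[i]
                else if (fields > 3 && !mls)
                    printf "%s %s: level field not used by policy type %s\n", $2, opts[i], type
                else if (fields == 3 && mls)
                    printf "%s %s: no level field for policy type %s\n", $2, opts[i], type
            }
        }' "$1"
}

# Demo: SELINUXTYPE and the /tmp line are from the thread; the /var/tmp line is
# a constructed variant without the level, for comparison.
demo() {
    dir=$(mktemp -d)
    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$dir/config"
    cat > "$dir/fstab" <<'EOF'
/dev/mapper/System-Root / btrfs relatime 0 1
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0 0 0
tmpfs /var/tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t 0 0
EOF
    check_fstab_contexts "$dir/fstab" "$(policy_type "$dir/config")"
    rm -rf "$dir"
}
demo
```

On a real system the call would be `check_fstab_contexts /etc/fstab "$(policy_type /etc/selinux/config)"`; an empty result means no mismatch was found by this check.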