Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
mtab: /etc is not writable; unable to create /etc/mtab
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
useless_it
n00b
n00b


Joined: 24 Sep 2019
Posts: 12

PostPosted: Tue Sep 24, 2019 8:09 am    Post subject: mtab: /etc is not writable; unable to create /etc/mtab Reply with quote

Hi!

I recently changed my gentoo profile from desktop to default/linux/amd64/17.1/selinux, following the SELinux Install guide from the wiki. Everything went OK, except for the mtab service failing to start (which only soft-links /etc/mtab to /proc/self/mounts apparently). I'm using the strict SELinux policy.
Labels seem ok:
Code:
ls -Z /etc/mtab
staff_u:object_r:etc_t /etc/mtab

and
Code:
ls -Z /etc/init.d/mtab
system_u:object_r:initrc_exec_t /etc/init.d/mtab


Restarting the service gives:
Code:
rc-service mtab restart
mtab    | * WARNING: you are stopping a boot service
mtab    | * Updating /etc/mtab ...
mtab    | * /etc is not writable; unable to create /etc/mtab    [ !! ]


SELinux and policy version:
Code:
sec-policy/selinux-base
      Latest version available: 2.20180701-r1
      Latest version installed: 2.20180701-r1

sec-policy/selinux-base-policy
      Latest version available: 2.20180701-r1
      Latest version installed: 2.20180701-r1


Any ideas?
Back to top
View user's profile Send private message
guitou
Guru
Guru


Joined: 02 Oct 2003
Posts: 451
Location: France

PostPosted: Tue Sep 24, 2019 11:37 am    Post subject: Reply with quote

Hello.

Don't know anything about SELinux, but at least I could tell that file /etc/mtab definitely needs to be writable: this is where system track actual mounts.
Maybe you could try and make it a link to somewhere writable...

++
Gi)
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7405

PostPosted: Tue Sep 24, 2019 4:53 pm    Post subject: Reply with quote

guitou wrote:
but at least I could tell that file /etc/mtab definitely needs to be writable

except that it doesn't complain that /etc/mtab is not writable ;)
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 45390
Location: 56N 3W

PostPosted: Tue Sep 24, 2019 5:16 pm    Post subject: Reply with quote

useless_it,

Welcome to gentoo.

/etc/init.d/mtab contains
Code:
                ewarn "The ${RC_SVCNAME} service will be removed in the future."
                ewarn "Please change the mtab_is_file setting to no and run"
                ewarn "# rc-service mtab restart"
                ewarn "to create the mtab symbolic link."


What do you have in /etc/conf.d/mtab ?
Everything should be commented out.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
useless_it
n00b
n00b


Joined: 24 Sep 2019
Posts: 12

PostPosted: Tue Sep 24, 2019 5:19 pm    Post subject: Reply with quote

guitou wrote:
Hello.

Don't know anything about SELinux, but at least I could tell that file /etc/mtab definitely needs to be writable: this is where system track actual mounts.
Maybe you could try and make it a link to somewhere writable...

++
Gi)


Well apparently, in the scope of SELinux, no process should be allowed to write in the whole /etc dir, which seem reasonable. If I remove the check from the /etc/init.d/mtab file:
Code:

start()
{
        local rc=0
        ebegin "Updating /etc/mtab"
#       if ! checkpath -W /etc; then
#               rc=1
#       elif ! yesno ${mtab_is_file:-no}; then
        if ! yesno ${mtab_is_file:-no}; then
                [ ! -L /etc/mtab ] && [ -f /etc/mtab ] &&
                        ewarn "Removing /etc/mtab file"
                einfo "Creating mtab symbolic link"
                ln -snf /proc/self/mounts /etc/mtab

The symbolic link creation fails:
Code:
rc-service mtab restart
mtab              | * WARNING: you are stopping a boot service
mtab              | * Caching service dependencies ...                                                                                                                                    [ ok ]
mtab              | * Updating /etc/mtab ...
mtab              | * Creating mtab symbolic link
mtab              |ln: fallo al crear el enlace simbólico '/etc/mtab': Permiso denegado

(sorry for the localization, it says Permission denied).

It seems, then, that the issue here might be a bug in the SELinux policy. This is the relevant audit log:
Code:
type=AVC msg=audit(1569344802.875:1438): avc:  denied  { create } for  pid=4012 comm="ln" name="CubIScRc" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=lnk_file permissive=0
Back to top
View user's profile Send private message
useless_it
n00b
n00b


Joined: 24 Sep 2019
Posts: 12

PostPosted: Tue Sep 24, 2019 5:30 pm    Post subject: Reply with quote

NeddySeagoon wrote:
useless_it,

Welcome to gentoo.

/etc/init.d/mtab contains
Code:
                ewarn "The ${RC_SVCNAME} service will be removed in the future."
                ewarn "Please change the mtab_is_file setting to no and run"
                ewarn "# rc-service mtab restart"
                ewarn "to create the mtab symbolic link."


What do you have in /etc/conf.d/mtab ?
Everything should be commented out.


Everything is commented out. I do have the symlink pointing to the right path, manually recreated.

I didn't know the service file will be removed. If that's the case, this is a non-issue then.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15294

PostPosted: Wed Sep 25, 2019 12:50 am    Post subject: Reply with quote

guitou wrote:
Don't know anything about SELinux, but at least I could tell that file /etc/mtab definitely needs to be writable: this is where system track actual mounts.
Definitely not. This was a questionable idea back when it was new, and it has been an actively bad idea for a long time. /etc/mtab is only accurate if mount has consistently maintained it, while /proc/self/mounts is always automatically correct (but for historical reasons, may omit some things that mount would have saved in /etc/mtab). In the presence of mount namespaces, the situation is even more complicated.
useless_it wrote:
(sorry for the localization, it says Permission denied).
You can override this on a per-program basis by setting LC_MESSAGES=C in the program's environment. This can be helpful if you want your system to be localized most of the time, but sometimes need an English message for posting on a forum. (You can also change the message to any non-default non-English you have installed, with the right setting of LC_MESSAGES. However, the most common interesting settings are your preferred language and English.)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum