For a long time I had been running Fedora with SELinux disabled. Since SELinux seems to be recommended to be running, in targeted mode, for desktop use, I decided to enable it. I set it to enforcing and targeted mode. After I rebooted my system, there was a lengthy filesystem relabeling. After it completed, the boot failed because of a failed mount service: the system entered emergency mode and prompted me for the administrator password. The filesystem that failed to mount was this fstab entry:
/dev/disk/by-label/Acer /run/media/user/Acer/ ntfs uid=1000,gid=1000,umask=003,auto 0 0
I was able to mount the partition successfully with
# mkdir -p /run/media/user/Acer ; and mount /dev/disk/by-label/Acer /run/media/user/Acer -t ntfs -o uid=1000,gid=1000,umask=003
I set SELinux to permissive mode, rebooted the system and it booted successfully, with the NTFS partition mounted.
I read about SELinux Labels on the Gentoo Wiki. I then checked the SELinux Label of the mounted filesystem:
$ ls -lZ /run/media/user/
drwxrwxr--. 1 user user system_u:object_r:fusefs_t:s0 12288 2017-01-22 10:11 Acer/
# getsebool fusefs_t
Error getting active value for fusefs_t
# grep -E 'mount|ntfs|fstab|fusefs_t' /var/log/audit/audit.log
The output of the grep command is empty, and
audit2why --all
shows no errors.
$ mount | grep /run/media/user/
/dev/sda3 on /run/media/user/Acer type fuseblk (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096)
The reason I use /run/media is that when I installed Fedora, I used KDE and Dolphin, and it mounted my NTFS partition (labeled Acer) in the /run/media/ directory. I wanted to be able to use it without having to manually mount it every time, so I added the fstab entry emulating the same path Dolphin was using (or udisksctl).
A similar problem with Samba was fixed with setsebool -P samba_share_fusefs=1. However, I am not using Samba and getsebool for fusefs_t fails, so I am not sure if I should use either of them. Do I need to add a context to the fstab mount entry so it ignores the NTFS filesystem?
In addition to the SELinux problem, is my approach here wrong? Is it considered harmful to use the /run/media/ directory for fstab entries? Is there a more idiomatic approach to auto mount user data filesystems that are meant to be used only as media storage? Is the approach in this answer better practice?
Update: I worked around this problem by first creating a /mnt/Acer/ directory and then changing the fstab entry to
/dev/disk/by-label/Acer /mnt/Acer/ ntfs uid=1000,gid=1000,umask=003,auto 0 0
What does `mount | grep /run/media/user` show? You should consider mounting the media as `mount -t ntfs /dev/disk/by-label/Acer /media/storage -o context=system_u:object_r:user_home_t:s0` and see if that works. – Patrick May 23 '17 at 20:37
I added the output of `mount | grep /run/media/user` to the question. I changed the context to `system_u:object_r:user_home_t:s0` but it did not work. The only thing that worked was mounting to an existing directory - first creating a /mnt/Acer/ directory, then pointing the fstab entry to it. – Bob May 28 '17 at 16:58
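The following is an added example, not code from the question or from the comments above. It takes the fstab entry from the question as constructed input and checks the three things this thread touches: whether the mount point sits on a tmpfs that is empty at early boot (the /run versus /mnt difference from the update), whether the NTFS mount carries a mount-wide SELinux context (Patrick's context= suggestion; fuseblk stores no xattr labels, so the whole mount gets one label, fusefs_t by default), and whether a media disk can take the boot down with it. It then emits a rewritten entry. The mount point /mnt/Acer and the context system_u:object_r:user_home_t:s0 are taken from the thread; the nofail option and the tmpfs prefix list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. Composes and
# sanity-checks an fstab entry for an NTFS data partition on an SELinux host.
# Assumptions: classic six-field fstab lines; /run, /tmp and /dev are tmpfs
# that start empty at boot (true on Fedora), so a mount point created there
# in one session does not exist when fstab is processed in the next.
set -eu

# Constructed input: the entry from the question, verbatim.
ORIG_ENTRY='/dev/disk/by-label/Acer /run/media/user/Acer/ ntfs uid=1000,gid=1000,umask=003,auto 0 0'

# field ENTRY N -> prints fstab field N (1=device 2=mountpoint 3=fstype 4=options)
field() { printf '%s\n' "$1" | awk -v n="$2" '{print $n}'; }

# volatile_mountpoint PATH -> 0 if PATH lies under a boot-time tmpfs.
# Static prefix check only; it does not consult the running system.
volatile_mountpoint() {
  case "${1%/}" in
    /run|/run/*|/tmp|/tmp/*|/dev|/dev/*) return 0 ;;
    *) return 1 ;;
  esac
}

# has_opt OPTS NAME -> 0 if the comma-separated OPTS contains NAME or NAME=value
has_opt() { printf '%s\n' "$1" | tr ',' '\n' | grep -q -x -E "$2(=.*)?"; }

# lint_entry ENTRY -> prints one finding per line (none when the entry is clean)
lint_entry() {
  mp=$(field "$1" 2); fstype=$(field "$1" 3); opts=$(field "$1" 4)
  if volatile_mountpoint "$mp"; then
    echo "mountpoint $mp is on a boot-time tmpfs; use a persistent directory such as /mnt"
  fi
  if [ "$fstype" = ntfs ] || [ "$fstype" = ntfs-3g ]; then
    # fuseblk has no xattr labels: without context= every file is fusefs_t
    has_opt "$opts" context || echo "no context= option: whole mount is labelled fusefs_t"
  fi
  has_opt "$opts" nofail || echo "no nofail: a failed mount drops the boot into emergency mode"
}

# harden_entry ENTRY MOUNTPOINT CONTEXT -> prints the entry rewritten to mount
# at MOUNTPOINT (a directory on the root fs, e.g. /mnt/Acer), to label the
# whole mount with CONTEXT via context=, and to add nofail so an absent or
# unmountable media disk only logs an error. Existing options are kept.
harden_entry() {
  entry=$1; mp=${2%/}; ctx=$3
  opts=$(field "$entry" 4)
  has_opt "$opts" context || opts="$opts,context=$ctx"
  has_opt "$opts" nofail  || opts="$opts,nofail"
  printf '%s %s %s %s 0 0\n' "$(field "$entry" 1)" "$mp" "$(field "$entry" 3)" "$opts"
}

# Demonstration on the constructed entry from the question.
echo "findings for: $ORIG_ENTRY"
lint_entry "$ORIG_ENTRY"
echo "proposed replacement:"
harden_entry "$ORIG_ENTRY" /mnt/Acer system_u:object_r:user_home_t:s0

# On the live host, after rebooting with the new entry, confirm with:
#   ls -dZ /mnt/Acer          label the mount actually received
#   ausearch -m AVC -ts boot  denials since boot, including early ones
#   seinfo -t fusefs_t        fusefs_t is a type, not a boolean, which is
#                             why "getsebool fusefs_t" reports an error
```

The context value is written unquoted because it contains only colons; a value containing commas would need mount's `context="..."` quoting. The lint is static on purpose: it can be run on a copy of /etc/fstab from a host that is currently stuck in emergency mode.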