[systemd-devel] automount EFI system partition to /efi fails

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Apr 25 08:10:17 UTC 2018


On Wed, Apr 25, 2018 at 07:48:13AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Apr 24, 2018 at 06:47:24PM -0600, Chris Murphy wrote:
> > https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/
> > *The ESP used for the current boot is automatically mounted to /efi (or
> > /boot as fallback),*
> > 
> > systemd-238-7.fc28.1.x86_64
> > 
> > I've commented out the /boot/efi entry in /etc/fstab and rebooted, but the ESP
> > doesn't get mounted to /efi or /boot or /boot/efi.
> 
> gpt-auto-generator cannot mount anything to a nested directory,
> because when it's running the outer mount (/boot in this case) will
> not be done yet, hence it cannot check if /boot/efi is a directory. So
> by design it will only consider /efi and /boot as the targets.
>  
> > Full journal with systemd.log_level=debug.
> > https://drive.google.com/open?id=1b4Lfd0HurX4Z68T1jAHYMC0wy51tQwtk
> > 
> > I get a couple of confusing items:
> > 
> > [    3.971099] f28h.local systemd-gpt-auto-generator[476]: /efi already
> > populated, ignoring.
> > [    4.102022] f28h.local audit[476]: AVC avc:  denied  { read } for
> >  pid=476 comm="systemd-gpt-aut" name="efi" dev="nvme0n1p9" ino=3999777
> > scontext=system_u:system_r:systemd_gpt_generator_t:s0
> > tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
> > 
> > 
> > It's definitely empty. But maybe it's due to the avc. chcon fails to set
> > the type to systemd_gpt_generator_t which itself gives me an avc.
> 
> It's possible that this is the cause. From the AVC we don't see the name,
> but we know it's a directory and read() fails on it. Failure to list the
> directory will cause gpt-auto-generator to consider the directory busy,
> which would lead to the "/efi already populated" message.

https://github.com/systemd/systemd/pull/8812 has a patch to improve
logging in this case.

Zbyszek

> > Apr 24 18:42:49 f28h.local audit[4486]: AVC avc:  denied  { relabelto } for
> >  pid=4486 comm="chcon" name="efi" dev="nvme0n1p9" ino=3999777
> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:systemd_gpt_generator_t:s0 tclass=dir
> > permissive=0
> > 
> > 
> > Next
> > 
> > 
> > [    6.291607] f28h.local systemd[715]: Followed symlinks /efi → /efi.
> > [    6.291643] f28h.local systemd[715]: Applying namespace mount on /efi
> > [    6.291671] f28h.local systemd[715]: Successfully mounted /efi to /efi
> > [    6.294820] f28h.local systemd[715]: Remounted /efi read-only.
> > [    6.314602] f28h.local systemd[715]: Remounted /sys/firmware/efi/efivars
> > read-only.
> 
> It looks like /efi does get mounted. What mounted it?
> 
> Zbyszek

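As an added illustration of the diagnosis in this thread (it is not code from the thread or from systemd), the following Python script does two things: it parses AVC audit records like the two quoted above into their fields, so the denied permission, the source domain and the target type can be read off directly, and it classifies a directory the way the explanation of the "/efi already populated" message implies, treating a directory that cannot be listed as indistinguishable from a populated one. The sample lines are the thread's own AVC lines re-joined onto single lines; the function names and the summary format are this example's own choices.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Matches "AVC avc: denied { read } for ..." and captures decision, permissions, tail.
_AVC_RE = re.compile(r'AVC\s+avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
# Matches key=value pairs in the tail; values may be quoted or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two AVC records quoted in the thread, wrapped lines joined back together.
SAMPLE_AVC_LINES: List[str] = [
    '[    4.102022] f28h.local audit[476]: AVC avc:  denied  { read } for '
    'pid=476 comm="systemd-gpt-aut" name="efi" dev="nvme0n1p9" ino=3999777 '
    'scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0',
    'Apr 24 18:42:49 f28h.local audit[4486]: AVC avc:  denied  { relabelto } for '
    'pid=4486 comm="chcon" name="efi" dev="nvme0n1p9" ino=3999777 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:systemd_gpt_generator_t:s0 tclass=dir permissive=0',
]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one journal/audit line carrying an AVC record.

    Returns None for lines that are not AVC records (e.g. the generator's own
    "/efi already populated" message), otherwise a dict with the decision,
    the list of permissions inside the braces, and the key=value fields.
    """
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(m.group(3)):
        fields[key] = quoted if quoted else bare
    return {"decision": m.group(1), "perms": m.group(2).split(), "fields": fields}


def context_type(ctx: str) -> str:
    """Return the type component (third field) of a SELinux context string."""
    return ctx.split(":")[2]


def summarize(record: dict) -> str:
    """One-line human summary: which domain was denied what on which object type."""
    f = record["fields"]
    return "{} was {} {} on {} '{}' (target type {})".format(
        context_type(f["scontext"]),
        record["decision"],
        ",".join(record["perms"]),
        f.get("tclass", "?"),
        f.get("name", "?"),
        context_type(f["tcontext"]),
    )


def dir_state(path: str) -> str:
    """Classify a candidate mount point.

    Mirrors the behaviour described in the thread: when the directory cannot be
    listed, the caller cannot tell it apart from a populated one and will treat
    it as busy, which is what a read denial on /efi produces.
    """
    try:
        entries = os.listdir(path)
    except PermissionError:
        return "unreadable"
    except FileNotFoundError:
        return "missing"
    return "populated" if entries else "empty"


def demo_dir_states() -> Dict[str, str]:
    """Exercise dir_state() on constructed temporary directories."""
    with tempfile.TemporaryDirectory() as base:
        empty = os.path.join(base, "efi_empty")
        os.mkdir(empty)
        full = os.path.join(base, "efi_full")
        os.mkdir(full)
        open(os.path.join(full, "EFI"), "w").close()
        return {
            "empty": dir_state(empty),
            "populated": dir_state(full),
            "missing": dir_state(os.path.join(base, "efi_absent")),
        }


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        rec = parse_avc(line)
        if rec:
            print(summarize(rec))
    print(demo_dir_states())
```

Running it prints one summary per AVC record; the first one reads that systemd_gpt_generator_t was denied read on a dir named efi whose type is default_t, which is exactly the condition under which dir_state() returns "unreadable" rather than "empty". The chcon record shows the second half of the problem: the unconfined user domain is not allowed to relabel the directory to systemd_gpt_generator_t either, so the fix lies in the policy or in a type the generator is allowed to read, not in chcon.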