[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Another mount issue



Paul Howarth wrote:
On my file/web/samba/nfs server I have a software archive, which I serve
out using both samba and httpd. So the whole thing as
public_content_rw_t, and the appropriate boolean set so that samba can
write to it.

On the software archive I have DVD ISO images of FC4 and FC5. I have
fstab entries for these to loopback mount them as follows:

/srv/softlib/fedora/stentz/FC4-i386-DVD.iso /srv/softlib/fedora/stentz/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0

/srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0

Unfortunately the mount won't work at boot time because mount is
confined to the mount_t domain, which can't read public_content_rw_t:

Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc:  denied
{ read } for  pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
ino=1032205 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file

Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc:  denied
{ read } for  pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
ino=606259 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:public_content_rw_t:s0 tclass=file

A "mount -a" after booting works fine as it then runs unconfined.

Is this something that should be generally allowed or should I just
write local policy to fix this?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Adding boolean allow_mount_anyfile, to handle these situations.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]