Another mount issue

Daniel J Walsh dwalsh at redhat.com
Wed May 3 17:23:32 UTC 2006


Paul Howarth wrote:
> On my file/web/samba/nfs server I have a software archive, which I serve
> out using both samba and httpd. So the whole thing is
> public_content_rw_t, and the appropriate boolean set so that samba can
> write to it.
>
> On the software archive I have DVD ISO images of FC4 and FC5. I have
> fstab entries for these to loopback mount them as follows:
>
> /srv/softlib/fedora/stentz/FC4-i386-DVD.iso /srv/softlib/fedora/stentz/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
>
> /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
>
> Unfortunately the mount won't work at boot time because mount is
> confined to the mount_t domain, which can't read public_content_rw_t:
>
> Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc:  denied
> { read } for  pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
> ino=1032205 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
>
> Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc:  denied
> { read } for  pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
> ino=606259 scontext=system_u:system_r:mount_t:s0
> tcontext=root:object_r:public_content_rw_t:s0 tclass=file
>
> A "mount -a" after booting works fine as it then runs unconfined.
>
> Is this something that should be generally allowed or should I just
> write local policy to fix this?
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Adding boolean allow_mount_anyfile, to handle these situations.
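As an added illustration (not part of the thread above, and not policy from Fedora or the SELinux reference policy), the following Python script parses AVC denial lines like the two Paul quoted, groups them by source type, target type, object class and permission, and renders the minimal allow rule a local policy module would need, which is the "write local policy" option he asks about. The sample log is constructed from the two denials in the message, kept in the wrapped form the archive shows; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the two AVC denials quoted in the thread. The mail
# archive wraps each kernel line across several lines, so the sample keeps
# that shape and rejoin_wrapped() restores one record per line.
SAMPLE_LOG = """\
Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc:  denied
{ read } for  pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
ino=1032205 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file

Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc:  denied
{ read } for  pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
ino=606259 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:public_content_rw_t:s0 tclass=file
"""

# A new record starts with a syslog timestamp such as "Apr 21 08:40:21".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def rejoin_wrapped(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return a dict for one AVC record, or None if it is not an AVC message."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split(), **fields}
    # A context is user:role:type[:level]. Policy rules key on the type, which is
    # the same for both denials even though the SELinux user differs on the two
    # ISO files (system_u on one, root on the other).
    for key in ("scontext", "tcontext"):
        if key in rec:
            parts = rec[key].split(":")
            rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize_denials(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for record in rejoin_wrapped(text):
        rec = parse_avc(record)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


def local_policy_rules(text):
    """Render the minimal TE allow rules a local policy module would need,
    one per distinct source/target/class triple with the denied permissions merged."""
    merged = {}
    for (src, tgt, cls, perm) in summarize_denials(text):
        merged.setdefault((src, tgt, cls), set()).add(perm)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, key)
    print("\n".join(local_policy_rules(SAMPLE_LOG)))
```

Running it on the sample collapses both denials into a single rule, `allow mount_t public_content_rw_t:file { read };`, which is the same shape audit2allow would emit for these lines. Grouping by type rather than by file name is the point of the summary: it shows that one rule (or, as Dan says, one boolean) covers every ISO labelled the same way, and it keeps a local module from accumulating one rule per file.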