[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: SE Linux preventing mounting an iso on FC5 through nfs
- From: Stephen Smalley <sds tycho nsa gov>
- To: Matthew Shapiro <mshapiro mail ucf edu>
- Cc: fedora-selinux-list redhat com
- Subject: Re: SE Linux preventing mounting an iso on FC5 through nfs
- Date: Thu, 11 Jan 2007 16:26:55 -0500
On Thu, 2007-01-11 at 16:04 -0500, Matthew Shapiro wrote:
> >>> Stephen Smalley <sds tycho nsa gov> 01/11/07 3:07 PM >>>
> >audit2allow -M local < /var/log/messages
> >semodule -i local.pp
>
> Wow that makes life simple. Thanks a lot!
>
> >Did you look at the Fedora SELinux FAQ and wiki pages?
> >http://fedora.redhat.com/docs/selinux-faq-fc5/
> >http://fedoraproject.org/wiki/SELinux/
>
> Actually I did not know about these (the HOWTO's I found was a policy
> HOWTO and a general (focused on debian) SELinux introduction). This
> look like great resources though.
>
> > Are you actually using strict policy? It isn't the default in Fedora.
>
> Ah that explains it. I actually got confused with the versions
> (installed the strict src from fc3 by accident, targeted wouldn't
> install) and that explains why my last attempt didn't work. I
> confirmed and it is setup to use targeted. Though the loadable modules
> that I now know about make doing this much easier anyways.
>
> >nfs_t is a file type, not a process domain, and you want to allow
> >mount_t to read nfs_t:file, not transition into it.
>
> Gotcha. From the documentation I read it made it seem like the _t
> denoted a domain. Guess I have some more reading to do to fully
> understand everything that is going on.
A domain is just a kind of type, specifically a process type. SELinux
collapses the two concepts together.
--
Stephen Smalley
National Security Agency
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]