Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

David bouncingcats at gmail.com
Tue May 5 15:56:42 UTC 2009


I'm attempting to mount a loop device (a ro file) at boot using fstab.
My fstab entry works fine from the command line, but it fails at boot
time due to a selinux avc error. I assume this is due to incorrect
file context. The file is under a nonstandard top level directory, so
I need to specifically assign it the correct file context, which I
would do if I could figure out what it ought to be.

Where do I look on the system to discover what is the correct file
context required by mount at boot time?

The file and context are:
$ ls -lZ /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
-r--r-----  root share unconfined_u:object_r:default_t:s0 /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

The fstab line is:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso	/mnt/Fedora-09-i386-DVD	iso9660	loop,ro,gid=share	0 0

The command line that works is:
# mount /mnt/Fedora-09-i386-DVD

The boot-time error messages are:
Mounting local filesystems:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied [FAILED]
Mounting other filesystems:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied [FAILED]

The dmesg error is:
type=1400 audit(1241535886.437:4): avc:  denied  { read } for pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 scontext=system_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

My selinux policy is:
# rpm -qa 'selinux-policy-targeted*'
selinux-policy-targeted-3.3.1-132.fc9.noarch

My selinux status is:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted

My os is:
# uname -r
2.6.25-14.fc9.i686

I have the following boolean unset because I wish to utilise selinux
file context to restrict which files can be mounted:
# getsebool allow_mount_anyfile
allow_mount_anyfile --> off

Interestingly, I did discover that the following command allows
subsequent boot-time mounts to succeed:
# chcon -t mount_exec_t /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

But I am unsure whether this is the correct solution.

Where do I look on the system to discover what is the correct file
context required by mount at boot time?
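Added example, not part of the original post: a small POSIX shell script that picks apart an AVC denial like the one quoted above (source domain, target type, class, permission) and prints the persistent relabel commands for the backing file of a loop entry in fstab. The point it makes is the caveat behind the chcon experiment: chcon changes only the inode's current label, and a later restorecon or a full relabel puts default_t back, whereas semanage fcontext records the rule so restorecon applies it. The function names (avc_field, avc_perms, context_type, avc_summary, fstab_loop_source, suggest_relabel) are this example's own. The target type mount_loopback_t is an assumption: it is the reference-policy type for loopback-mounted files, but whether the installed policy has it and whether mount_t may read it must be checked locally with seinfo and sesearch as noted in the comments.

```sh
#!/bin/sh
# Added example (not from the original post): pick apart an SELinux AVC
# denial like the one quoted in the post and turn it into a persistent
# relabel. chcon only changes the inode's current label; a later
# restorecon or full relabel puts the default back. semanage fcontext
# records the rule so restorecon applies it.

# Constructed input: the denial from the post, joined onto one line.
AVC_LINE='type=1400 audit(1241535886.437:4): avc:  denied  { read } for pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 scontext=system_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# Constructed input: the post's fstab entry (tabs replaced by spaces).
FSTAB_LINE='/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso /mnt/Fedora-09-i386-DVD iso9660 loop,ro,gid=share 0 0'

# avc_field LINE KEY: value of KEY=... in the denial, quotes stripped.
# The leading whitespace anchor keeps "tcontext" from matching "scontext".
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\\([^[:space:]]*\\).*/\\1/p" | tr -d '"'
}

# avc_perms LINE: the permissions inside "{ ... }", e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# context_type CONTEXT: the type field (third of user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line human reading of the denial, e.g.
# "mount_t (mount) denied read on file type default_t".
avc_summary() {
    printf '%s (%s) denied %s on %s type %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_field "$1" comm)" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# fstab_loop_source FSTAB_LINE: print the backing file of a loop mount,
# nothing for other entries. Fields are whitespace separated; the fourth
# is the option list.
fstab_loop_source() {
    printf '%s\n' "$1" | awk '$4 ~ /(^|,)loop(,|$)/ { print $1 }'
}

# suggest_relabel PATH TYPE: commands that label PATH as TYPE persistently.
# TYPE must be one the denied domain may read under the installed policy;
# check with, for example: sesearch --allow -s mount_t -c file -p read
suggest_relabel() {
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$1"
    printf "restorecon -v '%s'\n" "$1"
}

# Demo on the constructed denial and fstab entry.
avc_summary "$AVC_LINE"
src=$(fstab_loop_source "$FSTAB_LINE")
# mount_loopback_t is the reference-policy type for loopback-mounted files.
# Assumed here; confirm it exists locally with: seinfo -t mount_loopback_t
if [ -n "$src" ]; then
    suggest_relabel "$src" mount_loopback_t
fi
```

Run it as-is to see the summary and the two suggested commands; nothing is executed against the system, so the output can be reviewed before any label is changed. Feeding a real denial through avc_summary is also a quick way to confirm that the failing domain is mount_t and not, say, the init script.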
