[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]



David wrote:
> I'm attempting to mount a loop device (a ro file) at boot using fstab.
> My fstab entry works fine from the command line, but it fails at boot
> time due to a selinux avc error. I assume this is due to incorrect
> file context. The file is under a nonstandard top level directory, so
> I need to specifically assign it the correct file context, which I
> would do if I could figure out what it ought to be.
>   

mount_loopback_t.

The reason why

cat /etc/selinux/targeted/contexts/files/file_contexts | grep mount

did not give the answer is because there are no files installed by
default with that label.


> Where do I look on the system to discover what is the correct file
> context required by mount at boot time?
>   

[Disclaimer: the commands below were run on a F10 box.  Try them on your
box to verify.]

Method 1:  use the sesearch command to find rules in the policy.

# yum install setools-console
# man sesearch
# sesearch -A -s mount_t -c file -p read  |  grep loop
allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;
#

If you leave off the "grep loop" you get a much longer list of things
mount_t is allowed to read, but you can still find mount_loopback_t, 
sorting the list helps.



Method 2:  look at the refpolicy source.

# yum install yum-utils
# cd ~
# yumdownloader --source selinux-policy
# rpm -i selinux-policy-*.src.rpm
# cd rpmbuild/SOURCES
# tar ztf serefpolicy-3.5.13.tgz | grep mount
serefpolicy-3.5.13/policy/modules/services/automount.fc
serefpolicy-3.5.13/policy/modules/services/automount.te
serefpolicy-3.5.13/policy/modules/services/automount.if
serefpolicy-3.5.13/policy/modules/system/mount.fc
serefpolicy-3.5.13/policy/modules/system/mount.if
serefpolicy-3.5.13/policy/modules/system/mount.te
# tar zxf serefpolicy-3.5.13.tgz  --wildcards --no-anchored '*/mount.te'
# grep loop serefpolicy-3.5.13/policy/modules/system/mount.te
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
allow mount_t mount_loopback_t:file read_file_perms;
#

Again, if you didn't know to grep for "loop" you could read the whole
.te file.  The three lines above all appear on the first page of the file.


Method 3: browse the refpolicy source online:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/system/mount.te

 


-- 
Eamon Walsh <ewalsh tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]