Another mount issue
Paul Howarth
paul at city-fan.org
Thu Jun 8 10:10:02 UTC 2006
Daniel J Walsh wrote:
> Paul Howarth wrote:
>> On my file/web/samba/nfs server I have a software archive, which I serve
>> out using both samba and httpd. So the whole thing as
>> public_content_rw_t, and the appropriate boolean set so that samba can
>> write to it.
>>
>> On the software archive I have DVD ISO images of FC4 and FC5. I have
>> fstab entries for these to loopback mount them as follows:
>>
>> /srv/softlib/fedora/stentz/FC4-i386-DVD.iso
>> /srv/softlib/fedora/stentz/dvd iso9660
>> ro,loop,fscontext=system_u:object_r:public_content_t 0 0
>>
>> /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso
>> /srv/softlib/fedora/bordeaux/dvd iso9660
>> ro,loop,fscontext=system_u:object_r:public_content_t 0 0
>>
>> Unfortunately the mount won't work at boot time because mount is
>> confined to the mount_t domain, which can't read public_content_rw_t:
>>
>> Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc: denied
>> { read } for pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
>> ino=1032205 scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
>>
>> Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc: denied
>> { read } for pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
>> ino=606259 scontext=system_u:system_r:mount_t:s0
>> tcontext=root:object_r:public_content_rw_t:s0 tclass=file
>>
>> A "mount -a" after booting works fine as it then runs unconfined.
>>
>> Is this something that should be generally allowed or should I just
>> write local policy to fix this?
>>
> Adding boolean allow_mount_anyfile, to handle these situations.
It now gets denied in a different way:
type=AVC msg=audit(1149761176.924:18354): avc: denied { mounton } for
pid=10977 comm="mount" name="dvd" dev=dm-5 ino=1032207
scontext=root:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1149761176.924:18354): arch=40000003 syscall=21
success=no exit=-13 a0=a002ab0 a1=a002ac0 a2=9ffefc0 a3=c0ed0001 items=1
pid=10977 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="mount" exe="/bin/mount"
type=AVC_PATH msg=audit(1149761176.924:18354):
path="/srv/softlib/fedora/stentz/dvd"
type=CWD msg=audit(1149761176.924:18354): cwd="/"
type=PATH msg=audit(1149761176.924:18354): item=0
name="/srv/softlib/fedora/stentz/dvd" flags=1 inode=1032207 dev=fd:05
mode=040755 ouid=503 ogid=503 rdev=00:00
Paul.
More information about the fedora-selinux-list
mailing list