Another mount issue

Paul Howarth paul at city-fan.org
Thu Jun 8 10:10:02 UTC 2006


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> On my file/web/samba/nfs server I have a software archive, which I serve
>> out using both samba and httpd. So the whole thing is
>> public_content_rw_t, and the appropriate boolean set so that samba can
>> write to it.
>>
>> On the software archive I have DVD ISO images of FC4 and FC5. I have
>> fstab entries for these to loopback mount them as follows:
>>
>> /srv/softlib/fedora/stentz/FC4-i386-DVD.iso /srv/softlib/fedora/stentz/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
>>
>> /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
>>
>> Unfortunately the mount won't work at boot time because mount is
>> confined to the mount_t domain, which can't read public_content_rw_t:
>>
>> Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc:  denied  { read } for  pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5 ino=1032205 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
>>
>> Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc:  denied  { read } for  pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5 ino=606259 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:public_content_rw_t:s0 tclass=file
>>
>> A "mount -a" after booting works fine as it then runs unconfined.
>>
>> Is this something that should be generally allowed or should I just
>> write local policy to fix this?
>>   
> Adding boolean allow_mount_anyfile, to handle these situations.

It now gets denied in a different way:

type=AVC msg=audit(1149761176.924:18354): avc:  denied  { mounton } for  pid=10977 comm="mount" name="dvd" dev=dm-5 ino=1032207 scontext=root:system_r:mount_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1149761176.924:18354): arch=40000003 syscall=21 success=no exit=-13 a0=a002ab0 a1=a002ac0 a2=9ffefc0 a3=c0ed0001 items=1 pid=10977 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mount" exe="/bin/mount"
type=AVC_PATH msg=audit(1149761176.924:18354): path="/srv/softlib/fedora/stentz/dvd"
type=CWD msg=audit(1149761176.924:18354):  cwd="/"
type=PATH msg=audit(1149761176.924:18354): item=0 name="/srv/softlib/fedora/stentz/dvd" flags=1  inode=1032207 dev=fd:05 mode=040755 ouid=503 ogid=503 rdev=00:00

Paul.
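The denials in this thread are short enough to read by hand, but the useful step before deciding between "flip a boolean" and "write local policy" is the one audit2allow performs first: reduce each AVC record to (source type, target type, object class, permissions) and group them. The script below is an added example, not code from this thread or from the SELinux project; it reimplements that reduction minimally, using the records quoted above (in the line-wrapped form mail clients deliver them) as its sample input and re-joining wrapped records before parsing. Run it and the two denials come out as distinct rule needs, `file { read }` on the ISO image and `dir { mounton }` on the mount point, which is why a fix for one does not cover the other.

```python
"""Reduce SELinux AVC denials to the allow rules they would need (added example)."""
import re
from collections import defaultdict

# Sample input: the three AVC records quoted in this thread plus one SYSCALL
# record (which must be ignored), wrapped across lines as a mail client does it.
SAMPLE_WRAPPED = """\
Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc:  denied
{ read } for  pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
ino=1032205 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file

Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc:  denied
{ read } for  pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
ino=606259 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:public_content_rw_t:s0 tclass=file

type=AVC msg=audit(1149761176.924:18354): avc:  denied  { mounton } for
  pid=10977 comm="mount" name="dvd" dev=dm-5 ino=1032207
scontext=root:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1149761176.924:18354): arch=40000003 syscall=21
success=no exit=-13 a0=a002ab0 a1=a002ac0 a2=9ffefc0 a3=c0ed0001 items=1
pid=10977 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="mount" exe="/bin/mount"
"""

# A record starts with a syslog timestamp ("Apr 21 08:40:21 ") or an auditd
# "type=" field; any other non-blank line is a continuation of the previous one.
RECORD_START = re.compile(r'^(?:type=\w+ |[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )')

# The parts of an AVC record that determine the needed rule.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def unwrap(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] += ' ' + line.strip()
        # a continuation line before any record start is dropped as noise
    return records


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(records):
    """Return one dict per AVC record; SYSCALL, PATH, CWD records are skipped."""
    parsed = []
    for rec in records:
        m = AVC_RE.search(rec)
        if not m:
            continue
        parsed.append({
            'verdict': m.group('verdict'),
            'perms': set(m.group('perms').split()),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return parsed


def summarise(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for avc in parse_avc(unwrap(text)):
        if avc['verdict'] != 'denied':
            continue
        groups[(avc['stype'], avc['ttype'], avc['tclass'])] |= avc['perms']
    return dict(groups)


def suggest_rules(text):
    """Render each group as the allow rule a local policy module would need."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarise(text).items()):
        rules.append(f'allow {stype} {ttype}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_WRAPPED):
        print(rule)
```

On a real system the same summary comes from `audit2allow -i /var/log/audit/audit.log`; the point of doing it here is to see that the thread's two denials are different (type, class, permission) triples, so each has to be covered separately, whether by a boolean or by a local module. Note that the grouping deliberately keys on types only: the user field differs between records (system_u vs root) without changing the rule that would be needed.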




More information about the fedora-selinux-list mailing list