
Re: SELinux concerning /home symlink?



max bianco wrote:
On Fri, Jul 25, 2008 at 8:18 PM, Paul Howarth <paul city-fan org> wrote:
On Fri, 25 Jul 2008 21:54:51 +0000 (UTC)
Mike  <mike cloaked gmail com> wrote:

Mike <mike.cloaked <at> gmail.com> writes:

Thanks everyone - I will try bind mounting this evening....
I got the /home pointing to /opt/Local/home just fine - but ...now
doing mail:

Having just been pretty pleased with myself for getting my system
running I now find a problem.... This question was also posted to
Fedora list.

First I have my home directory bind mounted from /home
to /opt/Local/home with no problems, and I bind mount using an fstab
entry like /opt/Local/home   /home   ext3 bind 0 0

The context for /home is system_u:object_r:home_root_t:s0
and for /opt/Local/home it is the same.

The mount works fine during boot - so I tried the same with my mail.

I have an fstab entry
/opt/Local/spool/mail /var/spool/mail   ext3 bind  0 0

The context for /var/spool/mail is system_u:object_r:mail_spool_t:s0
and for /opt/Local/spool/mail it is also the same.

I can manually do
mount /var/spool/mail  and the bind mount works fine.

However on boot I get an avc denial, with kernel: type=1400 and
avc: denied {mounton} .... comm="mount" path="/var/spool/mail"
dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mail_spool_t:s0 class=dir

I am not sure what to change to make this work?
First temporarily unmount the bind mount:
# umount /var/spool/mail

Then change the context of the original /var/spool/mail to make it
suitable for use as a mount point:
# chcon -t mnt_t /var/spool/mail

Mount at boot should now work. You can simulate this without actually
rebooting by doing:
# service netfs start

Cheers, Paul.

Could I trouble you to be slightly more verbose so novices like myself
can get a better handle on the solution, because otherwise every
situation even remotely like this is going to get this solution
applied and this may not always be appropriate or suitable.

Sure.

The underlying problem is that "mount", when run confined by SELinux, is only allowed to mount filesystems on mount points that have specific context types, such as mnt_t. If you set up your partitioning at install time, the installer generally sets the context types of the directories to be used as mount points correctly. However, if you change your filesystem arrangement at a later date then the mount point directory you're using will probably have some other context type, such as mail_spool_t in this case, which mount isn't normally allowed to use as a mount point, and you get the AVC denials and failure to mount as a result. The fix is simply to label the mount point directory appropriately for a mount point.

The other issue is why the original setup fails at boot time when it works just fine manually. The reason for this is that if you run "mount" manually, it runs unconfined (as do most programs, e.g. httpd) but if you run it from an initscript (as happens at boot time), the mount process transitions to the correct confined domain. So you get the denials at boot time but not when running "mount" manually. For this reason, I always now use "service netfs start" rather than "mount -a" after making changes to my filesystem layouts to check for SELinux issues.

Hope that clears it up.

Cheers, Paul.
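Max's worry above is that the chcon fix gets applied to every denial that looks vaguely similar. The script below is an added example (not part of the thread or any Fedora tooling) that triages an AVC record and only recommends relabelling when it is exactly the case Paul describes: confined mount_t denied mounton on a directory that fstab bind-mounts onto. The AVC line, pid and fstab entries are constructed sample data modelled on the messages above.

```sh
#!/bin/sh
# Added example, not from the thread: triage an AVC denial like the one quoted
# above and decide whether it is the mislabelled-mount-point case that the
# "chcon -t mnt_t" fix addresses. Sample AVC line and fstab entries below are
# constructed, modelled on the thread (real audit records use tclass=, which the
# quoted message abbreviates to class=).
SAMPLE_AVC='type=1400 audit(1217000000.000:42): avc:  denied  { mounton } for  pid=1234 comm="mount" path="/var/spool/mail" dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir'
SAMPLE_FSTAB='/opt/Local/home        /home            ext3  bind  0 0
/opt/Local/spool/mail  /var/spool/mail  ext3  bind  0 0'

# Print the value of one key=value field of an AVC line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The third colon-separated component of a context is its type (mount_t etc.).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the fstab text on stdin bind-mounts something onto directory $1.
fstab_is_bind_target() {
    awk -v target="$1" '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == target && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verdict "relabel <path> <current type>" only for the exact case in the thread:
# confined mount_t denied mounton on a directory that fstab uses as a bind
# target. Anything else is "other", so the chcon fix is not applied blindly.
triage_avc() {
    line=$1; fstab=$2
    case "$line" in *'denied  { mounton }'*|*'denied { mounton }'*) ;; *) echo other; return;; esac
    [ "$(avc_field "$line" tclass)" = dir ] || { echo other; return; }
    [ "$(ctx_type "$(avc_field "$line" scontext)")" = mount_t ] || { echo other; return; }
    path=$(avc_field "$line" path | tr -d '"')
    if printf '%s\n' "$fstab" | fstab_is_bind_target "$path"; then
        echo "relabel $path $(ctx_type "$(avc_field "$line" tcontext)")"
    else
        echo other
    fi
}

triage_avc "$SAMPLE_AVC" "$SAMPLE_FSTAB"   # prints: relabel /var/spool/mail mail_spool_t
```

Note that a chcon label does not survive a restorecon or a full relabel; recording the mount point with semanage fcontext and then running restorecon makes the mnt_t label durable.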

