SELinux concerning /home symlink?

Daniel J Walsh dwalsh at redhat.com
Wed Jul 30 14:51:12 UTC 2008


Paul Howarth wrote:
> Eric Paris wrote:
>> On Wed, 2008-07-30 at 12:18 +0100, Paul Howarth wrote:
>>
>>> The underlying problem is that "mount", when run confined by SELinux,
>>> is only allowed to mount filesystems on mount points that have
>>> specific context types, such as mnt_t. If you set up your
>>> partitioning at install time, the installer generally sets the
>>> context types of the directories to be used as mount points
>>> correctly. However, if you change your filesystem arrangement at a
>>> later date then the mount point directory you're using will probably
>>> have some other context type, such as mail_spool_t in this case,
>>> which mount isn't normally allowed to use as a mount point, and you
>>> get the AVC denials and failure to mount as a result. The fix is
>>> simply to label the mount point directory appropriately for a mount
>>> point.
>>
>> setsebool -P allow_mount_anyfile 1
>>
>> should let him mount without any labeling changes right?  You should be
>> able to find this boolean in system-config-selinux and setroubleshoot
>> should have suggested toggling this boolean.
> 
> Yes, that should work too but would be more permissive than fixing the
> mountpoint context.
> 
> Paul.
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I have decided to make these directories a mountpoint

files_mountpoint(mail_spool_t)


You could have generated a policy module with this and mount would have
been allowed also.

policy_module(myspool, 1.0.0)

# mail_spool_t is declared by the base policy, so this module only
# references the type instead of defining it
gen_requires(`
	type mail_spool_t;
')

# allow a confined mount to use mail_spool_t directories as mount points
files_mountpoint(mail_spool_t)

The beauty of SELinux, three ways to solve the same problem.  :^)
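As an added illustration, not part of this thread or of the reference policy: a small Python checker that picks the "confined mount denied on a mis-labelled mount point" case out of audit log lines and prints the three remedies discussed above (relabel the directory, the allow_mount_anyfile boolean, or a files_mountpoint() module), least permissive first. The audit lines are constructed for the example; the semanage/restorecon invocation and the checkmodule/semodule_package/semodule build steps are this example's choices for carrying out the relabel and module approaches, and the module name myspool is the one from Dan's message.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit(8) lines modelled on the failure the thread
# describes: a confined "mount" (mount_t) denied "mounton" on a directory
# still labelled mail_spool_t. The other two lines are unrelated noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1217429472.301:57): avc:  denied  { mounton } for  pid=2312 comm="mount" path="/var/spool/mail" dev=sda3 ino=262145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=AVC msg=audit(1217429480.112:58): avc:  denied  { read } for  pid=2320 comm="httpd" name="index.html" dev=sda3 ino=9981 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1217429472.301:57): arch=c000003e syscall=165 success=no exit=-13 comm="mount"
"""


@dataclass
class AvcDenial:
    perms: tuple          # permissions listed inside the "{ ... }" braces
    comm: str             # command name from comm="..."
    path: Optional[str]   # path="..." when the kernel logged one
    stype: str            # source (process) type, e.g. mount_t
    ttype: str            # target (object) type, e.g. mail_spool_t
    tclass: str           # object class, e.g. dir


def context_type(ctx: str) -> str:
    """Third field of user:role:type[:level] is the SELinux type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None unless it is an AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if m is None:
        return None
    # key=value tokens; quoted values keep spaces, quotes are stripped
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return AvcDenial(
        perms=tuple(m.group(1).split()),
        comm=fields.get("comm", ""),
        path=fields.get("path"),
        stype=context_type(fields.get("scontext", "")),
        ttype=context_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
    )


def is_mountpoint_denial(d: AvcDenial) -> bool:
    """The thread's case: confined mount refused to use a dir as a mount point."""
    return "mounton" in d.perms and d.tclass == "dir" and d.stype == "mount_t"


def policy_module_te(name: str, mountpoint_type: str) -> str:
    """Render the .te source from the thread, parameterised on the type."""
    return (
        f"policy_module({name}, 1.0.0)\n\n"
        "gen_requires(`\n"
        f"\ttype {mountpoint_type};\n"
        "')\n\n"
        f"files_mountpoint({mountpoint_type})\n"
    )


def remediation_options(d: AvcDenial) -> Dict[str, List[str]]:
    """The three fixes from the thread, least permissive first.

    semanage/restorecon and the checkmodule/semodule_package/semodule
    steps are this example's choice of tooling (assumption), not the thread's."""
    path = d.path or "<mount point directory>"
    return {
        "relabel_mountpoint": [
            f"semanage fcontext -a -t mnt_t '{path}'",
            f"restorecon -v '{path}'",
        ],
        "policy_module": policy_module_te("myspool", d.ttype).splitlines() + [
            "# build and load: checkmodule -M -m -o myspool.mod myspool.te",
            "#                 semodule_package -o myspool.pp -m myspool.mod",
            "#                 semodule -i myspool.pp",
        ],
        "boolean": ["setsebool -P allow_mount_anyfile 1"],
    }


def scan(log_text: str) -> List[AvcDenial]:
    """Return the mount-point denials found in an audit log excerpt."""
    found = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None and is_mountpoint_denial(d):
            found.append(d)
    return found


if __name__ == "__main__":
    for d in scan(SAMPLE_AUDIT_LOG):
        print(f"mount denied on {d.path} (labelled {d.ttype}); options:")
        for name, lines in remediation_options(d).items():
            print(f"  [{name}]")
            for text in lines:
                print("    " + text)
```

Run it against a real /var/log/audit/audit.log excerpt instead of SAMPLE_AUDIT_LOG to see which directory is mis-labelled; the relabel option is listed first because, as Paul notes above, the boolean opens mount to any file rather than just the one directory.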



