A couple of mount AVCs

Daniel J Walsh dwalsh at redhat.com
Wed Aug 23 15:55:44 UTC 2006


Paul Howarth wrote:
> Jason L Tibbitts III wrote:
>> I'm experimenting with turning on SELinux for my FC5 desktops.  I took
>> a machine that was kickstarted with "selinux --disabled", fully
>> updated, edited /etc/sysconfig/selinux to change "disabled" to
>> "enforcing", rebooted and waited for the relabel.
>>
>> Upon boot I get this twice:
>>
>> audit(1155677507.814:309): avc:  denied  { mounton } for  pid=1566 
>> comm="mount" name="mail" dev=dm-4 ino=393219 
>> scontext=system_u:system_r:mount_t:s0 
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
>>
>> /var/spool/mail is supposed to be NFS mounted, but this AVC causes
>> that mount to fail.  (Yes, IMAP will be my savior, but some people
>> here still use /bin/mail.  Really.)  What's odd is that I can log in
>> as root and type "mount /var/spool/mail" and it mounts fine.
>
> Unmount /var/spool/mail
>
> Try:
> # service netfs start
>
> This should try and fail to do the mount, just as it does at boot time.
>
> Now try:
> # chcon -t mnt_t /var/spool/mail
> # service netfs start
>
> This time it should work.
>
>> We also have NFS-mounted user home directories via autofs; the map is
>> in LDAP and nscd is running.  Every attempt to access a user home
>> directory results in:
>>
>> audit(1155738357.735:345): avc:  denied  { write } for  pid=7344 
>> comm="mount" name="socket" dev=dm-4 ino=131097 
>> scontext=system_u:system_r:mount_t:s0 
>> tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
>> audit(1155738357.735:346): avc:  denied  { write } for  pid=7344 
>> comm="mount" name="socket" dev=dm-4 ino=131097 
>> scontext=system_u:system_r:mount_t:s0 
>> tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
>> SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
>>
>> and the mount actually succeeds.
>
> What's the output of:
> # getsebool use_nfs_home_dirs
>
> It's probably set or you'd be having lots of other failures. It may be 
> something that needs dontaudit-ing since it's actually working OK.
>
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
No, it should be allowed; mount is trying to use nscd to look at user 
records.  Updated policy with this allow.
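An added example, not part of this thread and not Red Hat or Fedora code: a small Python triage script that parses AVC denial lines like the ones quoted above and collapses them into audit2allow-style "allow" lines, so you can see at a glance which source type, target type and object class each denial involves. The sample records are constructed from the thread (each AVC on one line, as audit.log writes them, rather than wrapped by the mail client); the two nscd_var_run_t denials collapse into one rule with a count of 2. The rendered allow lines are a summary for reading, not a recommendation to load them: as the thread shows, the mail_spool_t denial was addressed by relabeling the mountpoint with chcon, while the nscd_var_run_t one was addressed by a policy update.

```python
import re

# Constructed sample input, taken from the AVC messages quoted in the thread.
# Real audit.log records are one line each; a non-AVC kernel line is included
# to show that it is skipped.
SAMPLE_AUDIT_LINES = """\
audit(1155677507.814:309): avc:  denied  { mounton } for  pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1155738357.735:345): avc:  denied  { write } for  pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc:  denied  { write } for  pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarise(text):
    """Group denials by (source type, target type, class), union their
    permissions, and count how many raw records fell into each group."""
    rules = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        entry = rules.setdefault(key, {'perms': set(), 'count': 0, 'names': set()})
        entry['perms'].update(rec['perms'])
        entry['count'] += 1
        entry['names'].add(rec['name'])
    return rules


def as_te_rules(rules):
    """Render each group as an audit2allow-style allow line, sorted for stable output."""
    lines = []
    for (stype, ttype, tclass), entry in sorted(rules.items()):
        perms = ' '.join(sorted(entry['perms']))
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return lines


if __name__ == '__main__':
    groups = summarise(SAMPLE_AUDIT_LINES)
    for (stype, ttype, tclass), entry in sorted(groups.items()):
        print(f"{entry['count']}x {stype} -> {ttype}:{tclass} "
              f"perms={sorted(entry['perms'])} names={sorted(entry['names'])}")
    for rule in as_te_rules(groups):
        print(rule)
```

Run it as-is to see the summary for the constructed records, or replace SAMPLE_AUDIT_LINES with the contents of your own audit.log; the target type column is what tells you whether a denial is about the mountpoint's label (mail_spool_t here) or about an unrelated object the mount helper touches (the nscd socket).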
