SELinux concerning /home symlink?
max
maximilianbianco at gmail.com
Wed Jul 30 15:40:50 UTC 2008
Paul Howarth wrote:
>
> Sure.
>
> The underlying problem is that "mount", when run confined by SELinux, is
> only allowed to mount filesystems on mount points that have specific
> context types, such as mnt_t. If you set up your partitioning at install
> time, the installer generally sets the context types of the directories
> to be used as mount points correctly. However, if you change your
> filesystem arrangement at a later date then the mount point directory
> you're using will probably have some other context type, such as
> mail_spool_t in this case, which mount isn't normally allowed to use as
> a mount point, and you get the AVC denials and failure to mount as a
> result. The fix is simply to label the mount point directory
> appropriately for a mount point.
>
> The other issue is why the original setup fails at boot time when it
> works just fine manually. The reason for this is that if you run "mount"
> manually, it runs unconfined (as do most programs, e.g. httpd) but if
> you run it from an initscript (as happens at boot time), the mount
> process transitions to the correct confined domain. So you get the
> denials at boot time but not when running "mount" manually. For this
> reason, I always now use "service netfs start" rather than "mount -a"
> after making changes to my filesystem layouts to check for SELinux issues.
>
> Hope that clears it up.
>
> Cheers, Paul.
Yes. Thanks. I did have another question but the replies below have
given me sufficient food for thought...for now :^)
Thanks again,
Max
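A small check for the labelling problem Paul describes, added here as an example rather than taken from the thread: it reads a directory's SELinux type, reports whether the confined mount domain can use it as a mount point (mnt_t, as named above), and prints the persistent relabel otherwise. It assumes GNU coreutils `stat -c %C` for the live context and `semanage`/`restorecon` from policycoreutils; the sample contexts at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: GNU 'stat -c %C' prints the
# SELinux context; semanage/restorecon are available from policycoreutils.

# Types acceptable for a mount point under the policy discussed (mnt_t).
# Extend with other mount-point types your policy defines (assumption).
MOUNT_POINT_TYPES="mnt_t"

# context_type CONTEXT: print the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_mount_point_type TYPE: succeed if TYPE is in MOUNT_POINT_TYPES.
is_mount_point_type() {
    for t in $MOUNT_POINT_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# check_context CONTEXT DIR: succeed if DIR's type is usable as a mount point;
# otherwise print the fcontext rule plus restorecon (so the label survives a
# relabel, unlike a bare chcon) and fail. This is the "label the mount point
# directory appropriately" step from the thread.
check_context() {
    ctype=$(context_type "$1")
    if is_mount_point_type "$ctype"; then
        echo "ok: $2 is $ctype"
        return 0
    fi
    echo "relabel needed: $2 is $ctype, which confined mount cannot use" >&2
    echo "  semanage fcontext -a -t mnt_t '$2'" >&2
    echo "  restorecon -v '$2'" >&2
    return 1
}

# check_dir DIR: read the live context of DIR and run the check on it.
check_dir() {
    check_context "$(stat -c %C "$1")" "$1"
}

# Constructed sample contexts mirroring the thread: a correctly labelled
# mount point and one still carrying mail_spool_t.
check_context "system_u:object_r:mnt_t:s0" /mnt/data
check_context "system_u:object_r:mail_spool_t:s0" /var/spool/mail || true
```

After relabelling, exercise the confined domain the way Paul suggests (`service netfs start` rather than a manual `mount -a`) so that any remaining AVC denials show up before the next reboot.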