Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]
David
bouncingcats at gmail.com
Tue May 5 15:56:42 UTC 2009
I'm attempting to mount a loop device (a ro file) at boot using fstab.
My fstab entry works fine from the command line, but it fails at boot
time due to a selinux avc error. I assume this is due to incorrect
file context. The file is under a nonstandard top level directory, so
I need to specifically assign it the correct file context, which I
would do if I could figure out what it ought to be.
Where do I look on the system to discover what is the correct file
context required by mount at boot time?
The file and context are:
$ ls -lZ /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
-r--r----- root share unconfined_u:object_r:default_t:s0 /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
The fstab line is:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso /mnt/Fedora-09-i386-DVD iso9660 loop,ro,gid=share 0 0
The command line that works is:
# mount /mnt/Fedora-09-i386-DVD
The boot-time error messages are:
Mounting local filesystems:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied [FAILED]
Mounting other filesystems:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied [FAILED]
The dmesg error is:
type=1400 audit(1241535886.437:4): avc: denied { read } for pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 scontext=system_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
My selinux policy is:
# rpm -qa 'selinux-policy-targeted*'
selinux-policy-targeted-3.3.1-132.fc9.noarch
My selinux status is:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted
My OS is:
# uname -r
2.6.25-14.fc9.i686
I have the following boolean unset because I wish to utilise selinux
file context to restrict which files can be mounted:
# getsebool allow_mount_anyfile
allow_mount_anyfile --> off
Interestingly, I did discover that the following command allows
subsequent boot-time mounts to succeed:
# chcon -t mount_exec_t /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
But I am unsure whether this is the correct solution.
Where do I look on the system to discover what is the correct file
context required by mount at boot time?
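The following is an added Python example, not part of David's post or of any Fedora tooling: it parses the AVC denial quoted above into its fields, flags the two labels that appear in the thread (default_t on the target, and the mount_exec_t workaround) from a defender's point of view, and builds the standard commands for finding and fixing the right label. It assumes `sesearch` (from setools) and `semanage`/`restorecon` (from policycoreutils) are installed on the Fedora host; `TYPE_FROM_SESEARCH` is a placeholder for whichever file type the sesearch query reports as readable by mount_t, which this example does not try to guess.

```python
import re

# AVC record quoted in the post above (copied from the page, not constructed)
AVC_LINE = (
    "type=1400 audit(1241535886.437:4): avc: denied { read } for "
    'pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 '
    "scontext=system_u:system_r:mount_t:s0 "
    "tcontext=unconfined_u:object_r:default_t:s0 tclass=file"
)

# Shape of a kernel AVC record: 'avc: denied { perm ... } for key=value key="value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one.

    Contexts are user:role:type[:level]; only the type takes part in allow rules,
    so that is what we extract from scontext and tcontext.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv.get("tclass"),
    }


def diagnose(denial):
    """Explain why the target label is probably wrong, from the defender's side."""
    notes = []
    t = denial["target_type"]
    if t == "default_t":
        notes.append("default_t is the catch-all label for paths that no file_contexts rule "
                     "matches; the file was never given a real label, so relabel the file "
                     "rather than loosening the mount_t domain (e.g. allow_mount_anyfile)")
    if t.endswith("_exec_t"):
        notes.append(f"{t} is an executable entrypoint type by naming convention; a data "
                     "file such as an ISO should not carry it even if the mount then succeeds")
    return notes


def sesearch_query(denial):
    """Build the setools query that lists which target types the source domain may access."""
    return "sesearch -A -s {src} -c {cls} -p {perms}".format(
        src=denial["source_type"], cls=denial["tclass"], perms=",".join(denial["perms"]))


def relabel_commands(path, new_type):
    """Persistent relabel: record the rule in the local file_contexts, then apply it.

    Unlike chcon, this survives a restorecon or a full filesystem relabel.
    """
    return [
        f"semanage fcontext -a -t {new_type} '{path}'",
        f"restorecon -v '{path}'",
    ]


if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print(f"{d['comm']} ({d['source_type']}) denied {d['perms']} on {d['name']} ({d['target_type']})")
    for n in diagnose(d):
        print("note:", n)
    print("list readable types with:", sesearch_query(d))
    # TYPE_FROM_SESEARCH is a placeholder: pick a type the query above reports
    iso = "/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso"
    for c in relabel_commands(iso, "TYPE_FROM_SESEARCH"):
        print(c)
```

Run it as a script to see the report for the denial from the post; the same `parse_avc` works on any `avc: denied` line pulled from dmesg or /var/log/audit/audit.log. Note that the command-line mount succeeds because an unconfined shell runs mount in an unconfined domain, while at boot it runs as mount_t, so only the boot-time denial reveals the label problem.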
More information about the fedora-list mailing list