Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

Paul jpb at entel.ca
Tue May 5 17:39:19 UTC 2009


Here is your problem right here: SELinux

Have a good, slow read of this:
http://kerneltrap.org/OpenBSD/SELinux_vs_OpenBSDs_Default_Security

If you still want to use SELinux, well, there's not much I can do to help
you.

Cheers,

- Paul



-----Original Message-----
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of David
Sent: Tuesday, May 05, 2009 8:57 AM
To: Community assistance, encouragement, and advice for using Fedora.
Cc: dwalsh at redhat.com
Subject: Re: Selinux disallows read-only loop mount of a file, but only at
boot [SOLVED]

I'm attempting to mount a loop device (a ro file) at boot using fstab.
My fstab entry works fine from the command line, but it fails at boot time
due to a selinux avc error. I assume this is due to incorrect file context.
The file is under a nonstandard top level directory, so I need to
specifically assign it the correct file context, which I would do if I could
figure out what it ought to be.

Where do I look on the system to discover what is the correct file context
required by mount at boot time?

The file and context are:
$ ls -lZ /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
-r--r-----  root share unconfined_u:object_r:default_t:s0 /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

The fstab line is:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso /mnt/Fedora-09-i386-DVD iso9660 loop,ro,gid=share 0 0

The command line that works is:
# mount /mnt/Fedora-09-i386-DVD

The boot-time error messages are:
Mounting local filesystems:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied
[FAILED] Mounting other filesystems:
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied
[FAILED]

The dmesg error is:
type=1400 audit(1241535886.437:4): avc:  denied  { read } for
pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922
scontext=system_u:system_r:mount_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=file

My selinux policy is:
# rpm -qa 'selinux-policy-targeted*'
selinux-policy-targeted-3.3.1-132.fc9.noarch

My selinux status is:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted

My os is:
# uname -r
2.6.25-14.fc9.i686

I have the following boolean unset because I wish to utilise selinux file
context to restrict which files can be mounted:
# getsebool allow_mount_anyfile
allow_mount_anyfile --> off

Interestingly, I did discover that the following command allows subsequent
boot-time mounts to succeed:
# chcon -t mount_exec_t /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

But I am unsure whether this is the correct solution.

Where do I look on the system to discover what is the correct file context
required by mount at boot time?

--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
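The triage David describes above (read the AVC record, work out which domain was refused which permission on which file type, then relabel the file) as an added example; this is not code from the thread, from Fedora, or from the SELinux userland. It parses the kernel's AVC line format, summarises the denial, and emits the persistent relabeling commands (semanage fcontext followed by restorecon; a bare chcon is lost at the next relabel). The thread does not say which target type mount_t is allowed to read, so the helper takes the type as a parameter rather than guessing one. The function names, the dictionary keys, and the sample line (the thread's AVC re-joined onto one line) are constructed for this example.

```python
"""AVC triage helper for an SELinux mount denial (added example).

Parses an audit AVC record, reports which source domain was denied which
permission on which target type, and builds the persistent relabel commands
for whatever target type the policy turns out to require.
"""
import re
import shlex

# Constructed sample: the thread's dmesg AVC record, re-joined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(1241535886.437:4): avc:  denied  { read } for '
    'pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=file'
)

# "avc:  denied  { read write } for key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
_FIELD_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields, or None if `line` is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for f in _FIELD_RE.finditer(m.group("fields")):
        rec[f.group("key")] = f.group("val").strip('"')
    # A context is user:role:type[:range]; the policy decision hinges on
    # the type, so pull it out of both the source and the target context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(rec):
    """One-line, human-readable reading of a parsed AVC record."""
    return "%s was %s %s on %s '%s' labelled %s" % (
        rec.get("scontext_type"), rec["verdict"], ",".join(rec["perms"]),
        rec.get("tclass"), rec.get("name", "?"), rec.get("tcontext_type"))


def is_mount_read_denial(rec):
    """True for the pattern in the thread: mount_t refused read on a file."""
    return (rec is not None
            and rec["verdict"] == "denied"
            and rec.get("scontext_type") == "mount_t"
            and rec.get("tclass") == "file"
            and "read" in rec["perms"])


def relabel_commands(path, target_type):
    """Persistent relabel for one file: record the rule, then apply it.

    `target_type` is whatever type the policy lets the source domain read;
    it is a parameter here because the thread does not state it.
    """
    quoted = shlex.quote(path)
    return [
        # semanage stores the mapping in the local file-context database,
        # so it survives a full relabel, unlike chcon.
        "semanage fcontext -a -t %s %s" % (target_type, quoted),
        # restorecon applies the recorded label to the file now.
        "restorecon -v %s" % quoted,
    ]


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(summarize(record))
    if is_mount_read_denial(record):
        # Hypothetical type name; substitute the one the policy actually allows.
        for cmd in relabel_commands(
                "/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso",
                "REQUIRED_TYPE_T"):
            print(cmd)
```

The parser deliberately keys on the type field of each context and ignores the user and role: the denial in the thread is decided by mount_t versus default_t, and the unconfined_u on the target file is irrelevant to a type-enforcement rule. Once the required type is known, running the two emitted commands replaces the chcon workaround with a label that restorecon and a relabel will reproduce.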