Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

Eamon Walsh ewalsh at tycho.nsa.gov
Tue May 5 22:58:21 UTC 2009


David wrote:
> I'm attempting to mount a loop device (a ro file) at boot using fstab.
> My fstab entry works fine from the command line, but it fails at boot
> time due to a selinux avc error. I assume this is due to incorrect
> file context. The file is under a nonstandard top level directory, so
> I need to specifically assign it the correct file context, which I
> would do if I could figure out what it ought to be.
>   

mount_loopback_t.

The reason why

cat /etc/selinux/targeted/contexts/files/file_contexts | grep mount

did not give the answer is because there are no files installed by
default with that label.


> Where do I look on the system to discover what is the correct file
> context required by mount at boot time?
>   

[Disclaimer: the commands below were run on an F10 box.  Try them on your
box to verify.]

Method 1:  use the sesearch command to find rules in the policy.

# yum install setools-console
# man sesearch
# sesearch -A -s mount_t -c file -p read  |  grep loop
allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;
#

If you leave off the "grep loop" you get a much longer list of things
mount_t is allowed to read, but you can still find mount_loopback_t;
sorting the list helps.



Method 2:  look at the refpolicy source.

# yum install yum-utils
# cd ~
# yumdownloader --source selinux-policy
# rpm -i selinux-policy-*.src.rpm
# cd rpmbuild/SOURCES
# tar ztf serefpolicy-3.5.13.tgz | grep mount
serefpolicy-3.5.13/policy/modules/services/automount.fc
serefpolicy-3.5.13/policy/modules/services/automount.te
serefpolicy-3.5.13/policy/modules/services/automount.if
serefpolicy-3.5.13/policy/modules/system/mount.fc
serefpolicy-3.5.13/policy/modules/system/mount.if
serefpolicy-3.5.13/policy/modules/system/mount.te
# tar zxf serefpolicy-3.5.13.tgz  --wildcards --no-anchored '*/mount.te'
# grep loop serefpolicy-3.5.13/policy/modules/system/mount.te
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
allow mount_t mount_loopback_t:file read_file_perms;
#

Again, if you didn't know to grep for "loop" you could read the whole
.te file.  The three lines above all appear on the first page of the file.


Method 3: browse the refpolicy source online:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/system/mount.te

 


-- 
Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency
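The lookup-then-relabel workflow the reply describes, as an added shell example that is not part of the original post: it parses the rule format that `sesearch -A` prints in Method 1 to list the file types a domain may read, then builds the `semanage fcontext` and `restorecon` commands that would give the loop image one of those types. The rule lines and the path /srv/images/root.img are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `sesearch -A` rule lines
# of the form "allow SRC TGT : CLASS { perms } ;" and emits the labelling
# commands for a loop-mounted image. The sample rules and the image path
# are constructed placeholders, not output from a real box.

# Constructed sample of `sesearch -A -s mount_t -c file -p read` output.
SAMPLE_RULES='allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;
allow mount_t etc_t : file { ioctl read getattr lock } ;
allow mount_t mount_tmp_t : file { ioctl write create getattr } ;'

# readable_types SRC CLASS   (rule lines on stdin)
# Prints each target type that SRC is allowed to "read" on object class CLASS.
# Field layout: $1=allow $2=SRC $3=TGT $4=: $5=CLASS $6={ $7..=perms until }
readable_types() {
    awk -v src="$1" -v cls="$2" '
        $1 == "allow" && $2 == src && $5 == cls {
            for (i = 7; i <= NF && $i != "}"; i++)
                if ($i == "read") { print $3; break }
        }' | sort -u
}

# fcontext_cmds TYPE PATH
# Prints the commands that make PATH persistently carry TYPE: a file_contexts
# entry (dots in the path escaped, since the entry is a regex) plus a relabel.
fcontext_cmds() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    printf "semanage fcontext -a -t %s '%s'\n" "$1" "$esc"
    printf 'restorecon -v %s\n' "$2"
}

# Demonstration on the constructed sample; on an SELinux box replace the
# printf with the real `sesearch -A -s mount_t -c file -p read` pipeline.
printf '%s\n' "$SAMPLE_RULES" | readable_types mount_t file
fcontext_cmds mount_loopback_t /srv/images/root.img
```

The first command prints `etc_t` and `mount_loopback_t` (mount_tmp_t is dropped because its rule grants no read), and the second prints the two labelling commands to run as root.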