
Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

David wrote:
> I'm attempting to mount a loop device (a ro file) at boot using fstab.
> My fstab entry works fine from the command line, but it fails at boot
> time due to a selinux avc error. I assume this is due to incorrect
> file context. The file is under a nonstandard top level directory, so
> I need to specifically assign it the correct file context, which I
> would do if I could figure out what it ought to be.


The reason why

cat /etc/selinux/targeted/contexts/files/file_contexts | grep mount

did not give the answer is because there are no files installed by
default with that label.

> Where do I look on the system to discover what is the correct file
> context required by mount at boot time?

[Disclaimer: the commands below were run on a F10 box.  Try them on your
box to verify.]

Method 1:  use the sesearch command to find rules in the policy.

# yum install setools-console
# man sesearch
# sesearch -A -s mount_t -c file -p read  |  grep loop
allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;

If you leave off the "grep loop" you get a much longer list of things
mount_t is allowed to read, but you can still find mount_loopback_t;
sorting the list helps.

Method 2:  look at the refpolicy source.

# yum install yum-utils
# cd ~
# yumdownloader --source selinux-policy
# rpm -i selinux-policy-*.src.rpm
# cd rpmbuild/SOURCES
# tar ztf serefpolicy-3.5.13.tgz | grep mount
# tar zxf serefpolicy-3.5.13.tgz  --wildcards --no-anchored '*/mount.te'
# grep loop serefpolicy-3.5.13/policy/modules/system/mount.te
type mount_loopback_t; # customizable
allow mount_t mount_loopback_t:file read_file_perms;

Again, if you didn't know to grep for "loop" you could read the whole
.te file.  The three lines above all appear on the first page of the file.

Method 3: browse the refpolicy source online:


Eamon Walsh <ewalsh tycho nsa gov>
National Security Agency
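The two methods above answer "which types may mount_t read?" with a grep for one keyword. Below is an added example, not part of the mail or of refpolicy, that does the same lookup programmatically: it parses `allow <source> <target>:<class> <perms>;` lines in both the .te form (Method 2) and the `sesearch` output form (Method 1), expands permission macros, and returns every target type the source domain may access with a given permission on a given object class. The sample .te excerpt is constructed for the example and only imitates the two lines quoted from mount.te; the macro table is an assumption seeded from the `sesearch` output in the mail (the F10-era `read_file_perms`, without `open`) and covers only what the sample needs.

```python
"""Find the target types a source domain may access, from refpolicy-style
allow rules.  Added example for this thread; not code from the mail or
from refpolicy."""
import re

# Permission-set macros.  Assumption: the expansion of read_file_perms is
# taken from the sesearch output quoted in the mail; the others are
# illustrative and not a complete copy of refpolicy's obj_perm_sets.spt.
PERM_MACROS = {
    "read_file_perms": {"getattr", "read", "lock", "ioctl"},
    "rw_file_perms": {"getattr", "read", "write", "append", "lock", "ioctl"},
}

# Matches the .te form   `allow mount_t mount_loopback_t:file read_file_perms;`
# and the sesearch form  `allow mount_t mount_loopback_t : file { ioctl read } ;`
RULE_RE = re.compile(
    r"^\s*allow\s+"
    r"(?P<src>[^\s;{}]+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s;:{}]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|[^\s;:{}]+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;{}]+)\s*;"
)


def _expand_set(token):
    """Turn `{ a b c }` or `a` into a set of names."""
    token = token.strip()
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return {token}


def _expand_perms(token):
    """Expand permission names, replacing known macros with their members."""
    perms = set()
    for name in _expand_set(token):
        perms |= PERM_MACROS.get(name, {name})
    return perms


def parse_rules(text):
    """Return a list of allow rules; comments and non-allow lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # strip trailing comment
        m = RULE_RE.match(line)
        if not m:
            continue
        source = m.group("src")
        targets = _expand_set(m.group("tgt"))
        if "self" in targets:  # `self` means the source type itself
            targets = (targets - {"self"}) | {source}
        rules.append({
            "source": source,
            "targets": targets,
            "classes": _expand_set(m.group("cls")),
            "perms": _expand_perms(m.group("perms")),
        })
    return rules


def types_with_perm(text, source, cls, perm):
    """Target types that `source` may access with `perm` on object class `cls`
    (the same question as `sesearch -A -s SOURCE -c CLS -p PERM`)."""
    found = set()
    for rule in parse_rules(text):
        if rule["source"] == source and cls in rule["classes"] and perm in rule["perms"]:
            found |= rule["targets"]
    return sorted(found)


# Constructed excerpt in the style of refpolicy's mount.te; not the real file.
SAMPLE_TE = """\
policy_module(mount, 1.9.0)

type mount_t;
type mount_loopback_t; # customizable
type mount_tmp_t;

allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t mount_tmp_t:file { create read write unlink };
allow mount_t { etc_t usr_t }:dir read_file_perms;   # dir class, not file
allow mount_t self:capability { sys_admin dac_override };
"""

# Constructed line in the output format of `sesearch -A` quoted in the mail.
SAMPLE_SESEARCH = "allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;\n"


if __name__ == "__main__":
    print("readable by mount_t (.te):      ", types_with_perm(SAMPLE_TE, "mount_t", "file", "read"))
    print("writable by mount_t (.te):      ", types_with_perm(SAMPLE_TE, "mount_t", "file", "write"))
    print("readable by mount_t (sesearch): ", types_with_perm(SAMPLE_SESEARCH, "mount_t", "file", "read"))
```

Running it against a real .te file or saved `sesearch -A` output gives the candidate types without guessing a keyword; a type named in the result is then a sensible label for the image file, applied persistently with `semanage fcontext` and `restorecon` rather than a one-off `chcon` that the next relabel would undo.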
