Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

Daniel J Walsh dwalsh at redhat.com
Wed May 6 12:00:17 UTC 2009


On 05/05/2009 08:17 PM, David wrote:
> On Wed, May 6, 2009 at 8:58 AM, Eamon Walsh<ewalsh at tycho.nsa.gov>  wrote:
>> David wrote:
>>> I'm attempting to mount a loop device (a ro file) at boot using fstab.
>>> My fstab entry works fine from the command line, but it fails at boot
>>> time due to a selinux avc error. I assume this is due to incorrect
>>> file context. The file is under a nonstandard top level directory, so
>>> I need to specifically assign it the correct file context, which I
>>> would do if I could figure out what it ought to be.
>> mount_loopback_t.
>
> Yes this works. Thank you to everyone who replied. Thanks Eamon for
> nurturing my understanding of selinux, which is what I hoped for when
> posting. I will explore your suggestions.
>
> Actually I did notice "mount_loopback_t" early in my exploration. But
> I naively ignored it due to my expectation that "loopback" refers to a
> network interface, not a "loop" device as used by mount.
>
> I did not realise how widespread it is to confuse these terms. The
> word loopback does not appear in 'man 8 mount'. It really surprises me
> that the selinux specification is not more precise on this usage.
>
> Surely "mount_loopback_t" is a mistake, it should be named "mount_loop_t".
>
> Some people are never happy!! ;-)
>

I will change the label to mount_loop_t in rawhide/F11 policy.  And 
alias mount_loopback_t to it.
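A small check script for the setup discussed in this thread, added here as an illustration and not part of either message: it parses the context that `ls -Z` reports for the image file, compares the type field against the one the thread settles on (mount_loopback_t, with mount_loop_t as the planned alias), and prints the semanage/restorecon commands that would assign it persistently. The image path and the fstab line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that a file which fstab
# loop-mounts at boot carries the SELinux type the thread settles on.
# Placeholder fstab entry for the file being checked:
#   /srv/images/root.img  /mnt/image  iso9660  loop,ro  0 0

# Type from the thread; override with mount_loop_t on policies that
# renamed it (the reply above says it becomes an alias in F11/rawhide).
EXPECTED_TYPE="${EXPECTED_TYPE:-mount_loopback_t}"

# Type field (3rd colon-separated field) of a security context such as
# "system_u:object_r:mount_loopback_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the context's type equals the expected type.
context_has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Pull the context column out of one line of `ls -Z` output. Newer
# coreutils print "context path"; the 2009-era long form prints
# "-rw-r--r--. root root context path", so take the field holding two
# or more colons (assumes the path itself contains no colons).
ls_z_context() {
    for field in $1; do
        case "$field" in
            *:*:*) printf '%s\n' "$field"; return 0 ;;
        esac
    done
    return 1
}

# Check a real file on an SELinux host; print the persistent fix if the
# type is wrong. Returns 0 on match, 1 on mismatch, 2 if unreadable.
check_image() {
    img="$1"
    line=$(ls -Z "$img" 2>/dev/null) || { echo "cannot stat $img"; return 2; }
    ctx=$(ls_z_context "$line") || { echo "no context on $img"; return 2; }
    if context_has_type "$ctx" "$EXPECTED_TYPE"; then
        echo "OK: $img is $ctx"
        return 0
    fi
    echo "MISMATCH: $img is $ctx, expected type $EXPECTED_TYPE"
    echo "Persistent fix (survives a relabel, unlike plain chcon):"
    echo "  semanage fcontext -a -t $EXPECTED_TYPE '$img'"
    echo "  restorecon -v '$img'"
    return 1
}
```

Run it as `sh check.sh` after defining the functions, then `check_image /srv/images/root.img`; the avc denial at boot should disappear once the file has the expected type.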




More information about the fedora-list mailing list