SELinux enforcing disallows opening floppy drive in Nautilus

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 13 18:00:52 UTC 2006


On Thu, 2006-04-13 at 18:35 +0100, Ron Yorston wrote:
> Stephen Smalley <sds at tycho.nsa.gov> wrote:
> >Seems like a policy bug (omission of a transition from unconfined_t to
> >mount_t) to me.  Otherwise, /etc/mtab is going to lose its type every
> >time you run mount/umount from the shell.  Dan?
> 
> Just a clarification (or confusion):  it's only umount that causes the
> problem.  mount doesn't create a new /etc/mtab file and doesn't change
> the context:
> 
>    # ls -Z /etc/mtab
>    -rw-r--r--  root     root     system_u:object_r:etc_runtime_t  /etc/mtab
>    # ls -i /etc/mtab
>    33032 /etc/mtab
>    # mount /opt
>    # ls -Z /etc/mtab
>    -rw-r--r--  root     root     system_u:object_r:etc_runtime_t  /etc/mtab
>    # ls -i /etc/mtab
>    33032 /etc/mtab
>    # 

Ah, ok.  strace of mount and umount suggests that mount just
writes/appends to the existing file in place while umount creates a new
file without the entry and then replaces the original file via rename.
Which would explain why mount doesn't disturb the type but umount does.
Regardless, I think it makes sense to have unconfined_t transition to
mount_t.
 
-- 
Stephen Smalley
National Security Agency
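
The difference between updating in place and replacing via rename, described in the message above, shown as an added example that is not part of the original post. It uses a constructed mtab-like file in a temporary directory; the function names and sample entries are assumptions. An SELinux label is stored with the inode, so a replacement file is labeled when it is created and does not take over the label of the file it replaces.

```shell
#!/bin/sh
# Added illustration: works on a constructed file in a temp dir, never on /etc/mtab.

# Print the inode number of a file (same check as `ls -i /etc/mtab` in the thread).
inode_of() { ls -i "$1" | awk '{print $1}'; }

# mount-style update: append to the existing file, so the inode is unchanged.
add_entry_in_place() {   # $1 = file, $2 = entry line
    printf '%s\n' "$2" >> "$1"
}

# umount-style update: write a new file without the entry, then rename it
# over the original. The name now points at a different inode.
remove_entry_by_rename() {   # $1 = file, $2 = mount point to drop
    tmp=$(mktemp "$(dirname "$1")/mtab.tmp.XXXXXX") || return 1
    awk -v mp="$2" '$2 != mp' "$1" > "$tmp" && mv -f "$tmp" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/mtab"
    printf '/dev/sda1 / ext3 rw 0 0\n' > "$f"        # constructed sample entry
    before=$(inode_of "$f")
    add_entry_in_place "$f" '/dev/sda5 /opt ext3 rw 0 0'
    after_append=$(inode_of "$f")
    remove_entry_by_rename "$f" /opt
    after_rename=$(inode_of "$f")
    echo "initial=$before after_append=$after_append after_rename=$after_rename"
    # On an SELinux system, run `ls -Z "$f"` at each step to compare labels as well.
    rm -rf "$dir"
}
demo
```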