problems with tmpfs and relabeling
Bill Nottingham
notting at redhat.com
Thu Apr 20 18:38:16 UTC 2006
Stephen Smalley (sds at tycho.nsa.gov) said:
> It may be necessary to add allow rules to enable the fscontext= mount to
> succeed, although I would have expected that to generate an avc denial
> if that were the issue (unless suppressed by a dontaudit, but that seems
> wrong). You would need to allow <processdomain>
> <originalfstype>:filesystem relabelfrom; allow <processdomain>
> <newfstype>:filesystem relabelto; Dan?
OK, once doing this, I get:
avc: denied { search } for pid=1688 comm="mount" name="/" dev=tmpfs ino=5444
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=dir
And, then, expectedly, after fixing that, restorecon can't getattr/read/etc
fs_t.
I seem to be stuck in a neverending cascade of AVCs. What's generally
wrong here?
The usage model is this:
1) mount a tmpfs under /var somewhere
2) take a predefined list of dirs and files, and for each one:
a) copy it to that tmpfs
b) bind mount it over its original location
c) restrorecon @ the original location, to get the contexts right
This shouldn't be *that* hard to get working with policy, should it?
Bill
More information about the fedora-selinux-list
mailing list