SELinux denying chcon -- OUCH!

Ian Pilcher i.pilcher at comcast.net
Tue Mar 28 18:51:30 UTC 2006


A little background -- I have my music collection stored on 5 reiserfs
filesystems, on top of five separate software RAID devices (md4-md8).  I
use httpd to make them available on my *home* network (and if the RIAA
has a problem with that they can kiss my lily-white...sorry).  I
generally mount them as /var/www/html/music/music{0,1,2,3,4}.

Today I rebooted my system (Fedora Core 5, fully updated) and got some
bizarre warnings about being unable to mount a block device read-only.
Sure enough...

audit(1143570731.388:11): avc:  denied  { mounton } for  pid=1703
comm="mount" name="music0" dev=md1 ino=131232
scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir

Hmm, looks like a special context is now needed for mount points.  I can
see why that might be a good idea, so...

chcon system_u:system_r:mount_t /var/www/html/music/*

chcon: failed to change context of /var/www/html/music/music0 to
system_u:system_r:mount_t: Permission denied

type=AVC msg=audit(1143571740.714:59): avc:  denied  { relabelto } for
pid=3036 comm="chcon" name="music0" dev=md1 ino=131232
scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
tcontext=system_u:system_r:mount_t:s0 tclass=dir

This is either a learning opportunity for me, or a serious problem.  I
can't wait to find out which.

Thanks!

-- 
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================
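The two AVC records quoted in the post are easier to reason about once their fields are pulled apart, in particular the `user:role:type:level` parts of `scontext` and `tcontext`. The following parser is an added example, not code from the post or from Fedora's SELinux tooling. The sample records are the post's own two denials, re-joined onto one line each (the mail client wrapped them; the kernel emits each record as a single line). The `mislabel_hints` check relies on one policy fact: files and directories carry the role `object_r`, so a file-class target whose context has a process role is worth flagging before any further relabelling.

```python
import re

# Constructed sample: the two denials from the post, each re-joined onto a single line.
SAMPLE_AVC = [
    'audit(1143570731.388:11): avc:  denied  { mounton } for  pid=1703 comm="mount" '
    'name="music0" dev=md1 ino=131232 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1143571740.714:59): avc:  denied  { relabelto } for '
    'pid=3036 comm="chcon" name="music0" dev=md1 ino=131232 '
    'scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:mount_t:s0 tclass=dir',
]

# "avc:  denied  { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
AUDIT_ID_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Object classes that name filesystem objects; these should carry role object_r.
FILE_CLASSES = {'dir', 'file', 'lnk_file', 'chr_file', 'blk_file', 'sock_file', 'fifo_file'}


def split_context(ctx):
    """Split user:role:type[:level]. The MLS level may itself contain ':'
    (e.g. s0-s0:c0.c255), so split at most three times."""
    return dict(zip(('user', 'role', 'type', 'level'), ctx.split(':', 3)))


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    ident = AUDIT_ID_RE.search(line)
    if ident:
        rec['timestamp'] = float(ident.group('ts'))
        rec['serial'] = int(ident.group('serial'))
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    for side in ('scontext', 'tcontext'):
        if side in rec:
            rec[side + '_parts'] = split_context(rec[side])
    return rec


def mislabel_hints(rec):
    """Flag a file-class target whose context carries a process role instead of object_r."""
    hints = []
    target = rec.get('tcontext_parts')
    if target and rec.get('tclass') in FILE_CLASSES and target.get('role') != 'object_r':
        hints.append(
            f"target {rec.get('name')} ({rec['tclass']}) is labelled with role "
            f"{target.get('role')}; file objects normally carry object_r"
        )
    return hints


def summarize(rec):
    """One-line human summary: who was denied what on which object."""
    return (f"{rec['result']} {' '.join(rec['perms'])}: "
            f"{rec.get('comm')}({rec['scontext_parts']['type']}) -> "
            f"{rec.get('tclass')} {rec.get('name')}({rec['tcontext_parts']['type']})")


if __name__ == '__main__':
    for line in SAMPLE_AVC:
        rec = parse_avc(line)
        print(summarize(rec))
        for hint in mislabel_hints(rec):
            print('  hint:', hint)
```

Run against the post's records, the first denial (`mount` in `mount_t` attempting `mounton` a directory labelled `httpd_sys_content_t`) parses cleanly with no hint, while the second (`chcon` attempting `relabelto` a context of `system_u:system_r:mount_t`) is flagged because the requested context has the process role `system_r` on a `dir` object. The same parser applies to any line from `/var/log/audit/audit.log` or `dmesg` that contains an `avc:` record.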



