SELinux denying chcon -- OUCH!
Ian Pilcher
i.pilcher at comcast.net
Tue Mar 28 21:14:49 UTC 2006
Stephen Smalley wrote:
>
> mount_t is a domain - a type for a process running the mount program.
> Not a file type to assign to mount point directories. Not sure what
> type to recommend for what you describe - Dan? Likely need a generic
> mnt_t or similar with the mountpoint attribute?
>
I have changed the type of the mount points to mnt_t. It doesn't look
like this will cause a problem for httpd, because once the filesystem is
mounted, the type of its root directory appears to "mask" the type of
the mount point.

I should have mentioned before that I have no problem mounting these
filesystems as a logged in root user (mount -a); the problem only occurs
when booting the system.

After changing the type of the mount points and rebooting, I am now
getting this:

audit(1143579721.063:15): avc: denied { search } for pid=1709
comm="mount" name="/" dev=md8 ino=2
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

It looks like the mount command is looking for something in the root
directory of the filesystem, but I have no idea what that might be.

Thanks!
--
========================================================================
Ian Pilcher i.pilcher at comcast.net
========================================================================
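
Added example, not part of the original message: a small Python parser that splits the AVC denial quoted above into its fields (UTC time, source and target contexts, class, permissions) and notes when the target type is unlabeled_t. The function names and the summary format are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# AVC record copied from the message above, line-wrapped as in the mail.
SAMPLE = """audit(1143579721.063:15): avc: denied { search } for pid=1709
comm="mount" name="/" dev=md8 ino=2
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir"""

HEADER = re.compile(r'audit\((\d+)\.\d+:(\d+)\):\s*avc:\s*(denied|granted)'
                    r'\s*\{([^}]*)\}\s*for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return dict(zip(('user', 'role', 'type', 'level'), parts + [None]))

def parse_avc(record):
    """Parse one AVC message (possibly line-wrapped) into a dict."""
    m = HEADER.search(' '.join(record.split()))
    if not m:
        raise ValueError('not an AVC record')
    secs, serial, result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError(f'AVC record lacks {sorted(missing)}')
    return {
        'time': datetime.fromtimestamp(int(secs), tz=timezone.utc),
        'serial': int(serial), 'result': result,
        'perms': perms.split(),
        'source': split_context(fields.pop('scontext')),
        'target': split_context(fields.pop('tcontext')),
        'tclass': fields.pop('tclass'),
        'object': fields,  # what remains: pid, comm, name, dev, ino
    }

def summarize(avc):
    """One-line reading of the record; notes a target that had no valid label."""
    obj = avc['object']
    line = (f"{avc['time']:%Y-%m-%d %H:%M:%S}Z {obj.get('comm', '?')} "
            f"({avc['source']['type']}) {avc['result']} {','.join(avc['perms'])} on "
            f"{avc['tclass']} {obj.get('name', '?')!r} dev={obj.get('dev', '?')}")
    if avc['target']['type'] == 'unlabeled_t':
        line += ' [target unlabeled_t: no valid label at check time]'
    return line
```

Calling summarize(parse_avc(SAMPLE)) puts the denial at 21:02:01 UTC on 2006-03-28, with mount_t as the source type and the directory "/" on md8 as the unlabeled target.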