ReiserFS chicken and egg

Stephen Smalley sds at tycho.nsa.gov
Thu Mar 30 13:41:55 UTC 2006


On Wed, 2006-03-29 at 13:34 -0600, Ian Pilcher wrote:
> Sorry about the delay...jury duty.
> 
> Just tried again to be sure:
> 
>   mkfs.reiserfs /dev/md9
> 
> /etc/fstab contains:
> 
>   /dev/md9 /mnt/tmp reiserfs context=system_u:object_r:file_t:s0 0 2
> 
> Rebooted and the mount failed.  dmesg | grep md9 shows:
> 
> audit(1143660461.416:15): avc:  denied  { search } for  pid=1714
> comm="mount" name="/" dev=md9 ino=2
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> ReiserFS: md9: warning: xattrs/ACLs enabled and couldn't find/create
> .reiserfs_priv. Failing mount.
> 
> It doesn't look like the context option had any effect at all.

I think we are encountering the denial before we reach the processing of
the context option.  The setup of the superblock security data and the
root directory security data happens upon security_sb_kern_mount, but
this is called after the filesystem returns from its get_sb method.
Unfortunately, reiserfs apparently tries to access the xattr directory
during get_sb, so there is an attempted lookup before SELinux has
initialized the security state on the root directory, and we get a
denial on unlabeled_t.  I guess you need to allow mount_t
unlabeled_t:dir search; to work around it.

-- 
Stephen Smalley
National Security Agency
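The suggested workaround is exactly the allow rule that audit2allow would derive from the AVC message in the quoted dmesg output. The script below is an added example, not code from the thread or from the SELinux tools: a minimal stand-in for audit2allow that parses AVC denial lines (the one from the mail, re-joined onto a single line, plus a second constructed denial to show how permissions aggregate) and emits the corresponding `allow` statements. Field layout follows the classic `avc: denied { perms } for key=value ...` format shown in the mail; anything else about the log is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denial quoted in the mail, joined back
# into one line (the mail client wrapped it across three lines).
SAMPLE_AVC = (
    'audit(1143660461.416:15): avc:  denied  { search } for  pid=1714 '
    'comm="mount" name="/" dev=md9 ino=2 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'
)

# Constructed extra denial (not from the mail) on the same source/target/class,
# used only to demonstrate permission aggregation into one rule.
CONSTRUCTED_EXTRA_AVC = (
    'audit(1143660461.417:16): avc:  denied  { read } for  pid=1714 '
    'comm="mount" name="/" dev=md9 ino=2 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'
)

# "avc: denied { perm perm } for <key=value fields>"
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="mount", name="/")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict of its key=value fields plus a
    'perms' list. Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def allow_rules(lines):
    """Aggregate denials by (source type, target type, class) and render them
    as 'allow src tgt:class perms;' statements, the way audit2allow does."""
    wanted = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d['scontext']), context_type(d['tcontext']), d['tclass'])
        wanted[key].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    # The single denial from the mail yields the rule Smalley suggests.
    for rule in allow_rules([SAMPLE_AVC]):
        print(rule)
```

Run on the quoted denial alone it prints `allow mount_t unlabeled_t:dir search;`, which is deliberately narrow: it grants mount_t only directory search on unlabeled_t, not read or write access to the unlabeled root. That statement can be dropped into a local policy module and loaded with the usual checkmodule / semodule_package / semodule sequence; after the mount succeeds the context= option labels the root directory as file_t, so the rule is only exercised during the get_sb window the mail describes.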
