ReiserFS chicken and egg

Daniel J Walsh dwalsh at redhat.com
Thu Mar 30 20:32:17 UTC 2006


Stephen Smalley wrote:
> On Wed, 2006-03-29 at 13:34 -0600, Ian Pilcher wrote:
>   
>> Sorry about the delay...jury duty.
>>
>> Just tried again to be sure:
>>
>>   mkfs.reiserfs /dev/md9
>>
>> /etc/fstab contains:
>>
>>   /dev/md9 /mnt/tmp reiserfs context=system_u:object_r:file_t:s0 0 2
>>
>> Rebooted and the mount failed.  dmesg | grep md9 shows:
>>
>> audit(1143660461.416:15): avc:  denied  { search } for  pid=1714
>> comm="mount" name="/" dev=md9 ino=2
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>> ReiserFS: md9: warning: xattrs/ACLs enabled and couldn't find/create
>> .reiserfs_priv. Failing mount.
>>
>> It doesn't look like the context option had any effect at all.
>>     
>
> I think we are encountering the denial before we reach the processing of
> the context option.  The setup of the superblock security data and the
> root directory security data happens upon security_sb_kern_mount, but
> this is called after the filesystem returns from its get_sb method.
> Unfortunately, reiserfs apparently tries to access the xattr directory
> during get_sb, so there is an attempted lookup before SELinux has
> initialized the security state on the root directory, and we get a
> denial on unlabeled_t.  I guess you need to allow mount_t
> unlabeled_t:dir search; to work around it.
>
>   
Should we allow this in policy?
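
The following is an added example, not part of the original message or of any SELinux tool: a small Python sketch that parses the AVC denial quoted above and derives the narrowest matching allow rule, so the rule under discussion can be checked against the log. The function names are hypothetical, and it goes slightly beyond the thread by merging permissions when several denials share the same source type, target type and class.

```python
import re

# The denial quoted in the thread, joined onto one line (the e-mail wrapped it).
SAMPLE = ('audit(1143660461.416:15): avc:  denied  { search } for  pid=1714 '
          'comm="mount" name="/" dev=md9 ino=2 '
          'scontext=system_u:system_r:mount_t:s0 '
          'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: do not guess the missing parts
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Extract the type from user:role:type[:mls-range]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]


def allow_rules(lines):
    """Build one allow rule per (source type, target type, class)."""
    grouped = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue  # e.g. the ReiserFS warning that follows the denial
        key = (type_of(avc['scontext']), type_of(avc['tcontext']),
               avc['tclass'])
        grouped.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, text))
    return rules
```

Run over the quoted log, `allow_rules` yields exactly the rule named in the reply, which confirms that the workaround grants only `search` on unlabeled directories to `mount_t` and nothing wider.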




More information about the fedora-selinux-list mailing list