How to get unionfs to work with SELinux on Fedora 5?

Andreas Sachs soxos at gmx.de
Wed Sep 27 15:24:19 UTC 2006


Hello

 

I'm running Fedora Core 5 Server with unionfs file system to merge some
directories and export them through nfs. SELinux is in enforcing mode and
the targeted-policy is selected. Unionfs is built with extended attributes
support (EXTRACFLAGS=-DUNIONFS_XATTR).

When I try to mount the union from a client I get a permission denied error
from the server.

The following is in my /var/log/messages on the server:

Nov  1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling

Nov  1 10:32:43 localhost kernel: audit(1162373563.375:109): avc:  denied  { getattr } for  pid=2021 comm="hald" name="/" dev=unionfs ino=744 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

Nov  1 10:50:57 localhost kernel: audit(1162374657.604:110): avc:  denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

Nov  1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test)

Nov  1 10:50:57 localhost kernel: audit(1162374657.632:111): avc:  denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

Nov  1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied

For Red Hat Enterprise Linux there is a workaround:

    1. Install strict/targeted selinux policy sources
    2. Open /etc/selinux/<policy_type>/src/policy/fs_use
    3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;"
    4. Compile, install, and reload the selinux policy

How can I adapt the workaround to work on Fedora 5, because there are no
policy sources available?

How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on Fedora
Core 5?

 

Thanks!

 

Andreas Sachs
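
An added example, not part of the original post: a Python sketch that parses the log excerpt above and checks whether each AVC denial targets `unlabeled_t` on a device the kernel reported as "not configured for labeling". The function names are hypothetical; the sample lines are the log records from the post, one record per line.

```python
import re
from collections import Counter

# Log records from the post, one record per line (mail line wraps undone).
SAMPLE_LOG = """\
Nov  1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling
Nov  1 10:32:43 localhost kernel: audit(1162373563.375:109): avc:  denied  { getattr } for  pid=2021 comm="hald" name="/" dev=unionfs ino=744 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov  1 10:50:57 localhost kernel: audit(1162374657.604:110): avc:  denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov  1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test)
Nov  1 10:50:57 localhost kernel: audit(1162374657.632:111): avc:  denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov  1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied
"""

UNLABELED_FS = re.compile(
    r"SELinux: initialized \(dev ([^,\s]+), type ([^)\s]+)\), not configured for labeling")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the fields in one AVC denial, or None for other lines."""
    m = AVC.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Count denials and pick out those explained by a missing labeling rule."""
    unlabeled_devs, denials = set(), Counter()
    for line in log_text.splitlines():
        fs = UNLABELED_FS.search(line)
        if fs:
            unlabeled_devs.add(fs.group(1))
            continue
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                key = (rec["source_type"], rec["target_type"],
                       rec["tclass"], perm, rec.get("dev"))
                denials[key] += 1
    # Target is unlabeled_t and sits on a device the kernel could not label.
    labeling = {k: n for k, n in denials.items()
                if k[1] == "unlabeled_t" and k[4] in unlabeled_devs}
    return unlabeled_devs, denials, labeling

if __name__ == "__main__":
    devs, denials, labeling = summarize(SAMPLE_LOG)
    for (src, tgt, cls, perm, dev), n in sorted(denials.items()):
        print(f"{n}x {src} -> {tgt}:{cls} {{{perm}}} dev={dev}")
```
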

 


More information about the fedora-selinux-list mailing list