How to get unionfs to work with SELinux on Fedora 5?

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 27 15:45:42 UTC 2006


On Wed, 2006-09-27 at 17:24 +0200, Andreas Sachs wrote:
> Hello
> 
> I'm running Fedora Core 5 Server with the unionfs file system to merge
> some directories and export them through NFS. SELinux is in enforcing
> mode and the targeted policy is selected. Unionfs is built with
> extended attributes support (EXTRACFLAGS=-DUNIONFS_XATTR).
> 
> When I try to mount the union from a client I get a permission denied
> error from server.
> 
> The following is in my /var/log/messages on the server:
> 
> Nov  1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling
> 
> Nov  1 10:32:43 localhost kernel: audit(1162373563.375:109): avc: denied  { getattr } for  pid=2021 comm="hald" name="/" dev=unionfs ino=744 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> 
> Nov  1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> 
> Nov  1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test)
> 
> Nov  1 10:50:57 localhost kernel: audit(1162374657.632:111): avc: denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> 
> Nov  1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied
> 
> For Red Hat Enterprise Linux there is a workaround:
> 
>     1. Install the strict/targeted SELinux policy sources
>     2. Open /etc/selinux/<policy_type>/src/policy/fs_use
>     3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;"
>     4. Compile, install, and reload the SELinux policy
> 
> How can I adapt the workaround to work on Fedora 5, since there are
> no policy sources available?

Policy sources are still available, but only in the .src.rpm file.

> How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on
> Fedora Core 5?

You can build a modified policy that includes that statement, either
from the .src.rpm or from the upstream policy.

You could also use a context= mount to cause SELinux to treat the
unionfs mount as having a particular context rather than calling
getxattr on the underlying filesystem.

-- 
Stephen Smalley
National Security Agency
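The two remedies in the reply, as an added example that is not code from the thread or from either poster: a small sh script that picks out, from log lines like the ones quoted above, the filesystem SELinux mounted "not configured for labeling" and is now denying as unlabeled_t, then prints the context= mount line and the fs_use_xattr policy line that address it. The mount point, the lower directories, the dirs= option syntax and the public_content_t label chosen for the union are assumptions, not details from the thread; the log lines are constructed to match the question.

```shell
#!/bin/sh
# Added example, not code from the original thread. It does two things the
# reply suggests but does not spell out: (1) pick out, from log lines like
# the ones posted, the filesystem that SELinux mounted "not configured for
# labeling" and that is now being denied as unlabeled_t; (2) print the
# context= mount line and the fs_use_xattr policy line that address it.
# The mount point, lower directories, dirs= option syntax and the file
# context chosen for the union are assumptions, not taken from the thread.

# Constructed sample log, modelled on the lines quoted in the question.
SAMPLE_LOG=$(cat <<'EOF'
Nov  1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling
Nov  1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied  { getattr } for  pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov  1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test)
Nov  1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied
EOF
)

# unlabeled_fs_devs LOG: every dev= named in an AVC denial whose target
# context is unlabeled_t, one per line, deduplicated.
unlabeled_fs_devs() {
    printf '%s\n' "$1" |
        grep 'avc: *denied' |
        grep 'tcontext=[^ ]*:unlabeled_t' |
        sed -n 's/.*dev=\([^ ]*\).*/\1/p' |
        sort -u
}

# fs_not_configured LOG DEV: true if SELinux logged DEV as "not configured
# for labeling", i.e. no fs_use_* or genfscon rule in the loaded policy
# matched its filesystem type, so every inode on it reads as unlabeled_t.
fs_not_configured() {
    printf '%s\n' "$1" |
        grep -q "SELinux: initialized (dev $2, type [^)]*), not configured for labeling"
}

# context_mount_cmd MOUNTPOINT CONTEXT LOWERDIR...: the context= mount that
# gives every inode in the union one fixed label instead of asking the
# lower filesystems for security.selinux xattrs. The dirs=A:B form is the
# option syntax of the out-of-tree unionfs of that era (assumption).
context_mount_cmd() {
    mp=$1; ctx=$2; shift 2
    dirs=$(printf '%s:' "$@"); dirs=${dirs%:}
    printf 'mount -t unionfs -o dirs=%s,context=%s none %s\n' "$dirs" "$ctx" "$mp"
}

# fs_use_line FSTYPE: the statement from the RHEL workaround, to be added to
# a policy rebuilt from the .src.rpm or from upstream policy.
fs_use_line() {
    printf 'fs_use_xattr %s system_u:object_r:fs_t;\n' "$1"
}

# Walk the sample log and print the diagnosis and both remedies.
# public_content_t is only a plausible, nfsd-readable label (assumption);
# check what the installed targeted policy lets nfsd_t read before using it.
diagnose() {
    for dev in $(unlabeled_fs_devs "$1"); do
        if fs_not_configured "$1" "$dev"; then
            echo "$dev: mounted without a labeling rule, denials are against unlabeled_t"
            echo "  either rebuild policy with: $(fs_use_line "$dev")"
            echo "  or mount with a fixed label: $(context_mount_cmd /test system_u:object_r:public_content_t:s0 /srv/a=ro /srv/b=rw)"
        fi
    done
}

diagnose "$SAMPLE_LOG"
```

After a context= mount, `ls -Zd /test` should show the chosen context and the "not configured for labeling" line should no longer appear for that device; the xattr build of unionfs is not needed for that route, since the kernel never calls getxattr on the lower layers. The trade-off is that one label covers the whole union, so per-file labels on the lower directories are not honoured; the fs_use_xattr route keeps per-file labels but needs the union to pass security.selinux through from the lower filesystems and a policy rebuilt with that statement loaded.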
