How to get unionfs work with SELinux on Fedora 5?
Stephen Smalley
sds at tycho.nsa.gov
Wed Sep 27 15:45:42 UTC 2006
On Wed, 2006-09-27 at 17:24 +0200, Andreas Sachs wrote:
> Hello
>
> I’m running Fedora Core 5 Server with unionfs file system to merge
> some directories and export them through nfs. SELinux is in enforcing
> mode and the targeted-policy is selected. Unionfs is built with
> extended attributes support (EXTRACFLAGS=-DUNIONFS_XATTR).
>
> When I try to mount the union from a client I get a permission denied
> error from server.
>
> The following is in my /var/log/messages on the server:
>
>
> Nov 1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs,
> type unionfs), not configured for labeling
>
> Nov 1 10:32:43 localhost kernel: audit(1162373563.375:109): avc:
> denied { getattr } for pid=2021 comm="hald" name="/" dev=unionfs
> ino=744 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
> Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc:
> denied { getattr } for pid=1810 comm="rpc.mountd" name="/"
> dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
> Nov 1 10:50:57 localhost mountd[1810]: authenticated mount request
> from 192.168.1.13:1011 for /test (/test)
>
> Nov 1 10:50:57 localhost kernel: audit(1162374657.632:111): avc:
> denied { getattr } for pid=1810 comm="rpc.mountd" name="/"
> dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
> Nov 1 10:50:57 localhost mountd[1810]: can't stat exported dir /test:
> Permission denied
>
>
> For the Red Hat Enterprise Linux there is a workaround:
>
> 1. Install strict/targeted selinux policy sources
> 2. Open /etc/selinux/<policy_type>/src/policy/fs_use
> 3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;"
> 4. Compile, install, and reload the selinux policy
>
>
> How can I adapt the workaround to work on Fedora 5, because there are
> no policy sources available?
Policy sources are still available, but only in the .src.rpm file.
> How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on
> Fedora Core 5?
You can build a modified policy that includes that statement, either
from the .src.rpm or from the upstream policy.
You could also use a context= mount to cause SELinux to treat the
unionfs mount as having a particular context rather than calling
getxattr on the underlying filesystem.
--
Stephen Smalley
National Security Agency
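The following is an added shell example, not code from either poster. It does two things the thread talks about: it spots the two diagnostic signals in the quoted log (the "not configured for labeling" line for a device, and AVC denials whose target is unlabeled_t, which is what a domain sees when SELinux has no labeling rule for a filesystem), and it builds the context= mount option from the reply, which labels the whole union with one fixed context so SELinux never calls getxattr on the branches underneath. The log lines are constructed by re-joining the wrapped lines from the quoted message; the unionfs mount syntax (dirs=branch=rw:branch=ro) is an assumption about the unionfs of that era and is not from the post; fs_t is used as the default type only because it is the type in the quoted fs_use_xattr workaround, and the type you pick has to be one the running policy lets nfsd_t (and hald_t) read.

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines are constructed by
# re-joining the wrapped lines quoted in the original question.
AVC_SAMPLE=$(cat <<'EOF'
Nov 1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling
Nov 1 10:32:43 localhost kernel: audit(1162373563.375:109): avc: denied { getattr } for pid=2021 comm="hald" name="/" dev=unionfs ino=744 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test)
Nov 1 10:50:57 localhost kernel: audit(1162374657.632:111): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied
EOF
)

# Print the device name of every filesystem the kernel reported as
# "not configured for labeling": no fs_use_* or genfscon rule matched it.
unconfigured_fs() {
    sed -n 's/.*SELinux: initialized (dev \([^,]*\), type [^)]*), not configured for labeling.*/\1/p'
}

# Print "comm dev scontext tclass" for each AVC denial whose target context
# is unlabeled_t. Such denials point at a labeling gap, not at a missing
# allow rule for the domain, so the fix is a labeling rule or a context= mount.
unlabeled_denials() {
    awk '
        /avc: +denied/ {
            comm = dev = sctx = tctx = cls = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")          comm = kv[2]
                else if (kv[1] == "dev")      dev = kv[2]
                else if (kv[1] == "scontext") sctx = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass")   cls = kv[2]
            }
            gsub(/"/, "", comm)
            if (tctx ~ /:unlabeled_t(:|$)/)
                print comm, dev, sctx, cls
        }'
}

count_unlabeled_denials() {
    unlabeled_denials | wc -l | tr -d ' '
}

# Mount option from the reply: one fixed context for the whole union.
# $1 is the type; fs_t is only the default because the quoted workaround
# used it. Choose a type the running policy lets nfsd_t read.
context_mount_opt() {
    printf 'context=system_u:object_r:%s:s0\n' "${1:-fs_t}"
}

# Assumed unionfs 1.x syntax (dirs=/branch=rw:/branch=ro); not from the post.
# $1 = branch spec, $2 = mount point, $3 = optional type for context=.
unionfs_mount_cmd() {
    printf 'mount -t unionfs -o dirs=%s,%s none %s\n' \
        "$1" "$(context_mount_opt "$3")" "$2"
}

# Stand-alone run: show what the checks find in the sample and the command
# that applies the reply's workaround.
printf '%s\n' "$AVC_SAMPLE" | unconfigured_fs
printf '%s\n' "$AVC_SAMPLE" | unlabeled_denials
unionfs_mount_cmd /srv/branch1=rw:/srv/branch2=ro /test
```

Run it against your own /var/log/messages with `unlabeled_denials < /var/log/messages`; if every hit has dev=unionfs and tcontext unlabeled_t, adding an allow rule for nfsd_t would be the wrong fix, because the object has no usable label yet. After mounting with the context= option, `ls -Zd /test` should show the chosen context instead of unlabeled_t.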