SE Linux preventing mounting an iso on FC5 through nfs

Matthew Shapiro mshapiro at mail.ucf.edu
Thu Jan 11 19:34:57 UTC 2007


Hey all, an SE Linux newbie here.  I am trying to learn SE Linux to fix
this one issue we are having on our servers and I was hoping someone
here might be able to give me some insight into the problem and tell me
if I am following the correct line of thinking or not.  

We have FC5 systems with an automount point that mounts a directory on
our main server for the cluster.  Inside this mountpoint are some
directories, which contain a list of rpms.  Each of these rpms is really
just a symlink to another automount point that automounts a certain
Fedora Core iso image which really contains the real rpm.  This makes it
really easy to install the rpms without having to scour all four FC5 cds
manually.  

The problem is that SE Linux doesn't seem to want us to mount the iso
image automatically from nfs.  When I directly use the mount command on
the iso it mounts perfectly fine, but when I try to have the automounter
mount it, it fails with the following error in /var/log/messages:

  avc:  denied  { read } for  pid=1709 comm="mount"
name="FC3-i386-disc1.iso" dev=0:17 no=1188825
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

After reading various SE Linux HOWTOs and pieces of documentation what
it looks like to me (a SE Linux newbie) is that the mount_t domain does
not have access to read files under the nfs_t domain security context. 
So after various reading I thought all I would have to do is create a
domain transition from the mount_t domain to the nfs_t domain.  I
created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and
added the following line:

 domain_auto_trans(mount_t, mount_exec_t, nfs_t)

Unfortunately, when I did a make load I got the following two errors:

 assertion on line 226661 violated by allow nfs_t mount_t:process { sigchld };
 assertion on line 226508 violated by allow mount_t nfs_t:process { transition };

Line 226661 of policy.conf contains 

 neverallow ~{ domain unlabeled_t } *:process *;

and line 226508 of policy.conf contains

 neverallow domain ~domain:process transition;

Unfortunately, with my limited knowledge in SE Linux I am unsure of what
is wrong with my statement, why it violates those two rules, what those
two rules really mean and even if I am following the correct path.  I
also tried to switch mount_t and nfs_t in the domain_auto_trans function
which resulted in the same assertions.  

Finally, I decided to take a stab in the dark and try a different
approach without dealing with domains.  The only information I could
deduce from those previous error messages were that one of those was not
an actual domain.  After looking at various entries in the policy.conf I
commented out the domain transition and instead put in: 

 allow mount_t nfs_t:file { read };

thinking that this would allow processes in the mount_t security context
to read files in the nfs_t context.  I then ran make load, which didn't
give any hassle, looked in the policy.conf to make sure it was listed in
there (which it was), and tried again.  It still gave the original
error.

After reading various threads on mailing lists (found through Google) I
decided to try giving the main directory a different security context so
it wasn't in the nfs_t domain.  So I edited the /etc/auto.misc entry for
the original mountpoint to include context=system_u:object_r:tmp_t,
which failed with the message:

 SELinux: security_context_to_sid(system_u:object_r/tmp_t) failed for
(dev 0:17, type nfs) errno=-22

which I am guessing means it doesn't have access to change security
contexts.

I am really stumped as to how to proceed from here.  If anyone could
give me any advice I would really appreciate it. 

Thanks
--Matthew Shapiro
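The following is an added worked example, not part of Matthew's post or of the Fedora policy. It parses an AVC denial of the form quoted above into the allow rule that would grant it (the same derivation he did by hand), then checks candidate process-class rules against the two neverallow assertions he hit. The DOMAINS set is a constructed stand-in for the policy's "domain" attribute, and the macro expansion only models the two process rules the assertion messages name; both are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the AVC denial quoted in the post,
# rejoined onto one line (the kernel's inode field is spelled "ino=").
SAMPLE_AVC = (
    'avc:  denied  { read } for  pid=1709 comm="mount" name="FC3-i386-disc1.iso" '
    'dev=0:17 ino=1188825 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset

    def __str__(self):
        return f"allow {self.source} {self.target}:{self.tclass} {{ {' '.join(sorted(self.perms))} }};"


def context_type(ctx):
    """user:role:type[:range] -> type (the part a TE rule refers to)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Turn one 'avc: denied' message into the allow rule that would grant it."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AllowRule(
        source=context_type(fields['scontext']),
        target=context_type(fields['tcontext']),
        tclass=fields['tclass'],
        perms=frozenset(m.group('perms').split()),
    )


def expand_domain_auto_trans(source, entry_type, target):
    """Assumption: only the two process-class rules named by the assertions in
    the post are modelled here; the real macro generates more rules than this."""
    return [
        AllowRule(source, target, 'process', frozenset({'transition'})),
        AllowRule(target, source, 'process', frozenset({'sigchld'})),
    ]


def violated_assertions(rule, domains):
    """Check one allow rule against the two neverallow lines quoted in the post."""
    hits = []
    if rule.tclass != 'process':
        return hits
    # neverallow ~{ domain unlabeled_t } *:process *;
    # (only domains may be the *source* of any process permission)
    if rule.source not in domains and rule.source != 'unlabeled_t':
        hits.append(f"neverallow ~{{ domain unlabeled_t }} *:process *;  ({rule.source} is not a domain)")
    # neverallow domain ~domain:process transition;
    # (a domain may only transition *into* another domain)
    if rule.source in domains and rule.target not in domains and 'transition' in rule.perms:
        hits.append(f"neverallow domain ~domain:process transition;  ({rule.target} is not a domain)")
    return hits


# Constructed stand-in for the policy's "domain" attribute: nfs_t is a file
# type, not a process domain, which is what both assertions complain about.
DOMAINS = frozenset({'mount_t', 'automount_t', 'unconfined_t'})


def analyse(avc_line, domains=DOMAINS):
    """Suggested rule for the denial, plus why a domain_auto_trans to the
    target type cannot be loaded."""
    rule = parse_avc(avc_line)
    report = {'suggested': str(rule), 'macro_violations': {}}
    for r in expand_domain_auto_trans(rule.source, 'mount_exec_t', rule.target):
        for v in violated_assertions(r, domains):
            report['macro_violations'][str(r)] = v
    return report


if __name__ == '__main__':
    result = analyse(SAMPLE_AVC)
    print("suggested:", result['suggested'])
    for bad_rule, why in result['macro_violations'].items():
        print("rejected: ", bad_rule, "->", why)
```

Run against the quoted denial, the suggested rule is exactly the `allow mount_t nfs_t:file { read };` line tried in the post, and both expanded process rules are reported as rejected because nfs_t is not in the domain attribute; a transition target that is a domain passes both checks.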
