SE Linux preventing mounting an iso on FC5 through nfs
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 11 21:26:55 UTC 2007
On Thu, 2007-01-11 at 16:04 -0500, Matthew Shapiro wrote:
> >>> Stephen Smalley <sds at tycho.nsa.gov> 01/11/07 3:07 PM >>>
> >audit2allow -M local < /var/log/messages
> >semodule -i local.pp
>
> Wow that makes life simple. Thanks a lot!
>
> >Did you look at the Fedora SELinux FAQ and wiki pages?
> >http://fedora.redhat.com/docs/selinux-faq-fc5/
> >http://fedoraproject.org/wiki/SELinux/
>
> Actually I did not know about these (the HOWTOs I found were a policy
> HOWTO and a general (focused on Debian) SELinux introduction). These
> look like great resources though.
>
> > Are you actually using strict policy? It isn't the default in Fedora.
>
> Ah that explains it. I actually got confused with the versions
> (installed the strict src from fc3 by accident, targeted wouldn't
> install) and that explains why my last attempt didn't work. I
> confirmed and it is set up to use targeted. Though the loadable modules
> that I now know about make doing this much easier anyways.
>
> >nfs_t is a file type, not a process domain, and you want to allow
> >mount_t to read nfs_t:file, not transition into it.
>
> Gotcha. From the documentation I read it made it seem like the _t
> denoted a domain. Guess I have some more reading to do to fully
> understand everything that is going on.
A domain is just a kind of type, specifically a process type. SELinux
collapses the two concepts together.
--
Stephen Smalley
National Security Agency