SE Linux preventing mounting an iso on FC5 through nfs

Thu Jan 11 20:07:16 UTC 2007

On Thu, 2007-01-11 at 14:34 -0500, Matthew Shapiro wrote:
> Hey all, A SE Linux newbie here.  I am trying to learn SE Linux to fix
> this one issue we are having on our servers and I was hoping someone
> here might be able to give me some insight into the problem and tell me
> if I am following the correct line of thinking or not.  
> 
> We have FC5 systems with an automount point that mounts a directory on
> our main server for the cluster.  Inside this mountpoint are some
> directories, which contain a list of rpms.  Each of these rpms is really
> just a symlink to another automount point that automounts a certain
> Fedora Core iso image which really contains the real rpm.  This makes it
> really easy to install the rpms without having to scour all four FC5 cds
> manually.  
> 
> The problem is that SE Linux doesn't seem to want us to mount the iso
> image automatically from nfs.  When I directly use the mount command on
> the iso it mounts perfectly fine, but when I try to have the automounter
> mount it, it fails with the following error in /var/log/messages:
> 
>   avc:  denied  { read } for  pid=1709 comm="mount"
> name="FC3-i386-disc1.iso" dev=0:17 no=1188825
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=file

audit2allow -M local < /var/log/messages
semodule -i local.pp

> After reading various SE Linux HOWTO's and pieces of documentation

Did you look at the Fedora SELinux FAQ and wiki pages?
http://fedora.redhat.com/docs/selinux-faq-fc5/
http://fedoraproject.org/wiki/SELinux/

>  what
> it looks like to me (a SE Linux newbie) is that the mount_t domain does
> not have access to read files under the nfs_t domain security context. 
> So after various reading I thought all I would have to do is create a
> domain transition from the mount_t domain to the nfs_t domain.  I
> created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and

Are you actually using strict policy?  It isn't the default in Fedora.

> added the following line:
> 
>  domain_auto_trans(mount_t, mount_exec_t, nfs_t)

nfs_t is a file type, not a process domain, and you want to allow
mount_t to read nfs_t:file, not transition into it.

> Finally, I decided to take a stab in the dark and try a different
> approach without dealing with domains.  The only information I could
> deduce from those previous error messages were that one of those was not
> an actual domain.  After looking at various entries in the policy.conf I
> commented out the domain transition and instead put in: 
> 
>  allow mount_t nfs_t:file { read };

That looks correct, and is what audit2allow would generate.

> thinking that this would allow processes in the mount_t security context
> to read files in the nfs_t context.  I then ran make load, which didn't
> give any hassle, looked in the policy.conf to make sure it was listed in
> there (which it was), and tried again.  It still gave the original
> error.

load_policy will always load the active policy, as defined
by /etc/selinux/config, which defaults to targeted.  In which case it
never looked at your policy at all.  Also, you want to use a loadable
policy module since FC5 (and later) supports them.

-- 
Stephen Smalley
National Security Agency