SE Linux preventing mounting an iso on FC5 through nfs
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 11 20:07:16 UTC 2007
On Thu, 2007-01-11 at 14:34 -0500, Matthew Shapiro wrote:
> Hey all, A SE Linux newbie here. I am trying to learn SE Linux to fix
> this one issue we are having on our servers and I was hoping someone
> here might be able to give me some insight into the problem and tell me
> if I am following the correct line of thinking or not.
>
> We have FC5 systems with an automount point that mounts a directory on
> our main server for the cluster. Inside this mountpoint are some
> directories, which contain a list of rpms. Each of these rpms is really
> just a symlink to another automount point that automounts a certain
> Fedora Core iso image which really contains the real rpm. This makes it
> really easy to install the rpms without having to scour all four FC5 cds
> manually.
>
> The problem is that SE Linux doesn't seem to want us to mount the iso
> image automatically from nfs. When I directly use the mount command on
> the iso it mounts perfectly fine, but when I try to have the automounter
> mount it, it fails with the following error in /var/log/messages:
>
> avc: denied { read } for pid=1709 comm="mount"
> name="FC3-i386-disc1.iso" dev=0:17 no=1188825
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=file
audit2allow -M local < /var/log/messages
semodule -i local.pp
> After reading various SE Linux HOWTO's and pieces of documentation
Did you look at the Fedora SELinux FAQ and wiki pages?
http://fedora.redhat.com/docs/selinux-faq-fc5/
http://fedoraproject.org/wiki/SELinux/
> what
> it looks like to me (a SE Linux newbie) is that the mount_t domain does
> not have access to read files under the nfs_t domain security context.
> So after various reading I thought all I would have to do is create a
> domain transition from the mount_t domain to the nfs_t domain. I
> created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and
Are you actually using strict policy? It isn't the default in Fedora.
> added the following line:
>
> domain_auto_trans(mount_t, mount_exec_t, nfs_t)
nfs_t is a file type, not a process domain, and you want to allow
mount_t to read nfs_t:file, not transition into it.
> Finally, I decided to take a stab in the dark and try a different
> approach without dealing with domains. The only information I could
> deduce from those previous error messages were that one of those was not
> an actual domain. After looking at various entries in the policy.conf I
> commented out the domain transition and instead put in:
>
> allow mount_t nfs_t:file { read };
That looks correct, and is what audit2allow would generate.
> thinking that this would allow processes in the mount_t security context
> to read files in the nfs_t context. I then ran make load, which didn't
> give any hassle, looked in the policy.conf to make sure it was listed in
> there (which it was), and tried again. It still gave the original
> error.
load_policy will always load the active policy, as defined
by /etc/selinux/config, which defaults to targeted. In which case it
never looked at your policy at all. Also, you want to use a loadable
policy module since FC5 (and later) supports them.
--
Stephen Smalley
National Security Agency
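As an added example (not code from the thread or from Fedora), the steps Stephen describes in script form: take one AVC denial line, emit a loadable policy module source naming the types (mount_t, nfs_t) rather than a domain transition, and build it with checkmodule, semodule_package and semodule, which is what audit2allow -M plus semodule -i does. The sample AVC line is constructed to mirror the one quoted above; the build function is shown but not run, since it needs root and the policycoreutils tools.

```shell
#!/bin/sh
# Added example (not from the thread): turn one AVC denial into a
# loadable policy module, as audit2allow -M does, and build it.

# Constructed sample denial mirroring the one quoted in the thread.
SAMPLE_AVC='avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso" dev=0:17 ino=1188825 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field LINE KEY: the value of KEY=... in an AVC line.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# ctx_type CONTEXT: the type (third field) of user:role:type[:level].
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te NAME LINE: print module source for NAME allowing the denied
# access. The rule grants mount_t read on nfs_t:file; no transition.
avc_to_te() {
  name="$1"; line="$2"
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' |
          sed 's/^ *//; s/ *$//' | tr -s ' ')
  stype=$(ctx_type "$(avc_field "$line" scontext)")
  ttype=$(ctx_type "$(avc_field "$line" tcontext)")
  tclass=$(avc_field "$line" tclass)
  [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n' "$name" "$stype"
  [ "$stype" = "$ttype" ] || printf '\ttype %s;\n' "$ttype"
  printf '\tclass %s { %s };\n}\n\n' "$tclass" "$perms"
  printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# build_and_load NAME: compile NAME.te to NAME.pp and install it into the
# active policy (needs root and policycoreutils; not run here).
build_and_load() {
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}

# Example use on a real system:
#   avc_to_te local "$SAMPLE_AVC" > local.te && build_and_load local
```

Because semodule installs into the policy named in /etc/selinux/config, this takes effect on the targeted policy that FC5 actually runs, unlike editing the strict source tree.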