Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" insted of "setsebool -P allow_mount_anyfile=1" SE context samba share
Paul Howarth
paul at city-fan.org
Sun Jul 13 19:57:27 UTC 2008
On Sun, 13 Jul 2008 11:41:34 +0100
Frank Murphy <frankly3d at gmail.com> wrote:
> Summary:
>
> SELinux prevented mount from mounting on the file or directory
> "./Fedora-9-Everything-i386-DVD1.iso" (type "samba_share_t").
>
> Detailed Description:
>
> SELinux prevented mount from mounting a filesystem on the file or
> directory
> "./Fedora-9-Everything-i386-DVD1.iso" of type "samba_share_t". By
> default
> SELinux limits the mounting of filesystems to only some files or
> directories
> (those with types that have the mountpoint attribute). The type
> "samba_share_t"
> does not have this attribute. You can either relabel the file or
> directory or
> set the boolean "allow_mount_anyfile" to true to allow mounting on any
> file or
> directory.
>
> Allowing Access:
>
> Changing the "allow_mount_anyfile" boolean to true will allow this
> access:
> "setsebool -P allow_mount_anyfile=1."
>
> The following command will allow this access:
>
> setsebool -P allow_mount_anyfile=1
>
> Additional Information:
>
> Source Context system_u:system_r:mount_t
> Target Context user_u:object_r:samba_share_t
> Target Objects ./Fedora-9-Everything-i386-DVD1.iso
> [ file ]
> Source mount
> Source Path /bin/mount
> Port <Unknown>
> Host server-01
> Source RPM Packages util-linux-2.13-0.47.el5
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_mount_anyfile
> Host Name server-01
> Platform Linux server-01 2.6.18-92.1.6.el5 #1 SMP
> Wed Jun
> 25 13:49:24 EDT 2008 i686 athlon
> Alert Count 3
> First Seen Sun 13 Jul 2008 10:26:26 IST
> Last Seen Sun 13 Jul 2008 11:07:49 IST
> Local ID 268bdb54-5d8d-4c81-b7ba-0392b5cea34e
> Line Numbers
>
> Raw Audit Messages
>
> host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied
> { write } for pid=2898 comm="mount"
> name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227
> scontext=system_u:system_r:mount_t:s0
> tcontext=user_u:object_r:samba_share_t:s0 tclass=file
>
> host=server-01 type=SYSCALL msg=audit(1215943669.186:14):
> arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0
> a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0
> key=(null)
This is normal; you need to set the context type of the mountpoint
directory to mnt_t. You may also want to set the context for the
mounted ISO image too if you want to share it out using samba, http,
etc. See http://www.city-fan.org/tips/SubsetRepositoriesFedora9
Paul.
More information about the fedora-selinux-list
mailing list