Can an ISO be specified to allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share

Paul Howarth paul at city-fan.org
Sun Jul 13 19:57:27 UTC 2008


On Sun, 13 Jul 2008 11:41:34 +0100
Frank Murphy <frankly3d at gmail.com> wrote:

> Summary:
> 
> SELinux prevented mount from mounting on the file or directory
> "./Fedora-9-Everything-i386-DVD1.iso" (type "samba_share_t").
> 
> Detailed Description:
> 
> SELinux prevented mount from mounting a filesystem on the file or
> directory "./Fedora-9-Everything-i386-DVD1.iso" of type
> "samba_share_t". By default SELinux limits the mounting of filesystems
> to only some files or directories (those with types that have the
> mountpoint attribute). The type "samba_share_t" does not have this
> attribute. You can either relabel the file or directory or set the
> boolean "allow_mount_anyfile" to true to allow mounting on any file or
> directory.
> 
> Allowing Access:
> 
> Changing the "allow_mount_anyfile" boolean to true will allow this
> access: "setsebool -P allow_mount_anyfile=1."
> 
> The following command will allow this access:
> 
> setsebool -P allow_mount_anyfile=1
> 
> Additional Information:
> 
> Source Context                system_u:system_r:mount_t
> Target Context                user_u:object_r:samba_share_t
> Target Objects                ./Fedora-9-Everything-i386-DVD1.iso [ file ]
> Source                        mount
> Source Path                   /bin/mount
> Port                          <Unknown>
> Host                          server-01
> Source RPM Packages           util-linux-2.13-0.47.el5
> Target RPM Packages           
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_mount_anyfile
> Host Name                     server-01
> Platform                      Linux server-01 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon
> Alert Count                   3
> First Seen                    Sun 13 Jul 2008 10:26:26 IST
> Last Seen                     Sun 13 Jul 2008 11:07:49 IST
> Local ID                      268bdb54-5d8d-4c81-b7ba-0392b5cea34e
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=server-01 type=AVC msg=audit(1215943669.186:14): avc:  denied
> { write } for  pid=2898 comm="mount"
> name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227
> scontext=system_u:system_r:mount_t:s0
> tcontext=user_u:object_r:samba_share_t:s0 tclass=file
> 
> host=server-01 type=SYSCALL msg=audit(1215943669.186:14):
> arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0
> a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0
> key=(null)

This is normal; you need to set the context type of the mountpoint
directory to mnt_t. You may also want to set the context for the
mounted ISO image too if you want to share it out using samba, http,
etc. See http://www.city-fan.org/tips/SubsetRepositoriesFedora9

Paul.
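The denial above and Paul's suggested fix, worked through in shell as an added example (not code from the thread or from the city-fan.org tips page). The script decodes the AVC/SYSCALL pair quoted in Frank's post into "source type, target type, class, permission" and the open(2) access mode (a1=8002 on i386 is O_RDWR|O_LARGEFILE, so mount opened the image for writing, which is the { write } that was denied), then prints the labelling commands instead of flipping allow_mount_anyfile: mnt_t on the mountpoint directory as Paul says, a read-only loop mount so the image is only opened for reading, and context=public_content_t on the mounted tree (iso9660 carries no security xattrs, so the type for the mounted files is supplied as a mount option; public_content_t is the targeted policy's type for read-only export by samba, httpd and vsftpd). The image file itself is relabelled mount_loopback_t, the reference policy's type for loopback-mountable images; that the installed policy defines it is an assumption, so check with `seinfo -t mount_loopback_t` first. The ISO path and mount point are made-up paths. Pass "apply" as the third argument to actually run the commands (root and policycoreutils required); without it nothing on the system is touched.

```shell
#!/bin/sh
# Added example: decode the quoted SELinux denial and plan the labelling fix.
# Not part of the original thread; paths and the mount_loopback_t choice are
# assumptions (verify the type exists: seinfo -t mount_loopback_t).

# Raw AVC and SYSCALL records copied from the post above (one line each).
AVC_LINE='host=server-01 type=AVC msg=audit(1215943669.186:14): avc:  denied  { write } for  pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_share_t:s0 tclass=file'
SYSCALL_LINE='host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)'

# field LINE KEY -> value of the first "KEY=value" (quotes stripped).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# type_of CONTEXT -> the type component of user:role:type[:level].
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# summarize_avc LINE -> "source_type target_type class permission".
summarize_avc() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p')
    printf '%s %s %s %s\n' "$(type_of "$(field "$1" scontext)")" \
        "$(type_of "$(field "$1" tcontext)")" "$(field "$1" tclass)" "$perm"
}

# open_mode HEXFLAGS -> access mode from the low two bits of open(2) flags
# (a1 of syscall 5 on i386; 0x8002 = O_RDWR|O_LARGEFILE).
open_mode() {
    case $(( 0x$1 & 3 )) in
        0) echo O_RDONLY ;;
        1) echo O_WRONLY ;;
        2) echo O_RDWR ;;
        *) echo invalid ;;
    esac
}

# plan_iso_mount ISO MOUNTPOINT [apply]
# Prints the labelling and mount commands; "apply" runs them instead.
# mnt_t on the mountpoint is the fix suggested in the reply; the other
# types are this example's assumptions (see the comment at the top).
plan_iso_mount() {
    iso=$1; mnt=$2; mode=${3:-print}
    # semanage fcontext takes a regex: escape the dots in the paths.
    iso_re=$(printf '%s' "$iso" | sed 's/[.]/\\./g')
    mnt_re=$(printf '%s' "$mnt" | sed 's/[.]/\\./g')
    set -- \
      "semanage fcontext -a -t mnt_t '${mnt_re}(/.*)?'" \
      "semanage fcontext -a -t mount_loopback_t '${iso_re}'" \
      "restorecon -Rv '$mnt' '$iso'" \
      "mount -o loop,ro,context=system_u:object_r:public_content_t:s0 '$iso' '$mnt'"
    for cmd in "$@"; do
        if [ "$mode" = apply ]; then eval "$cmd"; else printf '%s\n' "$cmd"; fi
    done
}

# Stand-alone run: show what was denied and the planned fix.
printf 'denied: %s (image opened %s, errno %s)\n' \
    "$(summarize_avc "$AVC_LINE")" \
    "$(open_mode "$(field "$SYSCALL_LINE" a1)")" \
    "$(field "$SYSCALL_LINE" exit)"
plan_iso_mount /srv/isos/Fedora-9-Everything-i386-DVD1.iso /srv/mnt/fedora9
```

After applying, `ls -Zd /srv/mnt/fedora9` should show mnt_t on the directory and `ls -Z /srv/mnt/fedora9` public_content_t on the mounted files; if a fresh AVC appears, run the same summarize_avc over it to see which type still needs a label before reaching for any boolean.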