SELinux concerning /home symlink?

Paul Howarth paul at city-fan.org
Wed Jul 30 11:18:00 UTC 2008


max bianco wrote:
> On Fri, Jul 25, 2008 at 8:18 PM, Paul Howarth <paul at city-fan.org> wrote:
>> On Fri, 25 Jul 2008 21:54:51 +0000 (UTC)
>> Mike  <mike.cloaked at gmail.com> wrote:
>>
>>> Mike <mike.cloaked <at> gmail.com> writes:
>>>
>>>> Thanks everyone - I will try bind mounting this evening....
>>> I got the /home pointing to /opt/Local/home just fine - but ...now
>>> doing mail:
>>>
>>> Having just been pretty pleased with myself for getting my system
>>> running I now find a problem.... This question was also posted to
>>> Fedora list.
>>>
>>> First I have my home directory bind mounted from /home
>>> to /opt/Local/home with no problems, and I bind mount using an fstab
>>> entry like /opt/Local/home   /home   ext3 bind 0 0
>>>
>>> The context for /home is system_u:object_r:home_root_t:s0
>>> and for /opt/Local/home it is the same.
>>>
>>> The mount works fine during boot - so I tried the same with my mail.
>>>
>>> I have an fstab entry
>>> /opt/Local/spool/mail /var/spool/mail   ext3 bind  0 0
>>>
>>> The context for /var/spool/mail is system_u:object_r:mail_spool_t:s0
>>> and for /opt/Local/spool/mail it is also the same.
>>>
>>> I can manually do
>>> mount /var/spool/mail  and the bind mount works fine.
>>>
>>> However on boot I get an avc denial, with kernel: type=1400 and
>>> avc: denied {mounton} .... comm="mount" path="/var/spool/mail"
>>> dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:so
>>> tcontext=system_u:object_r:mail_spool_t:so class=dir
>>>
>>> I am not sure what to change to make this work?
>> First temporarily unmount the bind mount:
>> # umount /var/spool/mail
>>
>> Then change the context of the original /var/spool/mail to make it
>> suitable for use as a mount point:
>> # chcon -t mnt_t /var/spool/mail
>>
>> Mount at boot should now work. You can simulate this without actually
>> rebooting by doing:
>> # service netfs start
>>
>> Cheers, Paul.
>>
> Could I trouble you to be slightly more verbose so novices like myself
> can get a better handle on the solution, because otherwise every
> situation even remotely like this is going to get this solution
> applied and this may not always be appropriate or suitable.

Sure.

The underlying problem is that "mount", when run confined by SELinux, is 
only allowed to mount filesystems on mount points that have specific 
context types, such as mnt_t. If you set up your partitioning at install 
time, the installer generally sets the context types of the directories 
to be used as mount points correctly. However, if you change your 
filesystem arrangement at a later date then the mount point directory 
you're using will probably have some other context type, such as 
mail_spool_t in this case, which mount isn't normally allowed to use as 
a mount point, and you get the AVC denials and failure to mount as a 
result. The fix is simply to label the mount point directory 
appropriately for a mount point.

The other issue is why the original setup fails at boot time when it 
works just fine manually. The reason for this is that if you run "mount" 
manually, it runs unconfined (as do most programs, e.g. httpd) but if 
you run it from an initscript (as happens at boot time), the mount 
process transitions to the correct confined domain. So you get the 
denials at boot time but not when running "mount" manually. For this 
reason, I always now use "service netfs start" rather than "mount -a" 
after making changes to my filesystem layouts to check for SELinux issues.

Hope that clears it up.

Cheers, Paul.
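As an added illustration of Paul's explanation (this is not part of the thread, and not a Fedora tool): the shell functions below take an AVC denial line in the kernel audit format, pull out the permission, the source and target types and the path, and decide whether it is the mount-point labelling case Paul describes, i.e. the confined mount_t domain being refused mounton on a directory whose type is not a mount-point type. Only in that case do they print his remediation. The sample AVC is constructed to mirror the one Mike quoted; the audit timestamp and pid are placeholders. The semanage fcontext line is an assumption beyond Paul's reply: it records the label in the local policy so a later relabel (restorecon or a full relabel at boot) does not revert the chcon back to mail_spool_t.

```shell
# Added example, not code from the thread. Constructed AVC line modelled on the
# one Mike quoted; timestamp, pid, dev and ino are placeholders.
SAMPLE_AVC='type=1400 audit(1217419080.123:4): avc:  denied  { mounton } for  pid=1234 comm="mount" path="/var/spool/mail" dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir'

# Constructed counter-example: an unrelated denial that must NOT trigger the relabel.
OTHER_AVC='type=1400 audit(1217419090.456:5): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev=sda5 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^} ]*\)[[:space:]]*}.*/\1/p'
}

# type_of CONTEXT -> the type component of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_mountpoint_denial LINE -> success only when the confined mount domain was
# refused "mounton" on a directory, which is the situation Paul describes
is_mountpoint_denial() {
    [ "$(avc_perm "$1")" = "mounton" ] &&
    [ "$(avc_field "$1" tclass)" = "dir" ] &&
    [ "$(type_of "$(avc_field "$1" scontext)")" = "mount_t" ]
}

# suggest_fix LINE -> prints the remediation for a mount-point denial; refuses
# to suggest relabelling for any other kind of AVC
suggest_fix() {
    path=$(avc_field "$1" path)
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    if ! is_mountpoint_denial "$1"; then
        echo "not a mount-point labelling denial; do not relabel"
        return 1
    fi
    cat <<EOF
# $path is labelled $ttype; mount_t may only mount on mount-point types such as mnt_t
umount $path
chcon -t mnt_t $path
# assumption beyond the thread: make the label survive a relabel
semanage fcontext -a -t mnt_t '$path'
# Paul's check: exercise the boot-time (confined) code path without rebooting
service netfs start
EOF
}

suggest_fix "$SAMPLE_AVC"
```

Run it as-is to see the commands for the sample; feed it a real line from /var/log/audit/audit.log (or from dmesg, where type=1400 lines land without auditd) to triage your own denial. The point of the is_mountpoint_denial gate is exactly max's concern: a denial that merely involves mount, or a target directory, is not automatically fixed by labelling something mnt_t, so the script only offers that fix when the permission, object class and source domain all match the case in this thread.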