/var/spool mount denied
Daniel J Walsh
dwalsh at redhat.com
Mon Oct 6 12:25:26 UTC 2008
Paul Howarth wrote:
> On Sat, 4 Oct 2008 22:50:10 +0400
> QingLong <qinglong at Bolizm.ihep.su> wrote:
>
>>> You have a somewhat unusual set of point points there.
>>>
>> Well, I know.
>> But I use to use different fs types and fs parameters (and mount
>> options) as various filesystem parts have different functionality and
>> operating modes. E.g. traditional news spool on a Usenet News server
>> needs lo-o-ots of inodes.
>
> /var/spool I can understand, but /var/lock and /var/run?
>
>>> Fix for now: reboot so that all "problem" filesystems are left
>>> unmounted (or manually unmount all of them), then change the context
>>> type of the mountpoint directories to mnt_t:
>>>
>>> # chcon -t mnt_t /var/run /var/spool /var/lock
>>>
>> Thank you.
>>
>> And a bit more questions, if you let me.
>> Once the problem is in the context of mount points,
>> then how does post-startup manual `mount -a' succeed?
>> I believe it would fail quite in the same manner, wouldn't it?
>
> No, because when you run "mount" manually like this, it runs
> "unconfined" - there is no transition to the mount_t domain in SELinux,
> and hence you're not affected. At boot time, mount is run from an
> initscript and the transition happens, so mount is constrained about
> what it can do by SELinux.
>
>> And why don't other ``unusual'' filesystems (I have several others)
>> fail in the same way, but get mounted during startup quite
>> successfully? Aren't there some race conditions?
>
> Many of the more commonly-used mountpoints are configured as such in
> SELinux policy (/var/spool/mail for instance) and don't cause problems.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
setsebool -P allow_mount_anyfile 1
Should allow you to mount files/directories anywhere on your system
More information about the fedora-selinux-list
mailing list