 
07-13-2008, 10:41 AM
Frank Murphy

Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share

Summary:

SELinux prevented mount from mounting on the file or directory
"./Fedora-9-Everything-i386-DVD1.iso" (type "samba_share_t").

Detailed Description:

SELinux prevented mount from mounting a filesystem on the file or directory
"./Fedora-9-Everything-i386-DVD1.iso" of type "samba_share_t". By default
SELinux limits the mounting of filesystems to only some files or directories
(those with types that have the mountpoint attribute). The type "samba_share_t"
does not have this attribute. You can either relabel the file or directory or
set the boolean "allow_mount_anyfile" to true to allow mounting on any file or
directory.

Allowing Access:

Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."

The following command will allow this access:

setsebool -P allow_mount_anyfile=1

Additional Information:

Source Context                system_u:system_r:mount_t
Target Context                user_u:object_r:samba_share_t
Target Objects                ./Fedora-9-Everything-i386-DVD1.iso [ file ]
Source                        mount
Source Path                   /bin/mount
Port                          <Unknown>
Host                          server-01
Source RPM Packages           util-linux-2.13-0.47.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_mount_anyfile
Host Name                     server-01
Platform                      Linux server-01 2.6.18-92.1.6.el5 #1 SMP Wed Jun
                              25 13:49:24 EDT 2008 i686 athlon
Alert Count                   3
First Seen                    Sun 13 Jul 2008 10:26:26 IST
Last Seen                     Sun 13 Jul 2008 11:07:49 IST
Local ID                      268bdb54-5d8d-4c81-b7ba-0392b5cea34e
Line Numbers

Raw Audit Messages

host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied
{ write } for pid=2898 comm="mount"
name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227
scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:samba_share_t:s0 tclass=file

host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003
syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0
ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount"
exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
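
As an added example (not part of the original post), this Python sketch pairs the AVC and SYSCALL records from the report above by their shared audit event id and decodes what was actually denied. The helper names, the returned dictionary keys and the one-entry syscall table are assumptions of this example.

```python
import errno
import re

# Sample input: the two records from the post, rejoined onto single lines.
# The SYSCALL record is shortened, and the target context is taken to be
# user_u:object_r:samba_share_t:s0.
RECORDS = [
    'host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied { write } '
    'for pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 '
    'ino=8585227 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=user_u:object_r:samba_share_t:s0 tclass=file',
    'host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 '
    'syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 '
    'pid=2898 uid=0 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0',
]
EVENT = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
I386_SYSCALLS = {5: 'open'}  # only the call seen here; arch=40000003 is i386
ACCMODE = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}

def parse(line):
    """Return (event_id, fields) for one audit record."""
    key = EVENT.search(line).groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    fields['perms'] = perms.group(1).split() if perms else []
    return key, fields

def correlate(lines):
    """Merge AVC and SYSCALL records that share an audit event id."""
    events = {}
    for line in lines:
        key, fields = parse(line)
        events.setdefault(key, {})[fields['type']] = fields
    return events

def explain(event):
    """Summarise one denial: who, which permission, on what type, via which call."""
    avc, sc = event['AVC'], event['SYSCALL']
    return {
        'source_type': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'syscall': I386_SYSCALLS.get(int(sc['syscall']), sc['syscall']),
        'open_mode': ACCMODE[int(sc['a1'], 16) & 3],  # low two bits of open() flags
        'errno': errno.errorcode[-int(sc['exit'])],
    }

if __name__ == '__main__':
    print([explain(e) for e in correlate(RECORDS).values()])
```

Decoded this way, the event reads as mount_t being refused write permission on a file of type samba_share_t during an open() with O_RDWR that failed with EACCES, so the denied access is on the ISO image file itself.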
 
 
07-13-2008, 05:32 PM
Frank Murphy

Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share

On Sun, 2008-07-13 at 11:49 -0400, Filipe Brandenburger wrote:
> Hi,
>
> Please try to be more specific about what you are trying to do, how
> you are trying to do it, what you expected, what is going wrong, and
> what you tried to do to repair it. Your previous mail looks like the
> output of a tool, I don't even know which. Knowing that would help
> solve your issue.

tool: setroubleshoot.noarch :: gui helps solve selinux problems either
RedhatFedora epel or rpmforge dl

>
> From what I see, you are trying to mount an .iso file in a target
> directory inside Samba's tree, and SELinux is denying that (with the
> AVC you showed on your original message).

The 4 isos are shared to Fedora clients using samba, every file under the
shared main mountpoint has SELinux samba shared context.


>
> SELinux complains because the target directory is not marked with the
> "mnt_t" type and, for security, it restricts mounting filesystems only
> to directories with that type.
>

That is probably what I'm looking for

> To change that, you could use "chcon" to set the type to the directory
> where you want to mount your iso.
>
> # chcon -t mnt_t /path/to/mountpoint
> # mount -o loop,ro /path/to/iso/Fedora.iso /path/to/mountpoint
>
> You can use ls -Z (or if it's a directory ls -dZ) to verify the
> SELinux user:role:type of the file.
>
> Please let us know how that works for you.
>

Will give a good check in the am.

> HTH,
> Filipe

Frank

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-14-2008, 08:24 AM
Frank Murphy

Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share

On Sun, 2008-07-13 at 20:57 +0100, Paul Howarth wrote:
> On Sun, 13 Jul 2008 11:41:34 +0100
> Frank Murphy <frankly3d@gmail.com> wrote:
>

> This is normal; you need to set the context type of the mountpoint
> directory to mnt_t. You may also want to set the context for the
> mounted ISO image too if you want to share it out using samba, http,
> etc. See http://www.city-fan.org/tips/SubsetRepositoriesFedora9
>
> Paul.

That did it, thanks.
The se stuff in fstab did it, along with mnt_t.

Clients can now see isos.

Frank

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
