07-30-2008, 03:51 PM
Daniel J Walsh

SELinux concerning /home symlink?

Paul Howarth wrote:
> Eric Paris wrote:
>> On Wed, 2008-07-30 at 12:18 +0100, Paul Howarth wrote:
>>
>>> The underlying problem is that "mount", when run confined by SELinux,
>>> is only allowed to mount filesystems on mount points that have
>>> specific context types, such as mnt_t. If you set up your
>>> partitioning at install time, the installer generally sets the
>>> context types of the directories to be used as mount points
>>> correctly. However, if you change your filesystem arrangement at a
>>> later date then the mount point directory you're using will probably
>>> have some other context type, such as mail_spool_t in this case,
>>> which mount isn't normally allowed to use as a mount point, and you
>>> get the AVC denials and failure to mount as a result. The fix is
>>> simply to label the mount point directory appropriately for a mount
>>> point.
>>
>> setsebool -P allow_mount_anyfile 1
>>
>> should let him mount without any labeling changes right? You should be
>> able to find this boolean in system-config-selinux and setroubleshoot
>> should have suggested toggling this boolean.
>
> Yes, that should work too but would be more permissive than fixing the
> mountpoint context.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I have decided to make these directories a mountpoint.

files_mountpoint(mail_spool_t)


You could have generated a policy module with this and mount would have
been allowed also.

policy_module(myspool, 1.0.0)

gen_requires(`
type mail_spool_t;
')

files_mountpoint(mail_spool_t)

The beauty of SELinux, three ways to solve the same problem. :^)

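As an added illustration, not code from the thread or from any of its posters: a small Python scanner that reads audit records of the kind this thread is about and, for a confined mount_t "mounton" denial on a directory, reports the three remedies named above (relabel the mount point, the allow_mount_anyfile boolean, or a local policy module calling files_mountpoint on the existing type). The audit lines are constructed samples; the semanage/restorecon command and the mnt_t target are my assumption of what "label the mount point appropriately" looks like in practice.

```python
import re

# Constructed sample audit records (not from the thread). Record :42 is the denial the
# thread describes: confined mount (mount_t) using a mail_spool_t directory as mount point.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1217432400.101:42): avc:  denied  { mounton } for  pid=1842 comm="mount" path="/var/spool/mail" dev=sda3 ino=130563 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1217432400.101:42): arch=c000003e syscall=165 success=no exit=-13
type=AVC msg=audit(1217432400.205:43): avc:  denied  { read } for  pid=1901 comm="httpd" name="index.html" dev=sda3 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the interesting fields of an AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {k: fields.get(k, '') for k in ('comm', 'path', 'scontext', 'tcontext', 'tclass')}
    rec['perms'] = m.group('perms').split()
    # The SELinux type is the third field of user:role:type:level.
    rec['stype'] = (rec['scontext'].split(':') + [''] * 3)[2]
    rec['ttype'] = (rec['tcontext'].split(':') + [''] * 3)[2]
    return rec

def mountpoint_fixes(rec):
    """The thread's three remedies, only for a mount_t 'mounton' denial on a directory.
    A manual 'mount' runs unconfined and is never denied; this fires for the initscript case."""
    if not rec or 'mounton' not in rec['perms'] or rec['stype'] != 'mount_t' or rec['tclass'] != 'dir':
        return []
    t, p = rec['ttype'], rec['path']
    return [
        # 1. Relabel the mount point as a mount-point type (mnt_t is an assumption here).
        f"semanage fcontext -a -t mnt_t '{p}' && restorecon -v '{p}'",
        # 2. The boolean Eric Paris suggested; broader than relabelling one directory.
        "setsebool -P allow_mount_anyfile 1",
        # 3. Dan Walsh's local policy module: declare the existing type a mount point.
        f"policy_module(myspool, 1.0.0)\ngen_requires(`\n\ttype {t};\n')\nfiles_mountpoint({t})",
    ]

def scan(log):
    """Parse every AVC denial in the log text and attach the applicable fixes."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            rec['fixes'] = mountpoint_fixes(rec)
            out.append(rec)
    return out
```

Run it against the output of `ausearch -m avc` (or /var/log/audit/audit.log) on the box that fails at boot; the httpd record is there to show that unrelated denials get no mount-point advice.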
 
07-30-2008, 04:40 PM
max

SELinux concerning /home symlink?

Paul Howarth wrote:

> Sure.
>
> The underlying problem is that "mount", when run confined by SELinux, is
> only allowed to mount filesystems on mount points that have specific
> context types, such as mnt_t. If you set up your partitioning at install
> time, the installer generally sets the context types of the directories
> to be used as mount points correctly. However, if you change your
> filesystem arrangement at a later date then the mount point directory
> you're using will probably have some other context type, such as
> mail_spool_t in this case, which mount isn't normally allowed to use as
> a mount point, and you get the AVC denials and failure to mount as a
> result. The fix is simply to label the mount point directory
> appropriately for a mount point.
>
> The other issue is why the original setup fails at boot time when it
> works just fine manually. The reason for this is that if you run "mount"
> manually, it runs unconfined (as do most programs, e.g. httpd) but if
> you run it from an initscript (as happens at boot time), the mount
> process transitions to the correct confined domain. So you get the
> denials at boot time but not when running "mount" manually. For this
> reason, I always now use "service netfs start" rather than "mount -a"
> after making changes to my filesystem layouts to check for SELinux issues.
>
> Hope that clears it up.
>
> Cheers, Paul.

Yes. Thanks. I did have another question but the replies below have
given me sufficient food for thought...for now :^)


Thanks again,

Max


 
07-30-2008, 05:58 PM
Mike

SELinux concerning /home symlink?

Daniel J Walsh <dwalsh <at> redhat.com> writes:

> I have decided to make these directories a mountpoint
>
> files_mountpoint(mail_spool_t)
>
> You could have generated a policy module with this and mount would have
> been allowed also.
>
> policy_module(myspool, 1.0.0)
>
> gen_requires(`
> type mail_spool_t;
> ')
>
> files_mountpoint(mail_spool_t)
>
> The beauty of SELinux, three ways to solve the same problem. :^)

Thanks for all these replies - I have learned a lot in the past few days...
... about SELinux... well at least a little less green than I was, and the
benefit is that I now have two f9 boxes with SELinux set to enforcing....

Mike

