Old 07-24-2008, 09:41 PM
Mike
 
SELinux concerning /home symlink?

Mike <mike.cloaked <at> gmail.com> writes:

> Is the problem caused by the fact that the home area is symlinked from
> /home to /opt/Local/home ?

It turned out that I have managed to fix the issue by changing the contexts
of the files in /opt/Local/home/mike/.ssh to type user_home_t - and now
the ssh problem has gone away.

I was told by a helpful poster in Fedora list that the fact that my home
areas are on /opt would have resulted in inappropriate contexts for
/opt/Local/home since this would have been different if the partition had
been /home and not under /opt - this was indeed the case and changing
to user_home_t fixed this.

I therefore suspect that I should change all the contexts to the same type
in /opt/Local/home

Anyway problem solved for the moment... this kind of information may well
be useful to others who have atypical home areas for ease of doing upgrades.




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-24-2008, 10:00 PM
Craig White
 
SELinux concerning /home symlink?

On Thu, 2008-07-24 at 21:41 +0000, Mike wrote:
> Mike <mike.cloaked <at> gmail.com> writes:
>
> > Is the problem caused by the fact that the home area is symlinked from
> > /home to /opt/Local/home ?
>
> It turned out that I have managed to fix the issue by changing the contexts
> of the files in /opt/Local/home/mike/.ssh to type user_home_t - and now
> the ssh problem has gone away.
>
> I was told by a helpful poster in Fedora list that the fact that my home
> areas are on /opt would have resulted in inappropriate contexts for
> /opt/Local/home since this would have been different if the partition had
> been /home and not under /opt - this was indeed the case and changing
> to user_home_t fixed this.
>
> I therefore suspect that I should change all the contexts to the same type
> in /opt/Local/home
>
> Anyway problem solved for the moment... this kind of information may well
> be useful to others who have atypical home areas for ease of doing upgrades.
----
I would suggest that you would be far better off mounting the partition
you now called /opt as /home and then move stuff around...

i.e.

init 1
umount /opt
# then edit /etc/fstab so whatever partition mounts at /opt mounts
at /home
mount /home
cd /home
mv Local/home/* .
# then mv everything that belongs in /opt to /opt
# then init 3/5

Craig

 
Old 07-24-2008, 10:57 PM
Todd Zullinger
 
SELinux concerning /home symlink?

Craig White wrote:
> I would suggest that you would be far better off mounting the
> partition you now called /opt as /home and then move stuff around...

Or bind mount /home to /opt/Local/home and then run restorecon -R
/home to apply the proper labels to /home.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
The downside of being better than everyone else is that people tend to
assume you're pretentious.
-- Demotivators (www.despair.com)

 
Old 07-25-2008, 07:10 AM
Mike
 
SELinux concerning /home symlink?

Todd Zullinger <tmz <at> pobox.com> writes:

> Or bind mount /home to /opt/Local/home and then run restorecon -R
> /home to apply the proper labels to /home.

Thanks everyone - I will try bind mounting this evening....

Mike




 
Old 07-25-2008, 09:54 PM
Mike
 
SELinux concerning /home symlink?

Mike <mike.cloaked <at> gmail.com> writes:

> Thanks everyone - I will try bind mounting this evening....

I got the /home pointing to /opt/Local/home just fine - but ...now doing mail:

Having just been pretty pleased with myself for getting my system running
I now find a problem.... This question was also posted to Fedora list.

First I have my home directory bind mounted from /home to /opt/Local/home
with no problems, and I bind mount using an fstab entry like
/opt/Local/home /home ext3 bind 0 0

The context for /home is system_u:object_r:home_root_t:s0
and for /opt/Local/home it is the same.

The mount works fine during boot - so I tried the same with my mail.

I have an fstab entry
/opt/Local/spool/mail /var/spool/mail ext3 bind 0 0

The context for /var/spool/mail is system_u:object_r:mail_spool_t:s0
and for /opt/Local/spool/mail it is also the same.

I can manually do
mount /var/spool/mail and the bind mount works fine.

However on boot I get an avc denial, with kernel: type=1400 and
avc: denied {mounton} .... comm="mount" path="/var/spool/mail"
dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mail_spool_t:s0 class=dir

I am not sure what to change to make this work?




 
Old 07-26-2008, 12:18 AM
Paul Howarth
 
SELinux concerning /home symlink?

On Fri, 25 Jul 2008 21:54:51 +0000 (UTC)
Mike <mike.cloaked@gmail.com> wrote:

> Mike <mike.cloaked <at> gmail.com> writes:
>
> > Thanks everyone - I will try bind mounting this evening....
>
> I got the /home pointing to /opt/Local/home just fine - but ...now
> doing mail:
>
> Having just been pretty pleased with myself for getting my system
> running I now find a problem.... This question was also posted to
> Fedora list.
>
> First I have my home directory bind mounted from /home
> to /opt/Local/home with no problems, and I bind mount using an fstab
> entry like /opt/Local/home /home ext3 bind 0 0
>
> The context for /home is system_u:object_r:home_root_t:s0
> and for /opt/Local/home it is the same.
>
> The mount works fine during boot - so I tried the same with my mail.
>
> I have an fstab entry
> /opt/Local/spool/mail /var/spool/mail ext3 bind 0 0
>
> The context for /var/spool/mail is system_u:object_r:mail_spool_t:s0
> and for /opt/Local/spool/mail it is also the same.
>
> I can manually do
> mount /var/spool/mail and the bind mount works fine.
>
> However on boot I get an avc denial, with kernel: type=1400 and
> avc: denied {mounton} .... comm="mount" path="/var/spool/mail"
> dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:mail_spool_t:s0 class=dir
>
> I am not sure what to change to make this work?

First temporarily unmount the bind mount:
# umount /var/spool/mail

Then change the context of the original /var/spool/mail to make it
suitable for use as a mount point:
# chcon -t mnt_t /var/spool/mail

Mount at boot should now work. You can simulate this without actually
rebooting by doing:
# service netfs start

Cheers, Paul.

 
Old 07-26-2008, 08:27 AM
Mike
 
SELinux concerning /home symlink?

Paul Howarth <paul <at> city-fan.org> writes:

> First temporarily unmount the bind mount:
> # umount /var/spool/mail
>
> Then change the context of the original /var/spool/mail to make it
> suitable for use as a mount point:
> # chcon -t mnt_t /var/spool/mail
>
> Mount at boot should now work. You can simulate this without actually
> rebooting by doing:
> # service netfs start

Thank you Paul

I'll do this later today when I get back to the machine....

Much appreciated
Mike

 
Old 07-30-2008, 11:18 AM
Paul Howarth
 
SELinux concerning /home symlink?

max bianco wrote:
> On Fri, Jul 25, 2008 at 8:18 PM, Paul Howarth <paul@city-fan.org> wrote:
>> On Fri, 25 Jul 2008 21:54:51 +0000 (UTC)
>> Mike <mike.cloaked@gmail.com> wrote:
>>> Mike <mike.cloaked <at> gmail.com> writes:
>>>
>>>> Thanks everyone - I will try bind mounting this evening....
>>>
>>> I got the /home pointing to /opt/Local/home just fine - but ...now
>>> doing mail:
>>>
>>> Having just been pretty pleased with myself for getting my system
>>> running I now find a problem.... This question was also posted to
>>> Fedora list.
>>>
>>> First I have my home directory bind mounted from /home
>>> to /opt/Local/home with no problems, and I bind mount using an fstab
>>> entry like /opt/Local/home /home ext3 bind 0 0
>>>
>>> The context for /home is system_u:object_r:home_root_t:s0
>>> and for /opt/Local/home it is the same.
>>>
>>> The mount works fine during boot - so I tried the same with my mail.
>>>
>>> I have an fstab entry
>>> /opt/Local/spool/mail /var/spool/mail ext3 bind 0 0
>>>
>>> The context for /var/spool/mail is system_u:object_r:mail_spool_t:s0
>>> and for /opt/Local/spool/mail it is also the same.
>>>
>>> I can manually do
>>> mount /var/spool/mail and the bind mount works fine.
>>>
>>> However on boot I get an avc denial, with kernel: type=1400 and
>>> avc: denied {mounton} .... comm="mount" path="/var/spool/mail"
>>> dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0
>>> tcontext=system_u:object_r:mail_spool_t:s0 class=dir
>>>
>>> I am not sure what to change to make this work?
>>
>> First temporarily unmount the bind mount:
>> # umount /var/spool/mail
>>
>> Then change the context of the original /var/spool/mail to make it
>> suitable for use as a mount point:
>> # chcon -t mnt_t /var/spool/mail
>>
>> Mount at boot should now work. You can simulate this without actually
>> rebooting by doing:
>> # service netfs start
>>
>> Cheers, Paul.
>
> Could I trouble you to be slightly more verbose so novices like myself
> can get a better handle on the solution, because otherwise every
> situation even remotely like this is going to get this solution
> applied and this may not always be appropriate or suitable.


Sure.

The underlying problem is that "mount", when run confined by SELinux, is
only allowed to mount filesystems on mount points that have specific
context types, such as mnt_t. If you set up your partitioning at install
time, the installer generally sets the context types of the directories
to be used as mount points correctly. However, if you change your
filesystem arrangement at a later date then the mount point directory
you're using will probably have some other context type, such as
mail_spool_t in this case, which mount isn't normally allowed to use as
a mount point, and you get the AVC denials and failure to mount as a
result. The fix is simply to label the mount point directory
appropriately for a mount point.


The other issue is why the original setup fails at boot time when it
works just fine manually. The reason for this is that if you run "mount"
manually, it runs unconfined (as do most programs, e.g. httpd) but if
you run it from an initscript (as happens at boot time), the mount
process transitions to the correct confined domain. So you get the
denials at boot time but not when running "mount" manually. For this
reason, I always now use "service netfs start" rather than "mount -a"
after making changes to my filesystem layouts to check for SELinux issues.


Hope that clears it up.

Cheers, Paul.

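The mechanism Paul describes above (mount_t may only "mounton" directories labelled as mount points, and a directory that became a mount point after installation usually carries some other type) is something you can check for before the next reboot rather than discover from an AVC denial. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes a refpolicy-based policy, where the types mount_t is allowed to mount on carry the `mountpoint` attribute (listable on a real system with `seinfo -amountpoint -x` from setools), and GNU `stat`, whose `%C` format prints a file's SELinux context. The fstab lines, the labels and the allow-list in the script are constructed sample data modelled on the poster's system so that it runs offline; on a live machine the comments show what to substitute.

```shell
#!/bin/sh
# Added example (not from the thread): audit the mount points named in an
# fstab against the SELinux types that the confined mount domain (mount_t)
# is allowed to mount on, so a relocated /home or /var/spool/mail is found
# before boot-time mounting fails with avc: denied { mounton }.
#
# Assumptions not stated on the page: refpolicy-based policy (allowed target
# types carry the "mountpoint" attribute; list them with
#   seinfo -amountpoint -x
# from setools) and GNU stat, so that
#   stat -c '%n %C' PATH...
# prints "<path> <context>" lines for the mount points.

# Print the mount-point column of an fstab read from stdin, skipping
# comment and blank lines.
fstab_mountpoints() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $2 }'
}

# Return the type field (third colon-separated field) of a SELinux context,
# e.g. system_u:object_r:mail_spool_t:s0 -> mail_spool_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<path> <context>" lines from stdin and print "<path> <type>" for
# every directory whose type is NOT in the space-separated allow-list $1.
# Exit status 1 if at least one offending mount point was found, else 0.
audit_mountpoints() {
    allowed=" $1 "
    bad=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        t=$(context_type "$ctx")
        case "$allowed" in
            *" $t "*) ;;                          # labelled as a mount point
            *) printf '%s %s\n' "$path" "$t"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample data (stands in for /etc/fstab and for the output of
# stat -c '%n %C' on the poster's machine). Before the fix, /var/spool/mail
# still carries the mail_spool_t type given to it at install time.
SAMPLE_FSTAB='# <src>                 <target>         <fs>  <opts> <dump> <pass>
/opt/Local/home         /home            ext3  bind   0 0
/opt/Local/spool/mail   /var/spool/mail  ext3  bind   0 0'

SAMPLE_LABELS='/home system_u:object_r:home_root_t:s0
/var/spool/mail system_u:object_r:mail_spool_t:s0'

# Constructed allow-list for the demo. On a real system build it from the
# types listed under the "mountpoint" attribute by: seinfo -amountpoint -x
ALLOWED='mnt_t home_root_t'

# Offline demonstration. On a live system the equivalent pipeline is:
#   fstab_mountpoints < /etc/fstab | xargs stat -c '%n %C' \
#       | audit_mountpoints "$ALLOWED"
demo() {
    echo 'mount points in fstab:'
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_mountpoints
    echo 'mount points mount_t may not mount on:'
    printf '%s\n' "$SAMPLE_LABELS" | audit_mountpoints "$ALLOWED"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run as `sh audit.sh demo`; on the constructed data it reports `/var/spool/mail mail_spool_t` and exits 1, which is the directory Paul's `chcon -t mnt_t` targets. Two caveats a practitioner will want. First, `chcon` changes only the on-disk label, so a later `restorecon` or full relabel puts `mail_spool_t` back and the boot-time denial returns; the durable form of the same fix is `semanage fcontext -a -t mnt_t /var/spool/mail` followed by `restorecon -v /var/spool/mail`. Second, relabelling the mount point does not affect the mail daemons: once the bind mount is active, the label visible at `/var/spool/mail` is that of the source directory (`mail_spool_t`), and the `mnt_t` on the underlying directory is only seen by `mount` itself.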
 
Old 07-30-2008, 01:47 PM
Eric Paris
 
SELinux concerning /home symlink?

On Wed, 2008-07-30 at 12:18 +0100, Paul Howarth wrote:

> The underlying problem is that "mount", when run confined by SELinux, is
> only allowed to mount filesystems on mount points that have specific
> context types, such as mnt_t. If you set up your partitioning at install
> time, the installer generally sets the context types of the directories
> to be used as mount points correctly. However, if you change your
> filesystem arrangement at a later date then the mount point directory
> you're using will probably have some other context type, such as
> mail_spool_t in this case, which mount isn't normally allowed to use as
> a mount point, and you get the AVC denials and failure to mount as a
> result. The fix is simply to label the mount point directory
> appropriately for a mount point.

setsebool -P allow_mount_anyfile 1

should let him mount without any labeling changes right? You should be
able to find this boolean in system-config-selinux and setroubleshoot
should have suggested toggling this boolean.

-Eric

 
Old 07-30-2008, 02:05 PM
Paul Howarth
 
SELinux concerning /home symlink?

Eric Paris wrote:
> On Wed, 2008-07-30 at 12:18 +0100, Paul Howarth wrote:
>> The underlying problem is that "mount", when run confined by SELinux, is
>> only allowed to mount filesystems on mount points that have specific
>> context types, such as mnt_t. If you set up your partitioning at install
>> time, the installer generally sets the context types of the directories
>> to be used as mount points correctly. However, if you change your
>> filesystem arrangement at a later date then the mount point directory
>> you're using will probably have some other context type, such as
>> mail_spool_t in this case, which mount isn't normally allowed to use as
>> a mount point, and you get the AVC denials and failure to mount as a
>> result. The fix is simply to label the mount point directory
>> appropriately for a mount point.
>
> setsebool -P allow_mount_anyfile 1
>
> should let him mount without any labeling changes right? You should be
> able to find this boolean in system-config-selinux and setroubleshoot
> should have suggested toggling this boolean.


Yes, that should work too but would be more permissive than fixing the
mountpoint context.


Paul.
