Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

David wrote:
> I'm attempting to mount a loop device (a ro file) at boot using fstab.
> My fstab entry works fine from the command line, but it fails at boot
> time due to a selinux avc error. I assume this is due to incorrect
> file context. The file is under a nonstandard top level directory, so
> I need to specifically assign it the correct file context, which I
> would do if I could figure out what it ought to be.
>   

mount_loopback_t.

The reason why

cat /etc/selinux/targeted/contexts/files/file_contexts | grep mount

did not give the answer is because there are no files installed by
default with that label.


> Where do I look on the system to discover what is the correct file
> context required by mount at boot time?
>   

[Disclaimer: the commands below were run on a F10 box.  Try them on your
box to verify.]

Method 1:  use the sesearch command to find rules in the policy.

# yum install setools-console
# man sesearch
# sesearch -A -s mount_t -c file -p read  |  grep loop
allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;
#

If you leave off the "grep loop" you get a much longer list of things
mount_t is allowed to read, but you can still find mount_loopback_t;
sorting the list helps.



Method 2:  look at the refpolicy source.

# yum install yum-utils
# cd ~
# yumdownloader --source selinux-policy
# rpm -i selinux-policy-*.src.rpm
# cd rpmbuild/SOURCES
# tar ztf serefpolicy-3.5.13.tgz | grep mount
serefpolicy-3.5.13/policy/modules/services/automount.fc
serefpolicy-3.5.13/policy/modules/services/automount.te
serefpolicy-3.5.13/policy/modules/services/automount.if
serefpolicy-3.5.13/policy/modules/system/mount.fc
serefpolicy-3.5.13/policy/modules/system/mount.if
serefpolicy-3.5.13/policy/modules/system/mount.te
# tar zxf serefpolicy-3.5.13.tgz  --wildcards --no-anchored '*/mount.te'
# grep loop serefpolicy-3.5.13/policy/modules/system/mount.te
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
allow mount_t mount_loopback_t:file read_file_perms;
#

Again, if you didn't know to grep for "loop" you could read the whole
.te file.  The three lines above all appear on the first page of the file.


Method 3: browse the refpolicy source online:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/system/mount.te

-- 
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
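The reply above shows how to read `sesearch` output by eye. As an added example (not part of Eamon's mail or of the SELinux tooling), here is a POSIX shell snippet that does the same lookup mechanically: it parses `sesearch -A` style allow rules for the target types a given source domain may act on with a given class and permission, and then prints the `semanage fcontext` / `restorecon` commands that would persistently assign the chosen type to a file so the label survives a relabel. Only the first sample rule is the one quoted in the mail; the other rules and the path `/srv/img.iso` are constructed for illustration and are not claimed to exist in any real policy. The commands are printed rather than executed, so the script runs without root or an SELinux-enabled kernel.

```shell
#!/bin/sh
# Added example, not from the original mail: find which target types a
# source domain may read via sesearch-style allow rules, then emit the
# labeling commands for the type you pick.

# Constructed sample of `sesearch -A -s mount_t -c file -p read` output.
# Line 1 is the rule quoted in the mail; the rest are made up for
# illustration (assumption, not a claim about any real policy).
SAMPLE_RULES='allow mount_t mount_loopback_t : file { ioctl read getattr lock } ;
allow mount_t etc_t : file { ioctl read getattr lock open } ;
allow mount_t mount_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow mount_t fixed_disk_device_t : blk_file { ioctl read write getattr lock append open } ;
allow mount_t proc_t : file read ;'

# target_types SOURCE CLASS PERM
# Reads sesearch-style rules on stdin and prints, sorted and deduplicated,
# every target type that SOURCE is allowed PERM on for object class CLASS.
# Handles both the braced form "{ a b c }" and the single-permission form.
target_types() {
    awk -v src="$1" -v cls="$2" -v perm="$3" '
        $1 == "allow" && $2 == src && $4 == ":" && $5 == cls {
            # Permissions start at field 6 (either "{" or a lone permission).
            for (i = 6; i <= NF; i++) {
                if ($i == perm) { print $3; break }
            }
        }' | sort -u
}

# label_commands TYPE PATH
# Prints the commands that would persistently label PATH with TYPE:
# semanage records the mapping, restorecon applies it to the file.
label_commands() {
    printf 'semanage fcontext -a -t %s "%s"\nrestorecon -v "%s"\n' "$1" "$2" "$2"
}

# Usage: list what mount_t may read, then show how to label a loop image
# (the path is a placeholder).
printf '%s\n' "$SAMPLE_RULES" | target_types mount_t file read
label_commands mount_loopback_t /srv/img.iso
```

Feed real `sesearch` output into `target_types` and the candidate list is exactly what the mail says to look for; picking `mount_loopback_t` from it and running the two printed commands as root is the persistent equivalent of a one-off `chcon`.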
