Stephen Smalley wrote:
> On Wed, 2006-03-29 at 13:34 -0600, Ian Pilcher wrote:
>> Sorry about the delay...jury duty.
>> Just tried again to be sure:
>> mkfs.reiserfs /dev/md9
>> /etc/fstab contains:
>> /dev/md9 /mnt/tmp reiserfs context=system_u:object_r:file_t:s0 0 2
>> Rebooted and the mount failed. dmesg | grep md9 shows:
>> audit(1143660461.416:15): avc: denied { search } for pid=1714
>> comm="mount" name="/" dev=md9 ino=2
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>> ReiserFS: md9: warning: xattrs/ACLs enabled and couldn't find/create
>> .reiserfs_priv. Failing mount.
>> It doesn't look like the context option had any effect at all.
> I think we are encountering the denial before we reach the processing of
> the context option. The setup of the superblock security data and the
> root directory security data happens upon security_sb_kern_mount, but
> this is called after the filesystem returns from its get_sb method.
> Unfortunately, reiserfs apparently tries to access the xattr directory
> during get_sb, so there is an attempted lookup before SELinux has
> initialized the security state on the root directory, and we get a
> denial on unlabeled_t. I guess you need to allow mount_t
> unlabeled_t:dir search; to work around it.
Should we allow this in policy?
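An added example, not part of any message in this thread and not SELinux project code: a small Python parser that takes the AVC denial quoted above, derives the allow rule suggested in the reply, and flags a target type of unlabeled_t. The function names and the one-line joined copy of the denial are constructed for illustration.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'audit(1143660461.416:15): avc: denied { search } for pid=1714 '
    'comm="mount" name="/" dev=md9 ino=2 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')


def parse_avc(text):
    """Return the denial's fields as a dict, or None if text is not an AVC denial."""
    m = AVC_RE.search(" ".join(text.split()))  # dmesg output may wrap the record
    if not m:
        return None
    fields = {"perms": m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        fields[key] = val.strip('"')
    return fields


def context_type(context):
    """The type is the third colon-separated field: user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def allow_rule(avc):
    """Build the allow rule that would permit exactly this denied access."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (context_type(avc["scontext"]),
                                   context_type(avc["tcontext"]),
                                   avc["tclass"], perm_str)


def target_unlabeled(avc):
    """True for the case in the thread: object checked before it was labeled."""
    return context_type(avc["tcontext"]) == "unlabeled_t"


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(allow_rule(avc))
    print("target unlabeled:", target_unlabeled(avc))
```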