Stephen Smalley (sds@xxxxxxxxxxxxx) said:

> It may be necessary to add allow rules to enable the fscontext= mount to
> succeed, although I would have expected that to generate an avc denial
> if that were the issue (unless suppressed by a dontaudit, but that seems
> wrong). You would need to
>   allow <processdomain> <originalfstype>:filesystem relabelfrom;
>   allow <processdomain> <newfstype>:filesystem relabelto;
> Dan?

OK, once doing this, I get:

  avc: denied { search } for pid=1688 comm="mount" name="/" dev=tmpfs ino=5444 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=dir

And, then, expectedly, after fixing that, restorecon can't getattr/read/etc. fs_t. I seem to be stuck in a never-ending cascade of AVCs. What's generally wrong here?

The usage model is this:

1) mount a tmpfs under /var somewhere
2) take a predefined list of dirs and files, and for each one:
   a) copy it to that tmpfs
   b) bind mount it over its original location
   c) restorecon @ the original location, to get the contexts right

This shouldn't be *that* hard to get working with policy, should it?

Bill
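A small helper, added here and not part of the thread, that turns AVC lines like the one Bill quotes into the allow rules Stephen describes, aggregating one rule per (source type, target type, class) so a cascade of denials can be read at once. It is a simplified stand-in for what audit2allow does; the search line is the thread's own, the restorecon lines are constructed to mirror the follow-on getattr/read denials Bill mentions.

```python
import re
from collections import defaultdict

# Sample audit lines. The first is quoted in the thread; the restorecon
# lines are constructed to mirror the follow-on denials the poster describes.
SAMPLE_AVC_LINES = [
    'avc: denied { search } for pid=1688 comm="mount" name="/" dev=tmpfs ino=5444 '
    'scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=dir',
    'avc: denied { getattr } for pid=1702 comm="restorecon" name="/" dev=tmpfs ino=5444 '
    'scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=dir',
    'avc: denied { read } for pid=1702 comm="restorecon" name="/" dev=tmpfs ino=5444 '
    'scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=dir',
]

# Matches the permission set inside { } and the scontext/tcontext/tclass fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def allow_rules(lines):
    """Aggregate denials into one 'allow' rule per (source, target, class).

    Note: an allow rule is only the right fix when the source domain really
    should touch that type. A denial against fs_t on a tmpfs mounted under
    /var usually means the filesystem or its files are mislabelled, and a
    better fscontext=/context= option or file_contents entry may be the fix.
    """
    perms = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, p = parsed
            perms[(stype, ttype, tclass)] |= p
    rules = []
    for (stype, ttype, tclass), p in sorted(perms.items()):
        body = ' '.join(sorted(p))
        if len(p) > 1:
            body = '{ ' + body + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules
```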