Greetings,
while attempting to set up leafnode <http://leafnode.sourceforge.net> I
had a problem with mounting its spool, /var/spool/news:
Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied
{ mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
Using audit2why and then audit2allow I was able to come up with the
following .te policy:
module news 1.0;
require {
class dir mounton;
type mount_t;
type news_spool_t;
role system_r;
};
allow mount_t news_spool_t:dir mounton;
which to my untrained eye looked good. Researching the archives before
writing this, however, I came upon the answer for a similar problem:
https://www.redhat.com/archives/fedora-selinux-list/2006-August/msg00096.html
and found out that it would probably have been enough to label the
mount point mnt_t (haven't tried it yet). Assuming it works, how should
I have found out about it ? I tried rpm -qd and found out about the
selinux-policy documentation, but nothing showed up for the targeted
policy. In this context, isn't audit2allow somewhat ... dangerous ?
Or was it just a shortcoming in the leafnode RPM, so I should be looking
at what INN is doing instead ?
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
