max bianco wrote:
On Fri, Jul 25, 2008 at 8:18 PM, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
On Fri, 25 Jul 2008 21:54:51 +0000 (UTC)
Mike <mike.cloaked@xxxxxxxxx> wrote:
Mike <mike.cloaked <at> gmail.com> writes:
Thanks everyone - I will try bind mounting this evening....
I got the /home pointing to /opt/Local/home just fine - but ...now
doing mail:
Having just been pretty pleased with myself for getting my system
running I now find a problem.... This question was also posted to
Fedora list.
First I have my home directory bind mounted from /home
to /opt/Local/home with no problems, and I bind mount using an fstab
entry like /opt/Local/home /home ext3 bind 0 0
The context for /home is system_u:object_r:home_root_t:s0
and for /opt/Local/home it is the same.
The mount works fine during boot - so I tried the same with my mail.
I have an fstab entry
/opt/Local/spool/mail /var/spool/mail ext3 bind 0 0
The context for /var/spool/mail is system_u:object_r:mail_spool_t:s0
and for /opt/Local/spool/mail it is also the same.
I can manually do
mount /var/spool/mail and the bind mount works fine.
However on boot I get an avc denial, with kernel: type=1400 and
avc: denied {mounton} .... comm="mount" path="/var/spool/mail"
dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:mail_spool_t:s0 class=dir
I am not sure what to change to make this work?
First temporarily unmount the bind mount:
# umount /var/spool/mail
Then change the context of the original /var/spool/mail to make it
suitable for use as a mount point:
# chcon -t mnt_t /var/spool/mail
Mount at boot should now work. You can simulate this without actually
rebooting by doing:
# service netfs start
Cheers, Paul.
Could I trouble you to be slightly more verbose so novices like myself
can get a better handle on the solution, because otherwise every
situation even remotely like this is going to get this solution
applied and this may not always be appropriate or suitable.
Sure.
The underlying problem is that "mount", when run confined by SELinux, is
only allowed to mount filesystems on mount points that have specific
context types, such as mnt_t. If you set up your partitioning at install
time, the installer generally sets the context types of the directories
to be used as mount points correctly. However, if you change your
filesystem arrangement at a later date then the mount point directory
you're using will probably have some other context type, such as
mail_spool_t in this case, which mount isn't normally allowed to use as
a mount point, and you get the AVC denials and failure to mount as a
result. The fix is simply to label the mount point directory
appropriately for a mount point.
The other issue is why the original setup fails at boot time when it
works just fine manually. The reason for this is that if you run "mount"
manually, it runs unconfined (as do most programs, e.g. httpd) but if
you run it from an initscript (as happens at boot time), the mount
process transitions to the correct confined domain. So you get the
denials at boot time but not when running "mount" manually. For this
reason, I always now use "service netfs start" rather than "mount -a"
after making changes to my filesystem layouts to check for SELinux issues.
Hope that clears it up.
Cheers, Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
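As an added example, not part of the thread and not Paul's or Mike's code: a small POSIX sh script that applies the triage Paul describes to an AVC line shaped like Mike's. It pulls the path and the source/target contexts out of the denial, recognises a mount_t "mounton" denial against a directory, prints the umount/chcon fix from the thread, and lists the bind-mount targets in an fstab. The AVC line and the fstab in the script are constructed samples (pid, timestamp and the extra audit fields are made up; path, contexts and class follow the thread). Two things go beyond what the thread says and are marked as such in the comments: the `semanage fcontext` line, because a bare `chcon` is undone by the next relabel (`restorecon` or `/.autorelabel`), and the `--live` mode, which reads the real /etc/fstab and `stat -c %C` and therefore only does anything useful on an SELinux host. The script name `check-bind-mounts.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an SELinux "mounton"
# denial like the one Mike quoted, and list the bind-mount targets in
# fstab so their labels can be checked before the next reboot.
set -e

# Constructed AVC line modelled on the thread's (timestamp, pid and the
# extra fields are made up; path, contexts and class are the thread's).
SAMPLE_AVC='type=1400 audit(1216999999.123:42): avc:  denied  { mounton } for  pid=1234 comm="mount" path="/var/spool/mail" dev=sda5 ino=419655 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir'

# Constructed fstab fragment reproducing the two bind mounts in the thread.
SAMPLE_FSTAB='# /etc/fstab (constructed sample)
/dev/sda5             /               ext3  defaults  1 1
/opt/Local/home       /home           ext3  bind      0 0
/opt/Local/spool/mail /var/spool/mail ext3  bind      0 0
tmpfs                 /dev/shm        tmpfs defaults  0 0'

# avc_field LINE KEY: value of KEY=... in an audit line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_mount_denial LINE: 0 if LINE is a mounton denial from the confined
# mount_t domain against a directory, 1 otherwise.
is_mount_denial() {
    case "$1" in
        *avc:*denied*{*mounton*}*) ;;
        *) return 1 ;;
    esac
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = mount_t ] || return 1
    [ "$(avc_field "$1" tclass)" = dir ]
}

# suggest_fix LINE: the umount + chcon the thread recommends, plus a
# semanage fcontext rule so the label survives a relabel (this last
# line is an addition beyond the thread).
suggest_fix() {
    is_mount_denial "$1" || { echo "not a mount_t mounton denial"; return 1; }
    path=$(avc_field "$1" path)
    have=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s is labelled %s; relabel it as a mount point:\n' "$path" "$have"
    printf '  umount %s\n' "$path"
    printf '  chcon -t mnt_t %s\n' "$path"
    printf '  semanage fcontext -a -t mnt_t "%s"\n' "$path"
}

# fstab_bind_targets FSTAB_TEXT: mount points of entries whose options
# include "bind" (comments and blank lines skipped).
fstab_bind_targets() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /(^|,)bind(,|$)/ { print $2 }'
}

# live_check: on a real SELinux host, print the type of every bind-mount
# target in /etc/fstab. Only mnt_t is accepted without comment; other
# types may still be permitted by policy (home_root_t worked for /home in
# the thread), so a "review" line means check before relabelling.
live_check() {
    fstab_bind_targets "$(cat /etc/fstab)" | while read -r mp; do
        t=$(ctx_type "$(stat -c %C "$mp")")
        if [ "$t" = mnt_t ]; then
            echo "ok      $mp ($t)"
        else
            echo "review  $mp ($t): not mnt_t, check policy or chcon -t mnt_t"
        fi
    done
}

# Demo on the constructed data; pass --live on an SELinux host instead.
if [ "${1:-}" = --live ]; then
    live_check
else
    echo "bind-mount targets in sample fstab:"
    fstab_bind_targets "$SAMPLE_FSTAB"
    suggest_fix "$SAMPLE_AVC"
fi
```

Run it with no arguments to see the sample triage; `sh check-bind-mounts.sh --live` on the target host prints each bind target's current type. mnt_t is not the only type the mount_t domain may mount on, so before relabelling a "review" entry list what the loaded policy actually allows with `sesearch -A -s mount_t -c dir -p mounton` (setools), and keep Paul's `service netfs start` as the end-to-end test, since that is what exercises the confined domain rather than an unconfined shell.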