Paul Howarth wrote:
> Eric Paris wrote:
>> On Wed, 2008-07-30 at 12:18 +0100, Paul Howarth wrote:
>>
>>> The underlying problem is that "mount", when run confined by SELinux,
>>> is only allowed to mount filesystems on mount points that have
>>> specific context types, such as mnt_t. If you set up your
>>> partitioning at install time, the installer generally sets the
>>> context types of the directories to be used as mount points
>>> correctly. However, if you change your filesystem arrangement at a
>>> later date then the mount point directory you're using will probably
>>> have some other context type, such as mail_spool_t in this case,
>>> which mount isn't normally allowed to use as a mount point, and you
>>> get the AVC denials and failure to mount as a result. The fix is
>>> simply to label the mount point directory appropriately for a mount
>>> point.
>>
>> setsebool -P allow_mount_anyfile 1
>>
>> should let him mount without any labeling changes right? You should be
>> able to find this boolean in system-config-selinux and setroubleshoot
>> should have suggested toggling this boolean.
>
> Yes, that should work too but would be more permissive than fixing the
> mountpoint context.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I have decided to make these directories a mountpoint

    files_mountpoint(mail_spool_t)

You could have generated a policy module with this and mount would have
been allowed also.

    policy_module(myspool, 1.0.0)

    gen_requires(`
        type mail_spool_t;
    ')

    files_mountpoint(mail_spool_t)

The beauty of SELinux, three ways to solve the same problem. :^)
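The situation the thread describes, as an added example that is not part of the thread and is nobody's code from it: a POSIX sh script that recognises the denial in audit.log-style AVC lines (the mount_t domain refused "mounton" on a directory whose type is not a mount point type) and prints the three fixes discussed, with the final poster's module generalised to whatever type the denial names. The AVC lines, the pid/dev/ino values and the path /var/spool/mail are constructed; the semanage, restorecon, make and semodule invocations are the standard Fedora tooling and are an assumption here, since the thread only quotes the setsebool command.

```shell
#!/bin/sh
# Added example, not from the thread: detect the mount-point denial the thread
# describes in AVC lines and print the three remediations the posters mention.

# Constructed sample AVC lines in audit.log format. The pid, dev and ino values
# and the path /var/spool/mail are made up; only the first line is the thread's case.
SAMPLE_AVC='type=AVC msg=audit(1217419200.101:42): avc:  denied  { mounton } for  pid=2345 comm="mount" path="/var/spool/mail" dev=sda3 ino=131073 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=AVC msg=audit(1217419200.250:43): avc:  denied  { read } for  pid=2350 comm="httpd" name="index.html" dev=sda3 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_field KEY LINE: value of the KEY=VALUE token in an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the denied permission, e.g. mounton from "denied  { mounton }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([a-z_]*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of a user:role:type:level context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_mount_denial LINE: succeeds only for the thread's situation, i.e. the
# mount_t domain denied mounton on a dir object.
is_mount_denial() {
    avc=$1
    [ "$(avc_perm "$avc")" = "mounton" ] || return 1
    [ "$(avc_field tclass "$avc")" = "dir" ] || return 1
    [ "$(context_type "$(avc_field scontext "$avc")")" = "mount_t" ] || return 1
}

# scan_avc: read AVC lines on stdin, print "PATH TYPE" for each mount-point denial.
scan_avc() {
    while IFS= read -r l; do
        is_mount_denial "$l" || continue
        printf '%s %s\n' "$(avc_field path "$l")" \
            "$(context_type "$(avc_field tcontext "$l")")"
    done
}

# policy_module_for TYPE: the module source from the thread, generalised to TYPE
# (the thread's own module is named myspool and hard-codes mail_spool_t).
policy_module_for() {
    cat <<EOF
policy_module(mymount, 1.0.0)

gen_requires(\`
    type $1;
')

files_mountpoint($1)
EOF
}

# remediations PATH TYPE: the three options from the thread, narrowest first.
# The semanage/restorecon/make/semodule commands are standard Fedora tooling
# (an assumption here; the thread itself only quotes setsebool).
remediations() {
    echo "# Option 1: relabel the mount point $1 as mnt_t (persistent rule, then relabel)"
    echo "semanage fcontext -a -t mnt_t '$1' && restorecon -v '$1'"
    echo "# Option 2: allow mount to use any directory (broader than option 1)"
    echo "setsebool -P allow_mount_anyfile 1"
    echo "# Option 3: local module declaring $2 a mount point type; save as mymount.te,"
    echo "#           build with make -f /usr/share/selinux/devel/Makefile, then semodule -i mymount.pp"
    policy_module_for "$2"
}

# Run over the constructed sample: only the first line qualifies.
printf '%s\n' "$SAMPLE_AVC" | scan_avc | while read -r p t; do
    remediations "$p" "$t"
done
```

Option 1 changes only the one directory's label and is what Paul recommends; option 2 is the boolean Eric names and widens what every confined mount may use as a mount point; option 3 leaves the directory labelled as it is but teaches policy that the type is a valid mount point, so it affects every directory carrying that type.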