Paul Howarth wrote:
Sure.
The underlying problem is that "mount", when run confined by SELinux, is
only allowed to mount filesystems on mount points that have specific
context types, such as mnt_t. If you set up your partitioning at install
time, the installer generally sets the context types of the directories
to be used as mount points correctly. However, if you change your
filesystem arrangement at a later date then the mount point directory
you're using will probably have some other context type, such as
mail_spool_t in this case, which mount isn't normally allowed to use as
a mount point, and you get the AVC denials and failure to mount as a
result. The fix is simply to label the mount point directory
appropriately for a mount point.
The other issue is why the original setup fails at boot time when it
works just fine manually. The reason for this is that if you run "mount"
manually, it runs unconfined (as do most programs, e.g. httpd) but if
you run it from an initscript (as happens at boot time), the mount
process transitions to the correct confined domain. So you get the
denials at boot time but not when running "mount" manually. For this
reason, I always now use "service netfs start" rather than "mount -a"
after making changes to my filesystem layouts to check for SELinux issues.
Hope that clears it up.
Cheers, Paul.
Yes. Thanks. I did have another question but the replies below have
given me sufficient food for thought...for now :^)
Thanks again,
Max
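The relabel-and-retest procedure Paul describes, as an added example that is not part of the original thread. It checks the type field of a mount point's label, prints the persistent fix (semanage fcontext + restorecon) when the type is not one mount(8) may mount on, and reminds you to retest via "service netfs start" so that mount runs confined as it does at boot. The sample ls -Zd line, the /var/spool/mail path and the allowed-type list are constructed assumptions; mnt_t is the only type the thread names, and the real set in the policy is larger.

```shell
#!/bin/sh
# Check whether a directory carries a type SELinux lets mount(8) use as a
# mount point, and print the relabel commands if it does not.
# Added example, not code from the original thread. The allowed-type list
# and the sample paths below are assumptions for illustration.

# Types accepted as mount points. mnt_t is the one named in the thread; the
# reference policy grants mount_t "mounton" for every type carrying the
# mountpoint attribute, so extend this list to match your policy (assumption).
MOUNTPOINT_TYPES="mnt_t"

# Type field (third colon-separated field) of a context such as
# system_u:object_r:mail_spool_t:s0, or the older system_u:object_r:mail_spool_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the security context out of one `ls -Zd` line regardless of column
# layout: it is the field that contains ":object_r:".
context_from_ls_z() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }'
}

# Return 0 if the given type is in MOUNTPOINT_TYPES, 1 otherwise.
is_mountpoint_type() {
    for t in $MOUNTPOINT_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Given a directory and its ls -Zd line: return 0 if it is usable as a mount
# point, otherwise print the fix and return 1.
# Inspect and relabel the directory while NOTHING is mounted on it: once a
# filesystem is mounted there, ls -Zd shows the root of the mounted
# filesystem, not the mount point directory underneath it.
report_mountpoint() {
    dir=$1
    ctx=$(context_from_ls_z "$2")
    ctx_type=$(context_type "$ctx")
    if is_mountpoint_type "$ctx_type"; then
        echo "$dir: type $ctx_type is a mount point type; confined mount may use it"
        return 0
    fi
    echo "$dir: type $ctx_type is not a mount point type; confined mount will get an AVC denial" >&2
    echo "Persistent fix, then retest the way the initscript runs mount:" >&2
    echo "  semanage fcontext -a -t mnt_t '$dir(/.*)?'" >&2
    echo "  restorecon -Rv '$dir'" >&2
    echo "  service netfs start   # mount transitions to its confined domain here, unlike a manual mount -a" >&2
    return 1
}

# Live use: ./check_mountpoint.sh /srv/data ... (ls -Zd reads the real label).
if [ $# -gt 0 ]; then
    rc=0
    for d in "$@"; do
        report_mountpoint "$d" "$(ls -Zd "$d")" || rc=1
    done
    exit $rc
fi

# Offline demonstration on a constructed ls -Zd line (not real output):
# the mail_spool_t case from the thread.
SAMPLE_LINE='drwxrwxr-x  root mail system_u:object_r:mail_spool_t:s0 /var/spool/mail'
report_mountpoint /var/spool/mail "$SAMPLE_LINE" || true
```

chcon -t mnt_t would also make the mount work straight away, but a later relabel (restorecon or a touch /.autorelabel reboot) would put the old type back; the semanage fcontext entry is what survives that.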
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list