Stephen Smalley wrote:
> On Fri, 2009-01-30 at 15:45 -0800, Clarkson, Mike R (US SSA) wrote:
>> I got the following AVC denial in the audit logs and I'm wondering what
>> would cause this:
>>
>> type=AVC msg=audit(1232734163.528:997720):avc: denied { mount } for
>> pid=28016 comm="find" name="/" dev=0:1c ino=0
>> scontext=root:staff_r:libstart_t:s0-s4:c0.c255
>> tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
>>
>> The program running in the libstart_t domain is using the "find" cmd,
>> and find is requiring the "mount" permission. Could this be caused by
>> "find" traversing into an automounted (NFS) directory? But in that case
>> I would expect the automount daemon, which is running in the automount_t
>> domain, to do the mounting.
>
> Could be an NFS submount, triggered upon traversing the boundary?
>

We had this happen on another bug report, and I think it is just wrong.

Since the automounter could mount any file system, or any file for that
matter, this means that in order to make this work, any confined domain
that could traverse a directory that is automounted could fail with an
AVC like the above.

guest_t cd to /mynfs

Would fail????

automount is doing the mount, so the kernel should say automount, not
libstart_t. I think this is a bug in the kernel.

--
This message was distributed to subscribers of the selinux mailing list.
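The denial quoted in the thread, parsed the way audit2allow reads it, as an added example that is not part of the thread or of any SELinux tool's source. The AVC line is copied from the report; the helper names (avc_field, avc_perms, ctx_type, avc_to_allow, avc_is_fs_mount) are assumptions of this example. The rule it prints is what a naive `audit2allow -M` run would hand you, which is the point of the discussion: the source domain in the rule is whatever the kernel charged (libstart_t here), not necessarily the domain that actually performed the mount, so a filesystem:mount denial against a domain that never calls mount(2) deserves a second look before the generated rule is loaded.

```bash
#!/bin/sh
# Added example (not from the thread): parse one SELinux AVC denial line and
# emit the type-enforcement rule audit2allow would generate for it.
# The AVC line is the one from the report; the helper names are ours.

AVC='type=AVC msg=audit(1232734163.528:997720):avc: denied { mount } for pid=28016 comm="find" name="/" dev=0:1c ino=0 scontext=root:staff_r:libstart_t:s0-s4:c0.c255 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem'

# avc_field KEY LINE: value of the first "KEY=value" token in LINE
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission names between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of user:role:type[:range]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: "allow <source> <target>:<class> { perms };"
# This is the rule audit2allow derives. The source domain is whatever the
# kernel charged in scontext (libstart_t here), which the thread argues is
# the wrong domain for an automounter-triggered NFS submount.
avc_to_allow() {
    line=$1
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    perms=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_is_fs_mount LINE: succeed when the denial is filesystem:mount, the
# pattern this thread is about, so it can be flagged for review instead of
# being allowed mechanically.
avc_is_fs_mount() {
    [ "$(avc_field tclass "$1")" = filesystem ] || return 1
    case " $(avc_perms "$1") " in
        *" mount "*) return 0 ;;
    esac
    return 1
}

avc_to_allow "$AVC"
if avc_is_fs_mount "$AVC"; then
    echo "note: filesystem mount charged to $(ctx_type "$(avc_field scontext "$AVC")") (comm=$(avc_field comm "$AVC"))"
fi
```

Run it as-is and it prints `allow libstart_t nfs_t:filesystem { mount };` followed by the note that the mount was charged to libstart_t with comm="find". The parser only needs sed and cut, so it works on a box without audit2allow installed; it does not attempt to decide which domain should have been charged, since that is exactly the kernel-side question the thread raises.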