mount ? - selinux - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

mount ?

get the red and green back (really...

mailman...

Tom London

Thursday, 16 September 2004 Thu, 16 Sep '04

12:37 p.m.

Running strict/enforcing, with latest from Dan's tree. The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode. No AVCs produced..... tom

Reply

Show replies by date

Daniel J Walsh

Thursday, 16 September Thu, 16 Sep

12:46 p.m.

Tom London wrote:

Running strict/enforcing, with latest from Dan's tree. The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode. No AVCs produced..... tom -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Try mount | cat Problem is sysadm is transitioning to the mount command which is not allowed to write to tty devices. Normal users don't have the problem since they don't transition to mount. Not sure how to solve. Dan

Reply

Stephen Smalley

1:08 p.m.

On Thu, 2004-09-16 at 13:46, Daniel J Walsh wrote:

Problem is sysadm is transitioning to the mount command which is not allowed to write to tty devices. Normal users don't have the problem since they don't transition to mount. Not sure how to solve.

You can allow mount_t to rw admin_tty_type:chr_file; it isn't the same situation as with a daemon where you want to prevent a compromised daemon from being able to access it. -- Stephen Smalley <sds(a)epoch.ncsc.mil> National Security Agency

Reply

Daniel J Walsh

12:51 p.m.

Tom London wrote:

Running strict/enforcing, with latest from Dan's tree. The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode. No AVCs produced..... tom -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Try this. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.17/domains/program/mount.te 2004-09-16 13:50:45.899174425 -0400 @@ -93,7 +93,8 @@ allow mount_t file_type:filesystem { unmount mount relabelto }; allow mount_t mnt_t:dir { getattr }; -dontaudit mount_t { userdomain kernel_t}:fd use; +allow mount_t { userdomain }:fd use; +dontaudit mount_t { kernel_t}:fd use; can_exec(mount_t, { sbin_t bin_t }) allow mount_t device_t:dir r_dir_perms; ifdef(`distro_redhat', `

Reply

Tom London

1:11 p.m.

1. 'mount | cat' indeed works. 2. 'mount' from normal user also works. 3. patch applied and works! Thanks! tom On Thu, 16 Sep 2004 13:51:32 -0400, Daniel J Walsh <dwalsh(a)redhat.com> wrote:

Tom London wrote: > Running strict/enforcing, with latest from Dan's tree. > > The 'mount' command produces no output when run in enforcing mode. > Works fine in permissive mode. > > No AVCs produced..... > > tom > > > -- > fedora-selinux-list mailing list > fedora-selinux-list(a)redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list Try this. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.17/domains/program/mount.te 2004-09-16 13:50:45.899174425 -0400 @@ -93,7 +93,8 @@ allow mount_t file_type:filesystem { unmount mount relabelto }; allow mount_t mnt_t:dir { getattr }; -dontaudit mount_t { userdomain kernel_t}:fd use; +allow mount_t { userdomain }:fd use; +dontaudit mount_t { kernel_t}:fd use; can_exec(mount_t, { sbin_t bin_t }) allow mount_t device_t:dir r_dir_perms; ifdef(`distro_redhat', ` -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- Tom London

Reply

Russell Coker

Thursday, 23 September Thu, 23 Sep

7:51 a.m.

On Fri, 17 Sep 2004 03:51, Daniel J Walsh <dwalsh(a)redhat.com> wrote:

Tom London wrote: > Running strict/enforcing, with latest from Dan's tree. > > The 'mount' command produces no output when run in enforcing mode. > Works fine in permissive mode. Try this. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.17/domains/program/mount.te 2004-09-16 13:50:45.899174425 -0400 @@ -93,7 +93,8 @@ allow mount_t file_type:filesystem { unmount mount relabelto }; allow mount_t mnt_t:dir { getattr }; -dontaudit mount_t { userdomain kernel_t}:fd use; +allow mount_t { userdomain }:fd use; +dontaudit mount_t { kernel_t}:fd use;

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132914 This is a bug in su which we have to get fixed. In the mean time it's best to have ifdef(`distro_redhat' around that as no other distribution has this issue. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

Reply

7163

days inactive

7170

days old

selinux@lists.fedoraproject.org

Manage subscription

5 comments

5 participants

tags (0)

participants (5)

Daniel J Walsh
Russell Coker
Stephen Smalley
Tom London
Tom London