Hey all, A SE Linux newbie here. I am trying to learn SE Linux to fix this one issue we are having on our servers and I was hoping someone here might be able to give me some insight into the problem and tell me if I am following the correct line of thinking or not.

We have FC5 systems with an automount point that mounts a directory on our main server for the cluster. Inside this mountpoint are some directories, which contain a list of rpms. Each of these rpms is really just a symlink to another automount point that automounts a certain Fedora Core iso image which really contains the real rpm. This makes it really easy to install the rpms without having to scour all four FC5 cds manually.

The problem is that SE Linux doesn't seem to want us to mount the iso image automatically from nfs. When I directly use the mount command on the iso it mounts perfectly fine, but when I try to have the automounter mount it, it fails with the following error in /var/log/messages:

avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso" dev=0:17 no=1188825 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

After reading various SE Linux HOWTO's and pieces of documentation what it looks like to me (a SE Linux newbie) is that the mount_t domain does not have access to read files under the nfs_t domain security context. So after various reading I thought all I would have to do is create a domain transition from the mount_t domain to the nfs_t domain. I created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and added the following line:

domain_auto_trans(mount_t, mount_exec_t, nfs_t)

Unfortunatly, when I did a make load I got the following two errors

assertion on line 226661 violated by allow nfs_t mount_t:process { sigchld }; assertion on line 226508 violated by allow mount_t nfs_t:process { transition };

Line 226661 of policy.conf contains

neverallow ~{ domain unlabeled_t } *:process *;

and line 226508 of policy.conf contains

neverallow domain ~domain:process transition;

Unfortunatly, with my limited knowledge in SE Linux I am unsure of what is wrong with my statement, why it violates those two rules, what those two rules really mean and even if I am following the correct path. I also tried to switch mount_t and nfs_t in the domain_auto_trans function which resulted in the same assertions.

Finally, I decided to take a stab in the dark and try a different approach without dealing with domains. The only information I could deduce from those previous error messages were that one of those was not an actual domain. After looking at various entries in the policy.conf I commented out the domain transition and instead put in:

allow mount_t nfs_t:file { read };

thinking that this would allow processes in the mount_t security context to read files in the nfs_t context. I then ran make load, which didn't give any hassle, looked in the policy.conf to make sure it was listed in there (which it was), and tried again. It still gave the original error.

After reading various threads on mailing lists (found through google) I decided to try giving the main directory a different security context so it wasn't in the nfs_t domain. So I edited the /etc/auto.misc entry for the original mountpoint to include context=system_u:object_r:tmp_t, which failed with the message:

SELinux: security_context_to_sid(system_u:object_r/tmp_t) failed for (dev 0:17, type nfs) errno=-22

which I am guessing means it doesn't have access to change security contexts.

I am really stumped as to how to proceed from here. If anyone could give me any advice I would really appreciate it.

Thanks --Matthew Shapiro