On Thu, 2007-01-11 at 14:34 -0500, Matthew Shapiro wrote:
> Hey all, An SE Linux newbie here. I am trying to learn SE Linux to fix
> this one issue we are having on our servers and I was hoping someone
> here might be able to give me some insight into the problem and tell me
> if I am following the correct line of thinking or not.
>
> We have FC5 systems with an automount point that mounts a directory on
> our main server for the cluster. Inside this mountpoint are some
> directories, which contain a list of rpms. Each of these rpms is really
> just a symlink to another automount point that automounts a certain
> Fedora Core iso image which really contains the real rpm. This makes it
> really easy to install the rpms without having to scour all four FC5 cds
> manually.
>
> The problem is that SE Linux doesn't seem to want us to mount the iso
> image automatically from nfs. When I directly use the mount command on
> the iso it mounts perfectly fine, but when I try to have the automounter
> mount it, it fails with the following error in /var/log/messages:
>
> avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso"
> dev=0:17 ino=1188825 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=file
audit2allow -M local < /var/log/messages
semodule -i local.pp
> After reading various SE Linux HOWTO's and pieces of documentation
Did you look at the Fedora SELinux FAQ and wiki pages?
http://fedora.redhat.com/docs/selinux-faq-fc5/
http://fedoraproject.org/wiki/SELinux/
> what it looks like to me (an SE Linux newbie) is that the mount_t domain
> does not have access to read files under the nfs_t domain security
> context. So after various reading I thought all I would have to do is
> create a domain transition from the mount_t domain to the nfs_t domain.
> I created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te
> and
Are you actually using strict policy? It isn't the default in Fedora.
> added the following line:
>
> domain_auto_trans(mount_t, mount_exec_t, nfs_t)
nfs_t is a file type, not a process domain, and you want to allow
mount_t to read nfs_t:file, not transition into it.
> Finally, I decided to take a stab in the dark and try a different
> approach without dealing with domains. The only information I could
> deduce from those previous error messages was that one of those was not
> an actual domain. After looking at various entries in the policy.conf I
> commented out the domain transition and instead put in:
>
> allow mount_t nfs_t:file { read };
That looks correct, and is what audit2allow would generate.
> thinking that this would allow processes in the mount_t security context
> to read files in the nfs_t context. I then ran make load, which didn't
> give any hassle, looked in the policy.conf to make sure it was listed in
> there (which it was), and tried again. It still gave the original
> error.
load_policy will always load the active policy, as defined
by /etc/selinux/config, which defaults to targeted. In which case it
never looked at your policy at all. Also, you want to use a loadable
policy module since FC5 (and later) supports them.
--
Stephen Smalley
National Security Agency
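An added example, not code from the thread or from either poster: a POSIX shell script that does by hand what `audit2allow -M local` does with the denial quoted above (turn the AVC record into an `allow` rule, wrap it in a loadable module source with its `require` block), shows the `checkmodule`/`semodule_package`/`semodule` steps that build and load it, and reads `SELINUXTYPE` from an `/etc/selinux/config`-style file to make Smalley's point about which policy actually gets loaded. The function names (`avc_to_allow`, `avc_to_te`, `active_policy_type`, `build_and_load`) and the sample AVC line are constructed for this illustration; the sed/awk here is a stand-in for the real `audit2allow`, and `build_and_load` assumes checkpolicy and policycoreutils are installed and is not run by the script.

```shell
#!/bin/sh
# Added example, not code from the thread: do by hand what
#   audit2allow -M local < /var/log/messages && semodule -i local.pp
# does for the denial quoted above, and check which policy type
# /etc/selinux/config actually activates. Names here are constructed.

# Constructed copy of the AVC denial from the thread, as one log line.
AVC_SAMPLE='avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso" dev=0:17 ino=1188825 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin, print one allow rule per denial.
# The rule names the source *type* (mount_t) and target *type* (nfs_t) from
# the contexts, not the user/role fields, plus the denied class and perms.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1};/p'
}

# avc_to_te: read allow rules on stdin, print loadable module source for
# module $1, with the require block a module needs for types and classes
# it does not itself define.
avc_to_te() {
    awk -v mod="$1" '
    $1 == "allow" {
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        if (!(src in seen)) { seen[src] = 1; tlist[++nt] = src }
        if (!(tgt in seen)) { seen[tgt] = 1; tlist[++nt] = tgt }
        if (!(cls in cseen)) { cseen[cls] = 1; clist[++nc] = cls }
        # permissions sit between the "{" in $4 and the "};" in $NF
        for (i = 5; i < NF; i++)
            if (index(" " cperm[cls] " ", " " $i " ") == 0)
                cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") $i
        rules[++nr] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", clist[i], cperm[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# active_policy_type: print SELINUXTYPE from an /etc/selinux/config-style
# file ($1). Fedora falls back to "targeted" when the line is absent, so a
# .te dropped under /etc/selinux/strict/ is never loaded unless this says
# "strict".
active_policy_type() {
    t=''
    if [ -r "$1" ]; then
        t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1)
    fi
    printf '%s\n' "${t:-targeted}"
}

# build_and_load: compile $1.te into $1.pp and load it into the active policy
# store (what audit2allow -M followed by semodule -i does). Assumes checkpolicy
# and policycoreutils are installed and you are root; not run by this script.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Demo: the module source audit2allow would produce for the thread's denial.
# Redirect it to local.te and run "build_and_load local" to install it.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | avc_to_te local
printf 'active policy type: %s\n' "$(active_policy_type /etc/selinux/config)"
```

The `require` block matters: the rule in the thread's policy.conf was correct, but a module that references `mount_t`, `nfs_t` or `file` without declaring that it requires them is rejected at `semodule -i` time, and the generated source above is what gets past that check on the targeted policy that `load_policy` is actually loading.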