A couple of mount AVCs

Jason L Tibbitts III tibbs at math.uh.edu
Wed Aug 16 14:38:10 UTC 2006


I'm experimenting with turning on SELinux for my FC5 desktops.  I took
a machine that was kickstarted with "selinux --disabled", fully
updated, edited /etc/sysconfig/selinux to change "disabled" to
"enforcing", rebooted and waited for the relabel.

Upon boot I get this twice:

audit(1155677507.814:309): avc:  denied  { mounton } for  pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir

/var/spool/mail is supposed to be NFS mounted, but this AVC causes
that mount to fail.  (Yes, IMAP will be my savior, but some people
here still use /bin/mail.  Really.)  What's odd is that I can log in
as root and type "mount /var/spool/mail" and it mounts fine.

We also have NFS-mounted user home directories via autofs; the map is
in LDAP and nscd is running.  Every attempt to access a user home
directory results in:

audit(1155738357.735:345): avc:  denied  { write } for  pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc:  denied  { write } for  pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts

and the mount actually succeeds.

On a whim I touched /.autorelabel and rebooted again; the AVCs are
unchanged.

Again, fully updated FC5:

selinux-policy-targeted-2.3.3-8.fc5.noarch
libselinux-1.30.3-4.fc5.i386
selinux-policy-2.3.3-8.fc5.noarch
kernel-2.6.17-1.2174_FC5.i586

 - J<
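For readers triaging denials like the ones quoted above, the following is an added example (not part of the original post, and not a Fedora or SELinux project tool) that parses the `audit(...)` AVC line format into its fields, splits `scontext`/`tcontext` into user:role:type:level, skips non-AVC lines such as the "SELinux: initialized" message, and collapses repeated denials into a per-(source type, target type, class) summary. The sample input is the three AVC lines and the one non-AVC line from the post, embedded as a constructed log; the regular expressions and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC lines quoted in the post above, plus the
# non-AVC "SELinux: initialized" line that a parser must ignore.
SAMPLE_LOG = """\
audit(1155677507.814:309): avc:  denied  { mounton } for  pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1155738357.735:345): avc:  denied  { write } for  pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc:  denied  { write } for  pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
"""

# Header of a kernel-format AVC record: timestamp, serial, result, permission set.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' (MLS ranges)."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level[0] if level else None}


def parse_avc(line):
    """Return a dict for one AVC line, or None for any line that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def summarize(log_text):
    """Collapse denials into (source type, target type, class) -> perms, count, commands."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "comm": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
        summary[key]["perms"].update(rec["perms"])
        summary[key]["count"] += 1
        summary[key]["comm"].add(rec["comm"])
    return dict(summary)


def format_rule_candidates(summary):
    """Render each collapsed denial in allow-rule shape, for human review only.

    A denial can mean a mislabelled file rather than a missing rule, so these
    lines are a starting point for investigation, not something to load as-is.
    """
    lines = []
    for (src, tgt, cls), v in sorted(summary.items()):
        perms = " ".join(sorted(v["perms"]))
        comms = ",".join(sorted(v["comm"]))
        lines.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # seen {v['count']}x from {comms}")
    return lines


if __name__ == "__main__":
    for line in format_rule_candidates(summarize(SAMPLE_LOG)):
        print(line)
```

Running it on the post's lines yields two collapsed entries: mount_t on mail_spool_t:dir needing `mounton`, and mount_t on nscd_var_run_t:sock_file needing `write` (seen twice, matching the duplicated AVC). The second pair is the one that did not stop the mount from succeeding, which the summary makes visible by showing it separately from the mail-spool denial.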
