SELinux denying chcon -- OUCH!
Stephen Smalley
sds at tycho.nsa.gov
Tue Mar 28 20:45:31 UTC 2006
On Tue, 2006-03-28 at 12:51 -0600, Ian Pilcher wrote:
> A little background -- I have my music collection stored on 5 reiserfs
> filesystems, on top of five separate software RAID devices (md4-md8). I
> use httpd to make them available on my *home* network (and if the RIAA
> has a problem with that they can kiss my lily-white...sorry). I
> generally mount them as /var/www/html/music/music{0,1,2,3,4}.
>
> Today I rebooted my system (Fedora Core 5, fully updated) and got some
> bizarre warnings about being unable to mount a block device read-only.
> Sure enough...
>
> audit(1143570731.388:11): avc: denied { mounton } for pid=1703
> comm="mount" name="music0" dev=md1 ino=131232
> scontext=system_u:system_r:mount_t:s0
> tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir
>
> Hmm, looks like a special context is now needed for mount points. I can
> see why that might be a good idea, so...
>
> chcon system_u:system_r:mount_t /var/www/html/music/*
>
> chcon: failed to change context of /var/www/html/music/music0 to
> system_u:system_r:mount_t: Permission denied
>
> type=AVC msg=audit(1143571740.714:59): avc: denied { relabelto } for
> pid=3036 comm="chcon" name="music0" dev=md1 ino=131232
> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=system_u:system_r:mount_t:s0 tclass=dir
>
> This is either a learning opportunity for me, or a serious problem. I
> can't wait to find out which.
mount_t is a domain, i.e. a type for a process running the mount program,
not a file type to assign to mount point directories. Not sure what
type to recommend for what you describe - Dan? Likely need a generic
mnt_t or similar with the mountpoint attribute?
--
Stephen Smalley
National Security Agency
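The two denials quoted above are a good test case for a small triage script: pull the permission, source type and target type out of each AVC line and say what the denial means. The script below is an added example and is not code from the thread or from the SELinux project. The two sample AVC lines are the ones from the mail; DOMAIN_TYPES is a constructed stand-in for the set of types that carry the policy's domain attribute (on a live system you would fill it from `seinfo -a domain -x`, part of setools).

```shell
#!/bin/sh
# Added example (not from the thread): classify the AVC denials quoted above.
# The two AVC_* lines are copied from the mail; DOMAIN_TYPES is a constructed
# stand-in for the policy's process domains, not a real policy query.

# Constructed list of types carrying the "domain" attribute, i.e. process
# domains. Such a type is never a valid label for a file or directory.
DOMAIN_TYPES="mount_t httpd_t unconfined_t init_t"

AVC_MOUNTON='audit(1143570731.388:11): avc: denied { mounton } for pid=1703 comm="mount" name="music0" dev=md1 ino=131232 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir'
AVC_RELABEL='type=AVC msg=audit(1143571740.714:59): avc: denied { relabelto } for pid=3036 comm="chcon" name="music0" dev=md1 ino=131232 scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:system_r:mount_t:s0 tclass=dir'

# The third colon-separated field of a context (user:role:type:range) is the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Value of the key=value field named $2 in AVC line $1; empty if absent.
avc_field() { printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"; }

# Permission named between the braces, e.g. "mounton".
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '; }

# True if $1 is a process domain according to DOMAIN_TYPES.
is_domain() {
    case " $DOMAIN_TYPES " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print a one-line diagnosis for a single AVC denial line.
diagnose() {
    local line perm sctx tctx tclass stype ttype
    line=$1
    perm=$(avc_perm "$line")
    sctx=$(avc_field "$line" scontext)
    tctx=$(avc_field "$line" tcontext)
    tclass=$(avc_field "$line" tclass)
    stype=$(ctx_type "$sctx")
    ttype=$(ctx_type "$tctx")
    case "$perm:$tclass" in
        mounton:dir)
            # The directory's current type is not an allowed mount point type.
            printf '%s may not mount on a directory labelled %s: give the mount point a type carrying the mountpoint attribute\n' "$stype" "$ttype"
            ;;
        relabelto:*)
            if is_domain "$ttype"; then
                # The requested target type is a domain; the policy will never
                # allow a file to be relabelled to it, whatever the caller is.
                printf '%s is a process domain, not a file type: chcon to it is refused (relabelto)\n' "$ttype"
            else
                printf '%s may not relabel %s objects to %s\n' "$stype" "$tclass" "$ttype"
            fi
            ;;
        *)
            printf '%s denied %s on %s (%s)\n' "$stype" "$perm" "$tclass" "$ttype"
            ;;
    esac
}

# Run over the two lines from the mail.
for avc in "$AVC_MOUNTON" "$AVC_RELABEL"; do
    diagnose "$avc"
done
```

Note that the second diagnosis does not depend on who ran chcon: the relabelto denial lists an unconfined_t source, but the check that matters is that the target type is a domain. For the first denial the durable fix is a file-context rule (`semanage fcontext` followed by `restorecon`) rather than a one-off chcon, with the type chosen from the policy in use; the reply above suggests mnt_t or something similar carrying the mountpoint attribute.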