Summary:
SELinux prevented mount from mounting on the file or directory "./Fedora-9-Everything-i386-DVD1.iso" (type "samba_share_t").
Detailed Description:
SELinux prevented mount from mounting a filesystem on the file or directory "./Fedora-9-Everything-i386-DVD1.iso" of type "samba_share_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "samba_share_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.
Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information:
Source Context:       system_u:system_r:mount_t
Target Context:       user_u:object_r:samba_share_t
Target Objects:       ./Fedora-9-Everything-i386-DVD1.iso [ file ]
Source:               mount
Source Path:          /bin/mount
Port:                 <Unknown>
Host:                 server-01
Source RPM Packages:  util-linux-2.13-0.47.el5
Target RPM Packages:
Policy RPM:           selinux-policy-2.4.6-137.1.el5
Selinux Enabled:      True
Policy Type:          targeted
MLS Enabled:          True
Enforcing Mode:       Enforcing
Plugin Name:          allow_mount_anyfile
Host Name:            server-01
Platform:             Linux server-01 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon
Alert Count:          3
First Seen:           Sun 13 Jul 2008 10:26:26 IST
Last Seen:            Sun 13 Jul 2008 11:07:49 IST
Local ID:             268bdb54-5d8d-4c81-b7ba-0392b5cea34e
Line Numbers:
Raw Audit Messages
host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied { write } for pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_share_t:s0 tclass=file
host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
Hi,
Please try to be more specific about what you are trying to do, how you are trying to do it, what you expected, what is going wrong, and what you tried to do to repair it. Your previous mail looks like the output of a tool, I don't even know which. Knowing that would help solve your issue.
From what I see, you are trying to mount an .iso file in a target directory inside Samba's tree, and SELinux is denying that (with the AVC you showed on your original message).
SELinux complains because the target directory is not marked with the "mnt_t" type and, for security, it restricts mounting filesystems only to directories with that type.
To change that, you could use "chcon" to set the type to the directory where you want to mount your iso.
# chcon -t mnt_t /path/to/mountpoint
# mount -o loop,ro /path/to/iso/Fedora.iso /path/to/mountpoint
You can use ls -Z (or if it's a directory ls -dZ) to verify the SELinux user:role:type of the file.
Please let us know how that works for you.
HTH, Filipe
On Sun, 2008-07-13 at 11:49 -0400, Filipe Brandenburger wrote:
> Hi,
> Please try to be more specific about what you are trying to do, how you are trying to do it, what you expected, what is going wrong, and what you tried to do to repair it. Your previous mail looks like the output of a tool, I don't even know which. Knowing that would help solve your issue.
tool: setroubleshoot.noarch :: gui helps solve selinux problems either Redhat\Fedora epel or rpmforge d\l
> From what I see, you are trying to mount an .iso file in a target directory inside Samba's tree, and SELinux is denying that (with the AVC you showed on your original message).
The 4 isos are shared to Fedora clients using samba, every file under the shared main mountpoint has SELinux samba shared context.
> SELinux complains because the target directory is not marked with the "mnt_t" type and, for security, it restricts mounting filesystems only to directories with that type.
That is probably what I'm looking for
> To change that, you could use "chcon" to set the type to the directory where you want to mount your iso.
> # chcon -t mnt_t /path/to/mountpoint
> # mount -o loop,ro /path/to/iso/Fedora.iso /path/to/mountpoint
> You can use ls -Z (or if it's a directory ls -dZ) to verify the SELinux user:role:type of the file.
> Please let us know how that works for you.
Will give a good check in the am.
> HTH, Filipe
Frank