I'm experimenting with turning on SELinux for my FC5 desktops. I took a machine that was kickstarted with "selinux --disabled", fully updated, edited /etc/sysconfig/selinux to change "disabled" to "enforcing", rebooted and waited for the relabel.
Upon boot I get this twice:
audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
/var/spool/mail is supposed to be NFS mounted, but this AVC causes that mount to fail. (Yes, IMAP will be my savior, but some people here still use /bin/mail. Really.) What's odd is that I can log in as root and type "mount /var/spool/mail" and it mounts fine.
We also have NFS-mounted user home directories via autofs; the map is in LDAP and nscd is running. Every attempt to access a user home directory results in:
audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
and the mount actually succeeds.
On a whim I touched /.autorelabel and rebooted again; the AVCs are unchanged.
Again, fully updated FC5:
selinux-policy-targeted-2.3.3-8.fc5.noarch
libselinux-1.30.3-4.fc5.i386
selinux-policy-2.3.3-8.fc5.noarch
kernel-2.6.17-1.2174_FC5.i586
- J<
Jason L Tibbitts III wrote:
> I'm experimenting with turning on SELinux for my FC5 desktops. I took a machine that was kickstarted with "selinux --disabled", fully updated, edited /etc/sysconfig/selinux to change "disabled" to "enforcing", rebooted and waited for the relabel.
> Upon boot I get this twice:
> audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
> /var/spool/mail is supposed to be NFS mounted, but this AVC causes that mount to fail. (Yes, IMAP will be my savior, but some people here still use /bin/mail. Really.) What's odd is that I can log in as root and type "mount /var/spool/mail" and it mounts fine.

Unmount /var/spool/mail

Try:
# service netfs start

This should try and fail to do the mount, just as it does at boot time.

Now try:
# chcon -t mnt_t /var/spool/mail
# service netfs start

This time it should work.

> We also have NFS-mounted user home directories via autofs; the map is in LDAP and nscd is running. Every attempt to access a user home directory results in:
> audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
> and the mount actually succeeds.

What's the output of:
# getsebool use_nfs_home_dirs

It's probably set or you'd be having lots of other failures. It may be something that needs dontaudit-ing since it's actually working OK.

Paul.
Paul Howarth wrote:
> Jason L Tibbitts III wrote:
> > I'm experimenting with turning on SELinux for my FC5 desktops. I took a machine that was kickstarted with "selinux --disabled", fully updated, edited /etc/sysconfig/selinux to change "disabled" to "enforcing", rebooted and waited for the relabel.
> > Upon boot I get this twice:
> > audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
> > /var/spool/mail is supposed to be NFS mounted, but this AVC causes that mount to fail. (Yes, IMAP will be my savior, but some people here still use /bin/mail. Really.) What's odd is that I can log in as root and type "mount /var/spool/mail" and it mounts fine.
>
> Unmount /var/spool/mail
>
> Try:
> # service netfs start
>
> This should try and fail to do the mount, just as it does at boot time.
>
> Now try:
> # chcon -t mnt_t /var/spool/mail
> # service netfs start
>
> This time it should work.
>
> > We also have NFS-mounted user home directories via autofs; the map is in LDAP and nscd is running. Every attempt to access a user home directory results in:
> > audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> > audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> > SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
> > and the mount actually succeeds.
>
> What's the output of:
> # getsebool use_nfs_home_dirs
>
> It's probably set or you'd be having lots of other failures. It may be something that needs dontaudit-ing since it's actually working OK.
>
> Paul.
>
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

No, it should be allowed; mount is trying to use nscd to look at user records. Updated policy with this allow.
selinux@lists.fedoraproject.org
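A small POSIX shell helper, added here as an illustration and not part of the thread, that turns raw dmesg AVC lines like the ones quoted above into "source type, permission, target type:class, comm" tuples and collapses repeats into a count; the sample log is constructed from the denials in this thread plus the non-AVC kernel line that followed them.

```shell
#!/bin/sh
# Constructed sample: the denials quoted in this thread as dmesg prints them,
# plus the non-AVC kernel line that followed them, which a summary must ignore.
AVC_SAMPLE='audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts'

# avc_field LINE KEY: print the value of KEY=value, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_type CONTEXT: the type component of a user:role:type:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summarize LINE: print "source_type perm target_type:class comm" for an
# AVC denial; return 1 and print nothing for any other kernel line.
avc_summarize() {
    case $1 in
        *'avc: denied'*) ;;
        *) return 1 ;;
    esac
    _perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    printf '%s %s %s:%s %s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" "$_perm" \
        "$(avc_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" comm)"
}

# avc_report: one line per distinct denial in AVC_SAMPLE, prefixed by how often
# it occurred, so the repeated nscd-socket denial (:345, :346) becomes a count.
avc_report() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r _l; do
        avc_summarize "$_l" || :    # non-AVC lines are skipped, not fatal
    done | sort | uniq -c | sed 's/^[[:space:]]*//'
}

avc_report
```

Separated this way, the mounton denial on mail_spool_t:dir is the mount-point label question that Paul's chcon test probes, while the write denial on nscd_var_run_t:sock_file is the one Dan's policy update allows.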