[refpolicy] [PATCH 1/1] Allow mount to work on all file locations

Sven Vermeulen sven.vermeulen at siphos.be
Wed Sep 7 14:23:22 CDT 2011


On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
> On 09/04/11 08:21, Sven Vermeulen wrote:
> > In order for mount to work with all file locations, it needs
> > relabelfrom privileges as well (next to the relabelto ones).
> > 
> > The same patch is also already present in fedora's repository.
> 
> I don't understand this, can you explain further?  This rule is for
> context mounts, in which it would be relabeling from any filesystem
> type to a file type.  When would it relabel from a file type?

It is indeed with a context mount that we encountered the issue (see
https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)

It can be easily reproduced even on non-NFS:

build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
mount: block device tmpfs is write-protected, mounting read-only
mount: cannot mount block device tmpfs read-only

build log # cat avc.log 
Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem

With the relabelfrom privilege the mount works as expected.

Wkr,
	Sven Vermeulen
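The denials above are the whole argument of the thread: the existing mount_t rule covers relabelto on the filesystem class, but a context mount also relabels the filesystem away from its default type, which is relabelfrom. The script below is an added example (not refpolicy code, not part of the message) that parses the two AVC lines quoted in the mail, checks them against a deliberately simplified model of the policy, and emits only the permission that is actually missing. The attribute name file_type, its membership set and the shape of the pre-existing rule are assumptions made for the example.

```python
"""Parse SELinux AVC denials and report which permissions an existing
(simplified) policy does not yet grant.  Added example, not refpolicy code."""
import re
from collections import defaultdict

# The two denials quoted in the message, each joined back onto one line.
AVC_LOG = """\
Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the only field a TE rule cares about)."""
    return ctx.split(":")[2]


def parse_avc(log):
    """Return {(source_type, target_type, tclass): set(perms)} for every denial,
    merging repeated denials of the same triple."""
    denials = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


# Simplified model of the policy state before the patch: an attribute that
# groups file types, and a rule giving mount_t relabelto only.  The attribute
# membership below is an assumption for this example.
ATTRIBUTES = {"file_type": {"portage_ebuild_t", "etc_t", "tmp_t"}}
POLICY_BEFORE = [("mount_t", "file_type", "filesystem", {"relabelto"})]


def expand(name):
    """An attribute stands for all of its member types; a type stands for itself."""
    return ATTRIBUTES.get(name, {name})


def granted(policy, source, target, tclass):
    """Permissions the policy grants source on target for tclass."""
    perms = set()
    for src, tgt, cls, p in policy:
        if source in expand(src) and target in expand(tgt) and cls == tclass:
            perms |= p
    return perms


def missing_rules(denials, policy):
    """For each denial, the permissions the policy does not already grant,
    rendered as the narrowest allow rule that would satisfy it."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        needed = perms - granted(policy, src, tgt, cls)
        if needed:
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(needed))} }};")
    return rules


if __name__ == "__main__":
    denials = parse_avc(AVC_LOG)
    for rule in missing_rules(denials, POLICY_BEFORE):
        print(rule)
```

The output names the single missing permission against the specific type from the log. Whether to grant it per type or, as the patch does, alongside relabelto on the whole attribute is the policy decision the thread is about; the checker only shows that relabelto alone does not satisfy a context mount.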
