[refpolicy] [PATCH 1/1] Allow mount to work on all file locations

Christopher J. PeBenito cpebenito at tresys.com
Thu Sep 8 12:12:28 CDT 2011


On 9/7/2011 3:23 PM, Sven Vermeulen wrote:
> On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
>> On 09/04/11 08:21, Sven Vermeulen wrote:
>>> In order for mount to work with all file locations, it needs
>>> relabelfrom privileges as well (next to the relabelto ones).
>>>
>>> The same patch is also already present in fedora's repository.
>>
>> I don't understand this, can you explain further?  This rule is for
>> context mounts, in which it would be relabeling from any filesystem
>> type to a file type.  When would it relabel from a file type?
>
> It is indeed with a context mount that we encountered the issue (see
> https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
>
> It can be easily reproduced even on non-NFS:
>
> build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> mount: block device tmpfs is write-protected, mounting read-only
> mount: cannot mount block device tmpfs read-only
>
> build log # cat avc.log
> Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400
> audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400
> audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
>
> With the relabelfrom privilege the mount works as expected.

This looks like a bug.  I'd expect the relabelfrom tcontext to be tmpfs_t.  I've asked Eric Paris to look into this.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
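Added example, not part of the thread: a small parser for the AVC denial records quoted above, which renders the audit2allow-style rule the denial asks for and flags the point Chris raises, namely that for a context mount the `relabelfrom` target should be the filesystem's own type (tmpfs_t here) rather than the `context=` type. The sample record is the thread's own log with the kernel's two wrapped lines joined; the `fs_type` argument is an assumption supplied by the caller.

```python
import re

# The denial from the thread, with the kernel's two wrapped lines joined into one record.
SAMPLE_AVC = (
    'Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400 '
    'audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736 '
    'comm="mount" scontext=root:sysadm_r:mount_t '
    'tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Third component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """The policy rule that would silence this denial (audit2allow style)."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]),
        rec["tclass"], " ".join(rec["perms"]))


def relabelfrom_source_matches_fs(rec, fs_type):
    """For a context mount, the relabelfrom target should be the filesystem's own type
    (fs_type, e.g. tmpfs_t, an assumption passed by the caller). Returns False when the
    kernel instead reports the context= type, which is the anomaly discussed in the thread."""
    if rec["tclass"] != "filesystem" or "relabelfrom" not in rec["perms"]:
        return True  # not the case under discussion
    return context_type(rec["tcontext"]) == fs_type


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(allow_rule(rec))
    print("relabelfrom source is the fs type:", relabelfrom_source_matches_fs(rec, "tmpfs_t"))
```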
