Bug 852763

| Field | Value |
|---|---|
| Summary | root can't mount any file via loop device with enforcing mls policy |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Andrey Alekseenkov <alekseenkov> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Michal Trunecka <mtruneck> |
| Severity | medium |
| Docs Contact | |
| Priority | high |
| Version | 6.1 |
| CC | alekseenkov, dwalsh, ebenes, mmalik, mtruneck |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.7.19-172.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-02-21 08:28:25 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Andrey Alekseenkov
2012-08-29 14:10:46 UTC
The same situation is happening in RHEL 6.3 with selinux-policy-mls-3.7.19-155.el6.

Still the same even if the following commands were executed before mount ...:

    setsebool allow_mount_anyfile 1
    setsebool allow_domain_fd_use 1

audit2allow says that the AVC is a constraint violation. It should work with mls_fd_use_all_levels(kernel_t).

Yes, it works now. Thanks.

Fixed.

Under MLS I am unable to make a filesystem in the file:

    # id -Z
    root:sysadm_r:sysadm_t:s0-s15:c0.c1023
    # mkfs -t vfat /opt/fat2.img
    mkfs.vfat 3.0.9 (31 Jan 2010)
    mkfs.vfat: unable to open /opt/fat2.img

    selinux-policy-3.7.19-162.el6.noarch
    selinux-policy-mls-3.7.19-162.el6.noarch
    util-linux-ng-2.17.2-12.7.el6.x86_64

    ----
    time->Fri Oct 12 13:55:36 2012
    type=PATH msg=audit(1350042936.073:105): item=0 name="/opt/fat2.img" inode=134208 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:usr_t:s0
    type=CWD msg=audit(1350042936.073:105): cwd="/root"
    type=SYSCALL msg=audit(1350042936.073:105): arch=c000003e syscall=2 success=no exit=-13 a0=7fff05b1d7bf a1=82 a2=7f86b9cc7ed8 a3=7fff05b1b1d0 items=1 ppid=2005 pid=2023 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="mkfs.vfat" exe="/sbin/mkdosfs" subj=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 key=(null)
    type=AVC msg=audit(1350042936.073:105): avc: denied { write } for pid=2023 comm="mkfs.vfat" name="fat2.img" dev=dm-0 ino=134208 scontext=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file

Well, fsadm_t, which mkfs.vfat runs as, is not allowed to create images in random directories. I guess we can either remove the transition from sysadm_t to fsadm_t or allow fsadm_t to write to random locations.

I removed the transition.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0314.html
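The triage in this bug turns on reading the AVC record correctly: which source type, which target type, which object class and permission, and whether the subject's MLS range differs from the object's level (a first hint that a constraint rather than a plain type-enforcement rule is involved, as audit2allow reported for the loop-mount case). The following is an added example, not code from the bug report or from the selinux-policy project, that parses the AVC line quoted above into those fields; the sample record is a copy of the one in the bug, the helper names (`parse_avc`, `parse_context`, `parse_range`, `summarize`) are this example's own, and it uses only the standard library, so it runs offline on any saved audit.log line of the same shape.

```python
import re

# Copy of the AVC record quoted in the bug above (constructed as a sample input here).
SAMPLE_AVC = (
    'type=AVC msg=audit(1350042936.073:105): avc: denied { write } for pid=2023 '
    'comm="mkfs.vfat" name="fat2.img" dev=dm-0 ino=134208 '
    'scontext=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 '
    'tcontext=root:object_r:usr_t:s0 tclass=file'
)

# "avc: denied { perm perm } for key=value ..."; permissions sit inside the braces.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:range]; the range is absent on non-MLS systems."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'range': parts[3] if len(parts) == 4 else None,
    }


def parse_range(rng):
    """Return (low, high) sensitivity levels of an MLS range; 's0' means low == high."""
    if rng is None:
        return (None, None)
    low, sep, high = rng.partition('-')
    return (low, high if sep else low)


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
        'tclass': fields.get('tclass'),
    }


def mls_levels_differ(avc):
    """True when the subject's low level and the object's level are not the same.

    This is only a hint: such a denial may still be a plain type-enforcement
    rule (as with fsadm_t writing to usr_t here), so audit2allow output still
    has to be checked for a constraint violation before any policy change.
    """
    s_low, _ = parse_range(avc['scontext']['range'])
    t_low, _ = parse_range(avc['tcontext']['range'])
    return s_low != t_low


def summarize(avc):
    """One-line triage summary: source type -> target type (class): perms result."""
    return '%s -> %s (%s): %s %s' % (
        avc['scontext']['type'],
        avc['tcontext']['type'],
        avc['tclass'],
        ' '.join(avc['perms']),
        avc['result'],
    )


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(summarize(rec))
    print('subject range', rec['scontext']['range'], 'object level', rec['tcontext']['range'])
    print('levels differ:', mls_levels_differ(rec))
```

Running it on the bug's record prints `fsadm_t -> usr_t (file): write denied`, which is exactly the pair Dan Walsh reasoned about: the decision is then between widening what fsadm_t may write and removing the sysadm_t to fsadm_t transition for mkfs, and the fix chose the latter because it grants no new file access to any domain.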