Bug 121137 - can't mount filesystems within other non-root filesystems
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
rawhide
i386 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2004-04-17 17:03 EDT by Alexandre Oliva
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2004-05-10 12:41:37 EDT

Description Alexandre Oliva 2004-04-17 17:03:51 EDT
Description of problem:
I have a filesystem on a logical volume mounted in /l, and another
logical volume I want to mount in /l/mm.  Although mount points and
the devices are labeled identically, in enforcing mode the first mount
is allowed, but the second is denied.

Here are the details:

# grep /l /etc/fstab
/dev/all/l              /l                      ext3    noatime      1 2
/dev/all/mm             /l/mm                   ext3    noatime      1 2

# ls -lZd /l
drwxr-xr-x+ root     root     system_u:object_r:file_t         /l
# ls -lZd /dev/all/l
lrwxrwxrwx+ root     root     system_u:object_r:device_t       /dev/all/l -> /dev/mapper/all-l
# ls -lZd /dev/mapper/all-l
brw-------+ root     root     system_u:object_r:fixed_disk_device_t /dev/mapper/all-l
# mount /l
# ls -lZd /l
drwxr-xr-x+ root     root     system_u:object_r:nfs_t          /l
# ls -lZd /l/mm
drwxr-xr-x+ root     root     system_u:object_r:file_t         /l/mm
# ls -lZd /dev/all/mm
lrwxrwxrwx+ root     root     system_u:object_r:device_t       /dev/all/mm -> /dev/mapper/all-mm
# ls -lZd /dev/mapper/all-mm
brw-------+ root     root     system_u:object_r:fixed_disk_device_t /dev/mapper/all-mm
# mount /l/mm
mount: block device /dev/all/mm is write-protected, mounting read-only
mount: cannot mount block device /dev/all/mm read-only
# setfilecon system_u:object_r:mnt_t /l
# mount /l/mm

Now, why is it that it refuses to let me mount (or umount!) something
just because a containing directory is nfs_t?
avc:  denied  { search } for  pid=3168 exe=/bin/mount dev=dm-1 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:nfs_t tclass=dir

avc:  denied  { search } for  pid=3307 exe=/bin/umount dev=dm-0 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:nfs_t tclass=dir

Shouldn't this be permitted?  Otherwise, automounting nested
directories just can't possibly work.

Version-Release number of selected component (if applicable):
policy-1.11.2-9
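To make explicit what the two AVC denials in the report are asking of the policy, here is an added Python example (not from the bug, the reporter, or the Fedora policy package) that parses kernel AVC denial lines and aggregates them into the allow rule they imply, the way audit2allow does. It assumes the AVC message format quoted above; the sample lines are the report's own two denials, re-typed as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the bug description,
# one per line (the report shows them wrapped across two lines each).
AVC_LINES = """\
avc:  denied  { search } for  pid=3168 exe=/bin/mount dev=dm-1 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:nfs_t tclass=dir
avc:  denied  { search } for  pid=3307 exe=/bin/umount dev=dm-0 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:nfs_t tclass=dir
"""

# "avc:  denied  { perm1 perm2 } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_avc(line):
    """Parse one AVC denial line into its key=value fields plus a 'perms' set.

    Returns None for lines that are not AVC denials, so the parser can be
    run over a mixed dmesg or audit.log stream.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["perms"] = set(m.group("perms").split())
    return fields


def type_of(context):
    """Extract the type component from a user:role:type[:level] context."""
    return context.split(":")[2]


def derive_allow_rules(text):
    """Group denials by (source type, target type, object class) and merge the
    denied permissions, then render each group as a policy allow rule."""
    needed = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        needed[key] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    for rule in derive_allow_rules(AVC_LINES):
        print(rule)  # allow mount_t nfs_t:dir { search };
```

A rule derived this way documents what the denial asked for, not whether granting it is the right fix; here the policy maintainer chose to resolve it in the policy package rather than with a local module.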
Comment 1 Daniel Walsh 2004-04-19 21:08:12 EDT
Fixed in policy 1.11.2-11
Comment 2 Alexandre Oliva 2004-05-10 12:41:37 EDT
Confirmed, thanks.  Sorry that it took so long.
