Bug 216920 - Denials with mock
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Keywords: Reopened
Reported: 2006-11-22 12:57 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)

Last Closed: 2007-01-11 17:05:34 EST
Description Orion Poplawski 2006-11-22 12:57:30 EST
Description of problem:

Dan - really just reporting this out of completeness' sake.  mock and similar
chroot environs I'm sure are a pain.

Nov 22 10:19:23 hammer kernel: audit(1164215963.534:131): avc:  denied  { read write } for  pid=20566 comm="mount" name="root.log" dev=dm-2 ino=25925346 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Nov 22 10:28:50 hammer kernel: audit(1164216530.202:132): avc:  denied  { read write } for  pid=2280 comm="umount" name="root.log" dev=dm-2 ino=25925346 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

root.log is in /var/lib/mock/fedora-<rel>-<arch>-core/result/root.log

Version-Release number of selected component (if applicable):
selinux-policy-2.4.3-2.fc6

I've just created a local policy to handle it.
Comment 1 Daniel Walsh 2006-11-27 14:12:24 EST
setsebool -P allow_mount_allfile=1
setsebool -P allow_mount_alldir=1

Should allow this behaviour.
Comment 2 Orion Poplawski 2006-11-30 17:56:44 EST
Tried:

setsebool allow_mount_anyfile=1
setsebool allow_mounton_anydir=1

but no effect.

This isn't mount trying to mount a file on a directory, this is the output of
mount going to a log file. 
Comment 3 Daniel Walsh 2006-12-01 11:25:02 EST
What avc's are you seeing?
Comment 4 Orion Poplawski 2006-12-01 11:30:01 EST
(In reply to comment #3)
> What avc's are you seeing?

Still the same as the initial report.
Comment 5 Daniel Walsh 2006-12-01 13:19:24 EST
try

mount | cat >  root.log
Comment 6 Orion Poplawski 2006-12-22 11:51:11 EST
Doesn't generate an avc when run from the command line.  I'm at a loss.
Comment 7 Daniel Walsh 2007-01-11 17:05:34 EST
Mount only transitions from init scripts not when run from unconfined_t.  So
that is why you are seeing this.  This either needs to be handled by local
policy or via that cat trick above.
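The "local policy" route that the reporter took and that comment 7 endorses amounts to reading the two AVC records, working out which source type was denied which permissions on which target type and class, and writing a minimal allow rule for exactly that. The following is an added example (not code from the bug, from the reporter, or from the selinux-policy package) that parses AVC records of the form quoted in this bug and derives that rule the way audit2allow(1) does. The sample log is the two records from the description re-joined onto single lines; the function names, the module name mock_mount_log, and the generated .te text are this example's own assumptions, not anything shipped by Fedora.

```python
import re
from collections import OrderedDict

# Constructed sample input: the two AVC records quoted in this bug, one per line.
SAMPLE_LOG = """\
Nov 22 10:19:23 hammer kernel: audit(1164215963.534:131): avc:  denied  { read write } for  pid=20566 comm="mount" name="root.log" dev=dm-2 ino=25925346 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Nov 22 10:28:50 hammer kernel: audit(1164216530.202:132): avc:  denied  { read write } for  pid=2280 comm="umount" name="root.log" dev=dm-2 ino=25925346 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'result': m.group('result'), 'perms': sorted(m.group('perms').split())}
    rec.update(fields)
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec['stype'] = fields['scontext'].split(':')[2]
    rec['ttype'] = fields['tcontext'].split(':')[2]
    return rec


def denials(log_text):
    """All 'denied' records in a block of kernel/audit log text."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r['result'] == 'denied']


def allow_rules(records):
    """Aggregate denials by (source type, target type, class) into allow rules.
    This mirrors what audit2allow derives from the same input."""
    agg = OrderedDict()
    for r in records:
        agg.setdefault((r['stype'], r['ttype'], r['tclass']), set()).update(r['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in agg.items()]


def policy_module(name, records):
    """Render a complete, loadable .te source for a local policy module
    (hypothetical module name supplied by the caller)."""
    types = sorted({r['stype'] for r in records} | {r['ttype'] for r in records})
    classes = {}
    for r in records:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['    type %s;' % t for t in types]
    lines += ['    class %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ['}', ''] + allow_rules(records)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    recs = denials(SAMPLE_LOG)
    for r in recs:
        print('%s (pid %s): %s -> %s:%s %s' % (r['comm'], r['pid'], r['stype'],
                                               r['ttype'], r['tclass'], r['perms']))
    print(policy_module('mock_mount_log', recs))
```

Running it reduces both records to the single rule allow mount_t var_lib_t:file { read write };, which also makes clear why the mount booleans tried in comment 2 did nothing: they govern what mount_t may mount on, not whether it may write to a var_lib_t file. Note that the derived rule is broader than the one root.log in /var/lib/mock, since var_lib_t labels most of /var/lib; a reviewer would weigh that against relabeling the mock result directory or the cat redirection from comment 5 before loading the module.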
