Bug 446834 - selinux prevents mounting dirs under /var/www and /var/spool/squid at boot
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-05-16 07:46 EDT by Kostas Georgiou
Modified: 2008-05-17 07:28 EDT (History)
Last Closed: 2008-05-16 14:47:57 EDT
Description Kostas Georgiou 2008-05-16 07:46:54 EDT
At boot I am getting the following avc (and a similar one for /var/spool/squid):

kernel: type=1400 audit(1210937291.191:13): avc:  denied  { mounton } for
pid=1464 comm="mount" path="/var/www/svn" dev=dm-3 ino=81988
scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir

I would expect the mount_t domain to be able to mount everything in the system,
a bug in the policy?
Comment 1 Kostas Georgiou 2008-05-16 07:51:47 EDT
After a discussion on IRC it seems that the allow_mount_anyfile boolean is the
solution here. Working on the assumption that it only allows mount_t to mount
everything.

If nobody adds to the bug I'll close it in a couple of days.
Comment 2 Daniel Walsh 2008-05-16 14:47:57 EDT
You can use audit2why or audit2allow -w to try to figure this out.

 grep mounton /var/log/audit/audit.log | audit2why 
kernel: type=1400 audit(1210937291.191:13): avc:  denied  { mounton } for
pid=1464 comm="mount" path="/var/www/svn" dev=dm-3 ino=81988
scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir 

	Was caused by:
	The boolean allow_mount_anyfile was set incorrectly. 
	Description:
	Allow the mount command to mount any directory or file.

	Allow access by executing:
	# setsebool -P allow_mount_anyfile 1


setroubleshoot should have told you something similar.

# setsebool -P allow_mount_anyfile 1

Will fix your problem.
Comment 3 Kostas Georgiou 2008-05-17 07:28:56 EDT
I've chosen to use a module here since I was told that allow_mount_anyfile also
gives read access for every file to mount_t; I am probably being paranoid, I know.

Note that the AVC messages appear in /var/log/messages since they are generated
early in boot before auditd has started and so people might miss them.
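The module route the reporter chose in comment 3, and the boolean route from comment 2, as an added example (not code from the bug report or from Fedora's policy sources). It takes AVC denials in the format quoted above and prints the minimal local policy module source (.te) that grants exactly the denied access, which is what `audit2allow -M` does on a real host; the conversion is redone here in awk so the result can be inspected on any machine. The sample input is constructed: the first line is the denial from the bug with its wrapped lines joined, the second is an assumed denial for /var/spool/squid whose target type squid_cache_t is an assumption, and the module name local_mount is chosen here.

```shell
#!/bin/sh
# Added example: turn AVC "denied" lines into a minimal local policy module
# source (.te) that allows only the specific access that was denied, instead
# of flipping allow_mount_anyfile, which the thread notes is broader than
# "let mount_t mount anywhere".

# Constructed sample input. Line 1 is the denial quoted in the bug (joined
# onto one line); line 2 is an assumed denial for /var/spool/squid, and the
# type squid_cache_t is an assumption, not something the bug shows.
SAMPLE_AVC='type=1400 audit(1210937291.191:13): avc:  denied  { mounton } for pid=1464 comm="mount" path="/var/www/svn" dev=dm-3 ino=81988 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir
type=1400 audit(1210937291.192:14): avc:  denied  { mounton } for pid=1465 comm="mount" path="/var/spool/squid" dev=dm-4 ino=12345 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir'

# avc_to_te MODULE_NAME: read AVC lines on stdin, print a .te module source.
# Each (source type, target type, class) triple becomes one allow rule with
# the union of the denied permissions; the require block lists every type
# and every class/permission the rules reference. Duplicate denials collapse.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        # scontext/tcontext are user:role:type:level; the type is field 3
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        src = s[3]; tgt = t[3]
        if (!(src in seen_type)) { seen_type[src] = 1; type_list[++nt] = src }
        if (!(tgt in seen_type)) { seen_type[tgt] = 1; type_list[++nt] = tgt }
        if (!(cls in seen_cls)) { seen_cls[cls] = 1; cls_list[++nc] = cls }
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in seen_rule)) { seen_rule[key] = 1; rule_list[++nr] = key }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++) {
            if (!((cls, p[i]) in cls_perm)) { cls_perm[cls, p[i]] = 1; cls_perms[cls] = cls_perms[cls] " " p[i] }
            if (!((key, p[i]) in rule_perm)) { rule_perm[key, p[i]] = 1; rule_perms[key] = rule_perms[key] " " p[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", type_list[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", cls_list[i], cls_perms[cls_list[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) {
            split(rule_list[i], k, SUBSEP)
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rule_perms[rule_list[i]]
        }
    }'
}

# count_allow_rules: number of allow rules in a .te read on stdin.
count_allow_rules() { grep -c '^allow '; }

printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_mount

# On the SELinux host itself the same module is built and installed with:
#   grep mounton /var/log/audit/audit.log /var/log/messages | audit2allow -M local_mount
#   semodule -i local_mount.pp
# (the denials land in /var/log/messages when they happen before auditd starts,
# so both logs are searched). The boolean alternative from comment 2 is:
#   setsebool -P allow_mount_anyfile 1
```

The generated module grants mount_t the single `mounton` permission on the two directory types and nothing else, which is the narrowest rule that clears the boot-time denial; the boolean instead changes what mount_t may touch across the whole system, so the module is the better fit when the set of mount points is known and fixed.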
