Description of problem:
Root (or any other user) can't mount any file via a loop device with the enforcing MLS policy enabled

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-93.el6

How reproducible:
always

Steps to Reproduce:
1. create image file
# dd if=/dev/zero of=/opt/fat.img bs=1024 count=1024
2. make filesystem
# mkfs -t vfat /opt/fat.img
3. set SELinux boolean to allow mounting any file
# setsebool allow_mount_anyfile 1
4. change SELinux to enforcing mode
# setenforce 1
5. try to mount filesystem
# mount -t vfat -o loop /opt/fat.img /mnt

Actual results:
mount: /dev/loop0: unable to read superblock

Expected results:
successful mount to /mnt directory

Additional info:
1. audit2allow produces a constraint rule:

require {
	type kernel_t;
	type mount_t;
	class fd use;
}

#============= kernel_t ==============
# src="kernel_t" tgt="mount_t" class="fd", perms="use"
# comm="loop0" exe="" path=""
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Constraint rule:
allow kernel_t mount_t:fd use;

2. audit.log shows the AVC message:
type=AVC msg=audit(1346248387.953:27019): avc: denied { use } for pid=2431 comm="loop0" path="/opt/fat.img" dev=dm-0 ino=19584 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=root:sysadm_r:mount_t:s0-s15:c0.c1023 tclass=fd
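The following script is an added example and not part of the bug report or of selinux-policy. It packages the five reproduction steps above into one function (which needs root on an MLS-enforcing box and is not run here) and adds a small offline parser for the AVC record quoted in the description. The parser is a deliberate simplification of the MLS fd-use constraint: it only tests the first disjunct (source level equal to the target's low level) and, when that fails, checks that the source sensitivity dominates the target's low sensitivity, ignoring categories; the interface it suggests is the one from comment 4 (mls_fd_use_all_levels). Function names, the AVC_SAMPLE variable and the "same-level"/"cross-level" verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the loop mount under an
# MLS policy and explain why the resulting fd-use AVC is an MLS constraint
# violation that setsebool cannot fix.

IMG=/opt/fat.img   # path taken from the report

# Steps 1-5 of the report; if the mount fails, show the AVC that followed.
# Needs root on an MLS-enforcing system; never called by the offline checks.
reproduce_loop_mount() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024
    mkfs -t vfat "$IMG"
    setsebool allow_mount_anyfile 1
    setenforce 1
    mount -t vfat -o loop "$IMG" /mnt || ausearch -m avc -c loop0 -ts recent
}

# Constructed sample: the AVC record quoted in the description, on one line.
AVC_SAMPLE='type=AVC msg=audit(1346248387.953:27019): avc: denied { use } for pid=2431 comm="loop0" path="/opt/fat.img" dev=dm-0 ino=19584 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=root:sysadm_r:mount_t:s0-s15:c0.c1023 tclass=fd'

# avc_field RECORD KEY -> value of "KEY=value" in the record (unquoted values).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type, i.e. the third colon-separated field.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# ctx_level CONTEXT -> everything after user:role:type: the MLS level or range.
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# range_low RANGE -> the low level of "low-high", or the level itself.
range_low() { printf '%s\n' "${1%%-*}"; }

# sensitivity LEVEL -> the numeric part of sN (categories stripped).
sensitivity() { lvl=${1%%:*}; printf '%s\n' "${lvl#s}"; }

# fd_use_verdict RECORD -> one line saying whether the fd-use denial is a
# plain access-vector miss or crosses MLS levels (simplified: first disjunct
# of the fd-use constraint, then sensitivity dominance without categories).
fd_use_verdict() {
    rec=$1
    [ "$(avc_field "$rec" tclass)" = fd ] || { echo "not-fd"; return 0; }
    src=$(avc_field "$rec" scontext)
    tgt=$(avc_field "$rec" tcontext)
    slevel=$(ctx_level "$src")
    tlow=$(range_low "$(ctx_level "$tgt")")
    if [ "$slevel" = "$tlow" ]; then
        echo "same-level: an ordinary allow rule is enough"
    elif [ "$(sensitivity "$slevel")" -ge "$(sensitivity "$tlow")" ]; then
        echo "cross-level: mls_fd_use_all_levels($(ctx_type "$src"))"
    else
        echo "cross-level: source does not dominate target low level"
    fi
}

fd_use_verdict "$AVC_SAMPLE"
```

Run it against the real thing with `ausearch -m avc -c loop0 --raw | while read -r line; do fd_use_verdict "$line"; done`. For the sample record the source level is s15:c0.c1023 and the target's low level is s0, so the verdict is "cross-level: mls_fd_use_all_levels(kernel_t)": the denial is not something allow_mount_anyfile or allow_domain_fd_use can change, because the MLS constraint is evaluated after the access vector.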
The same situation is happening in RHEL 6.3 with selinux-policy-mls-3.7.19-155.el6
Still the same even if the following commands were executed before mount:
setsebool allow_mount_anyfile 1
setsebool allow_domain_fd_use 1
audit2allow says that the AVC is a constraint violation.
It should work with mls_fd_use_all_levels(kernel_t)
Yes, it works now. Thanks.
Fixed.
Under MLS I am unable to make a filesystem in the file:

# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# mkfs -t vfat /opt/fat2.img
mkfs.vfat 3.0.9 (31 Jan 2010)
mkfs.vfat: unable to open /opt/fat2.img

selinux-policy-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch
util-linux-ng-2.17.2-12.7.el6.x86_64

----
time->Fri Oct 12 13:55:36 2012
type=PATH msg=audit(1350042936.073:105): item=0 name="/opt/fat2.img" inode=134208 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:usr_t:s0
type=CWD msg=audit(1350042936.073:105): cwd="/root"
type=SYSCALL msg=audit(1350042936.073:105): arch=c000003e syscall=2 success=no exit=-13 a0=7fff05b1d7bf a1=82 a2=7f86b9cc7ed8 a3=7fff05b1b1d0 items=1 ppid=2005 pid=2023 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="mkfs.vfat" exe="/sbin/mkdosfs" subj=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1350042936.073:105): avc: denied { write } for pid=2023 comm="mkfs.vfat" name="fat2.img" dev=dm-0 ino=134208 scontext=root:sysadm_r:fsadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file
Well, fsadm_t, which mkfs.vfat runs as, is not allowed to create images in random directories. I guess we can either remove the transition from sysadm_t to fsadm_t or allow fsadm_t to write to random locations.
I removed the transition.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html