From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 7 Sep 2011 21:23:22 +0200
Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
In-Reply-To: <4E666844.2040501@tresys.com>
References: <20110904122113.GA11786@siphos.be> <4E666844.2040501@tresys.com>
Message-ID: <20110907192321.GA11855@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
> On 09/04/11 08:21, Sven Vermeulen wrote:
> > In order for mount to work with all file locations, it needs
> > relabelfrom privileges as well (next to the relabelto ones).
> >
> > The same patch is also already present in fedora's repository.
>
> I don't understand this, can you explain further? This rule is for
> context mounts, in which it would be relabeling from any filesystem
> type to a file type. When would it relabel from a file type?

It is indeed with a context mount that we encountered the issue (see
https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)

It can be easily reproduced even on non-NFS:

build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
mount: block device tmpfs is write-protected, mounting read-only
mount: cannot mount block device tmpfs read-only

build log # cat avc.log
Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem

With the relabelfrom privilege the mount works as expected.

Wkr,
Sven Vermeulen
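Added example, not part of the mail above or of refpolicy: a small Python parser that turns AVC denial lines such as the two quoted in the mail into the allow rule they correspond to, the way audit2allow does, so the denied class and permission can be read off directly (here: class `filesystem`, permission `relabelfrom`, source type `mount_t`, target type `portage_ebuild_t`). The sample log is the two lines from the mail embedded as constructed input; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denial lines quoted in the mail,
# embedded here so the example runs offline.
SAMPLE_AVC_LOG = """\
Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="mount") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def context_type(ctx):
    """The type is the third component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def denials_to_rules(log_text):
    """Aggregate denials into (source type, target type, class) -> set of permissions.

    Repeated denials for the same triple (as in the sample, where mount is
    denied twice) collapse into one entry.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc_line(line)
        if d is None or not (d["scontext"] and d["tcontext"] and d["tclass"]):
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules[key] |= d["perms"]
    return dict(rules)


def format_rules(rules):
    """Render aggregated denials as policy-language allow rules, sorted for stable output."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return lines


if __name__ == "__main__":
    for rule in format_rules(denials_to_rules(SAMPLE_AVC_LOG)):
        print(rule)
```

On the sample log this yields `allow mount_t portage_ebuild_t:filesystem relabelfrom;`. A raw rule like this is what one checks against the existing refpolicy interfaces before deciding how to grant it; in the thread above the point under discussion is exactly whether the relabelfrom on the filesystem class for a file type belongs in the mount module.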