From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 08 Sep 2011 13:12:28 -0400
Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
In-Reply-To: <20110907192321.GA11855@siphos.be>
References: <20110904122113.GA11786@siphos.be> <4E666844.2040501@tresys.com> <20110907192321.GA11855@siphos.be>
Message-ID: <4E68F77C.4030109@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 9/7/2011 3:23 PM, Sven Vermeulen wrote:
> On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
>> On 09/04/11 08:21, Sven Vermeulen wrote:
>>> In order for mount to work with all file locations, it needs
>>> relabelfrom privileges as well (next to the relabelto ones).
>>>
>>> The same patch is also already present in fedora's repository.
>>
>> I don't understand this, can you explain further? This rule is for
>> context mounts, in which it would be relabeling from any filesystem
>> type to a file type. When would it relabel from a file type?
>
> It is indeed with a context mount that we encountered the issue (see
> https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
>
> It can be easily reproduced even on non-NFS:
>
> build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> mount: block device tmpfs is write-protected, mounting read-only
> mount: cannot mount block device tmpfs read-only
>
> build log # cat avc.log
> Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400
> audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400
> audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
>
> With the relabelfrom privilege the mount works as expected.

This looks like a bug. I'd expect the relabelfrom tcontext to be tmpfs_t.
I've asked Eric Paris to look into this.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
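As an added triage example (not part of this thread or of refpolicy): a Python script that parses the AVC records Sven quoted, groups them by source type, target type, object class and permission, prints the allow rule audit2allow would propose, and flags the pattern discussed here, mount_t denied relabelfrom on a filesystem object that carries a file type such as portage_ebuild_t rather than a filesystem type. The fs_types set is an assumption for illustration, not something from the thread.

```python
import re
from collections import Counter

# Constructed sample: the two denials quoted above, each rejoined onto one line.
AVC_LOG = """\
Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
"""

# avc: denied { perm ... } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """One AVC record as a dict (perms as a list), or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}

def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]

def summarize(log):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts

def allow_rules(counts):
    """What audit2allow would propose: one allow rule per distinct key."""
    return sorted(f"allow {s} {t}:{c} {p};" for s, t, c, p in counts)

def context_mount_anomalies(counts, fs_types=frozenset({"tmpfs_t", "nfs_t"})):
    """Keys where mount_t is denied relabelfrom on a filesystem object labelled with
    a non-filesystem type (the shape the reply calls a bug). fs_types is assumed."""
    return [k for k in counts if k[0] == "mount_t" and k[2] == "filesystem"
            and k[3] == "relabelfrom" and k[1] not in fs_types]

if __name__ == "__main__":
    counts = summarize(AVC_LOG)
    print("\n".join(allow_rules(counts)))
    print("suspect context-mount denials:", context_mount_anomalies(counts))
```

The flagged key is the one to investigate before adding the proposed allow rule, since the rule would paper over the label the kernel reported rather than the one a context mount should check.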