From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 26 Dec 2011 12:05:13 +0100
Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
In-Reply-To: <4E68F77C.4030109@tresys.com>
References: <20110904122113.GA11786@siphos.be> <4E666844.2040501@tresys.com> <20110907192321.GA11855@siphos.be> <4E68F77C.4030109@tresys.com>
Message-ID: <20111226110513.GA29779@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Sep 08, 2011 at 01:12:28PM -0400, Christopher J. PeBenito wrote:
> > It is indeed with a context mount that we encountered the issue (see
> > https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
> >
> > It can be easily reproduced even on non-NFS:
> >
> > build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> > mount: block device tmpfs is write-protected, mounting read-only
> > mount: cannot mount block device tmpfs read-only
> >
> > build log # cat avc.log
> > Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400
> > audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736
> > comm="mount" scontext=root:sysadm_r:mount_t
> > tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> > Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400
> > audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736
> > comm="mount" scontext=root:sysadm_r:mount_t
> > tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> >
> > With the relabelfrom privilege the mount works as expected.
>
> This looks like a bug. I'd expect the relabelfrom tcontext to be tmpfs_t.
> I've asked Eric Paris to look into this.

Any feedback on this?

Wkr,
	Sven Vermeulen
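The thread turns on reading the two AVC records correctly: the denied permission is relabelfrom on class filesystem, the source type is mount_t, and the target type is the requested label portage_ebuild_t rather than the filesystem's own type. The following Python is an added example for triaging such records, not code from the thread or from refpolicy. It parses AVC lines (the two quoted above, rejoined onto single lines, plus one constructed "granted" line to show non-denials are skipped), collapses repeated denials into source/target/class tuples, renders the minimal allow rule in the style audit2allow prints, and flags filesystem relabelfrom denials whose target type is not the mounted filesystem type (tmpfs_t here), which is exactly the oddity PeBenito points at. Function names and the constructed third log line are assumptions of this example.

```python
"""Parse SELinux AVC records and summarise what a denial actually asked for.

Added example; the sample log is constructed from the two records quoted in
the thread plus one made-up "granted" record to exercise filtering.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:23:00 build kernel: [ 3857.000000] type=1400 audit(1315423380.000:108): avc: granted { mount } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    decision: str
    perms: Tuple[str, ...]
    pid: int
    comm: str
    scontext: str
    tcontext: str
    tclass: str

    @staticmethod
    def type_of(context: str) -> str:
        # user:role:type[:range]  ->  the type is always the third field
        return context.split(":")[2]

    @property
    def stype(self) -> str:
        return self.type_of(self.scontext)

    @property
    def ttype(self) -> str:
        return self.type_of(self.tcontext)


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return AvcRecord(
            decision=m.group("decision"),
            perms=tuple(m.group("perms").split()),
            pid=int(fields["pid"]),
            comm=fields.get("comm", ""),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        )
    except (KeyError, ValueError):
        return None


def parse_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def denials_by_rule(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Collapse repeated denials into (source type, target type, class) -> permissions."""
    out: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        if r.decision != "denied":
            continue
        out.setdefault((r.stype, r.ttype, r.tclass), set()).update(r.perms)
    return out


def suggest_allow_rules(records: List[AvcRecord]) -> List[str]:
    """Render the minimal allow rules, in the form audit2allow prints them."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials_by_rule(records).items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def relabelfrom_mismatches(records: List[AvcRecord], fs_type: str) -> List[AvcRecord]:
    """Filesystem relabelfrom denials whose target is not the filesystem's own type.

    For a context= mount one would expect relabelfrom to be checked against the
    filesystem type (tmpfs_t for tmpfs); a target equal to the requested label
    instead is the behaviour questioned in the thread.
    """
    return [
        r for r in records
        if r.decision == "denied" and r.tclass == "filesystem"
        and "relabelfrom" in r.perms and r.ttype != fs_type
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in suggest_allow_rules(recs):
        print(rule)
    for r in relabelfrom_mismatches(recs, "tmpfs_t"):
        print(f"relabelfrom target {r.ttype} != filesystem type tmpfs_t (pid {r.pid}, {r.comm})")
```

Run it against a real `ausearch -m avc` dump to get the same summary; the mismatch check is the part to keep, since an allow rule written straight from the denial would grant mount_t relabelfrom on every label a user passes via context=, which is far broader than relabelfrom on tmpfs_t.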