Here is your problem right here: SELinux

Have a good, slow read of this:
http://kerneltrap.org/OpenBSD/SELinux_vs_OpenBSDs_Default_Security

If you still want to use SELinux, well, there's not much I can do to help you.

Cheers,
- Paul

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of David
Sent: Tuesday, May 05, 2009 8:57 AM
To: Community assistance, encouragement, and advice for using Fedora.
Cc: dwalsh@xxxxxxxxxx
Subject: Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

I'm attempting to mount a loop device (a ro file) at boot using fstab. My fstab entry works fine from the command line, but it fails at boot time due to a selinux avc error. I assume this is due to incorrect file context. The file is under a nonstandard top level directory, so I need to specifically assign it the correct file context, which I would do if I could figure out what it ought to be.

Where do I look on the system to discover what is the correct file context required by mount at boot time?
The file and context are:

    $ ls -lZ /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
    -r--r----- root share unconfined_u:object_r:default_t:s0 /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

The fstab line is:

    /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso /mnt/Fedora-09-i386-DVD iso9660 loop,ro,gid=share 0 0

The command line that works is:

    # mount /mnt/Fedora-09-i386-DVD

The boot-time error messages are:

    Mounting local filesystems: /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied [FAILED]
    Mounting other filesystems: /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso: Permission denied [FAILED]

The dmesg error is:

    type=1400 audit(1241535886.437:4): avc: denied { read } for pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 scontext=system_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

My selinux policy is:

    # rpm -qa 'selinux-policy-targeted*'
    selinux-policy-targeted-3.3.1-132.fc9.noarch

My selinux status is:

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 22
    Policy from config file:        targeted

My os is:

    # uname -r
    2.6.25-14.fc9.i686

I have the following boolean unset because I wish to utilise selinux file context to restrict which files can be mounted:

    # getsebool allow_mount_anyfile
    allow_mount_anyfile --> off

Interestingly, I did discover that the following command allows subsequent boot-time mounts to succeed:

    # chcon -t mount_exec_t /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

But I am unsure whether this is the correct solution. Where do I look on the system to discover what is the correct file context required by mount at boot time?
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
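The AVC line David quotes carries everything needed to reason about the denial: the source domain (mount_t, the boot-time mount process), the target type (default_t, the label a file inherits under a non-standard top-level directory that matches no file-context rule), the object class and the permission refused. The following POSIX sh snippet is an added example, not code from the thread or from the SELinux tools; it takes that denial (embedded here as a constructed sample copied from the message) and reduces it to a one-line summary of the form "source_type permission target_type (class)", which is the question an administrator then puts to the policy (for example with audit2why) before relabelling anything. The helper names (avc_field, avc_perms, selinux_type, avc_summary) are mine.

```shell
#!/bin/sh
# Added example: extract the decision-relevant fields from an SELinux AVC
# denial so the source type, target type and class can be checked against
# policy. Needs only sed and cut, so it runs on any POSIX sh.

# Constructed sample: the denial quoted in David's message, reproduced inline.
SAMPLE_AVC='type=1400 audit(1241535886.437:4): avc: denied { read } for pid=1335 comm="mount" name="Fedora-09-i386-DVD.iso" dev=sdb2 ino=1922 scontext=system_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# avc_field LINE KEY -> value of the key=value pair (surrounding quotes
# stripped); prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# selinux_type CONTEXT -> the type field of a user:role:type:level context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type PERMS target_type (class)", the tuple a
# policy query (or a file-context fix) has to resolve.
avc_summary() {
    line=$1
    src=$(selinux_type "$(avc_field "$line" scontext)")
    tgt=$(selinux_type "$(avc_field "$line" tcontext)")
    printf '%s %s %s (%s)\n' "$src" "$(avc_perms "$line")" "$tgt" "$(avc_field "$line" tclass)"
}

# Prints: mount_t read default_t (file)
avc_summary "$SAMPLE_AVC"
```

Reading the summary, the fix is to give the file a type that mount_t is allowed to read rather than to let mount read anything (which is what flipping allow_mount_anyfile would do); a persistent label belongs in a semanage fcontext rule followed by restorecon, since a bare chcon is lost on the next relabel.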