On Tue, 2006-03-28 at 12:51 -0600, Ian Pilcher wrote:
> A little background -- I have my music collection stored on 5 reiserfs
> filesystems, on top of five separate software RAID devices (md4-md8). I
> use httpd to make them available on my *home* network (and if the RIAA
> has a problem with that they can kiss my lily-white...sorry). I
> generally mount them as /var/www/html/music/music{0,1,2,3,4}.
>
> Today I rebooted my system (Fedora Core 5, fully updated) and got some
> bizarre warnings about being unable to mount a block device read-only.
> Sure enough...
>
> audit(1143570731.388:11): avc: denied { mounton } for pid=1703
> comm="mount" name="music0" dev=md1 ino=131232
> scontext=system_u:system_r:mount_t:s0
> tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir
>
> Hmm, looks like a special context is now needed for mount points. I can
> see why that might be a good idea, so...
>
> chcon system_u:system_r:mount_t /var/www/html/music/*
> chcon: failed to change context of /var/www/html/music/music0 to
> system_u:system_r:mount_t: Permission denied
>
> type=AVC msg=audit(1143571740.714:59): avc: denied { relabelto } for
> pid=3036 comm="chcon" name="music0" dev=md1 ino=131232
> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=system_u:system_r:mount_t:s0 tclass=dir
>
> This is either a learning opportunity for me, or a serious problem. I
> can't wait to find out which.
mount_t is a domain - a type for a process running the mount program.
Not a file type to assign to mount point directories. Not sure what
type to recommend for what you describe - Dan? Likely need a generic
mnt_t or similar with the mountpoint attribute?
--
Stephen Smalley
National Security Agency
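The two AVC records in the thread show the point Stephen makes: the source context carries a process domain (mount_t, unconfined_t) and the target context carries a file type, and chcon was refused because it was asked to put a process domain onto a directory. The script below, an added example and not part of the thread or of any SELinux tool, parses both records (the bare kernel-log shape and the `type=AVC msg=audit(...)` shape), splits each security context into user/role/type/MLS, and triages the denial. The set of domain types it consults is constructed for illustration (mount_t is a domain per the reply above; the others are assumptions), since deciding that from a real policy would need the policy itself.

```python
import re

# Constructed sample input: the two AVC records quoted in the thread, in the
# two shapes they appear there (bare kernel-log form and audit-log form).
SAMPLE_AVCS = [
    'audit(1143570731.388:11): avc: denied { mounton } for pid=1703 '
    'comm="mount" name="music0" dev=md1 ino=131232 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=root:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1143571740.714:59): avc: denied { relabelto } for '
    'pid=3036 comm="chcon" name="music0" dev=md1 ino=131232 '
    'scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:mount_t:s0 tclass=dir',
]

# Assumed knowledge for triage: types that are process domains in the policy
# under discussion. mount_t is stated in the thread; the rest are assumptions.
DOMAIN_TYPES = {"mount_t", "unconfined_t", "httpd_t"}

AVC_RE = re.compile(
    r"audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<result>denied|granted)\s*\{(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:mls]; the MLS range itself may contain ':'."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) > 3 else ""}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "time": float(m.group("time")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["pid"] = int(rec["pid"])
    rec["scontext"] = split_context(rec["scontext"])
    rec["tcontext"] = split_context(rec["tcontext"])
    return rec


def triage(rec, domain_types=DOMAIN_TYPES):
    """One-line explanation of a denial, using the domain-vs-file-type rule."""
    src = rec["scontext"]["type"]
    tgt = rec["tcontext"]["type"]
    perms = set(rec["perms"])
    if "relabelto" in perms and tgt in domain_types:
        # The requested label is a process domain: the relabel is wrong by
        # construction, regardless of which user asked for it.
        return (f"{rec['comm']} asked to relabel {rec['name']} to {tgt}, which is "
                f"a process domain, not a file type; choose a file type instead")
    if "mounton" in perms and rec.get("tclass") == "dir":
        # The directory's current type is what mount_t was refused on.
        return (f"{src} may not mount on a directory labelled {tgt}; "
                f"the mount point needs a type the mount domain may mount on")
    return f"{src} denied {' '.join(sorted(perms))} on {rec.get('tclass')} labelled {tgt}"


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        rec = parse_avc(line)
        print(f"{rec['serial']:>4} {rec['comm']:<8} {' '.join(rec['perms']):<10} -> {triage(rec)}")
```

Run it directly to see both records triaged; feed it lines from `/var/log/audit/audit.log` or `dmesg` and it will parse either shape, while the triage rule only fires once you give it the domain types of the policy you are actually running.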