selinux problem on Fedora 5 Test 2
moonhyunjin
2006-01-20, 07:17 PM CST
Hi.
I am facing a SELinux problem on Fedora 5 Test 2.
I have two data partitions, formatted vfat and ext3. They are configured in /etc/fstab:
/dev/hda6 /home/vfat vfat defaults,iocharset=utf8,uid=500 0 0
/dev/hda7 /home/ext3 ext3 defaults 0 0
but at boot time they didn't mount. I found a clue in /var/log/messages:
Jan 21 09:16:48 pretty kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jan 21 09:16:48 pretty kernel: audit(1137852973.656:4): avc: denied { mounton } for pid=1321 comm="mount" name="vfat" dev=hda3 ino=717492 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Jan 21 09:16:48 pretty kernel: audit(1137852973.656:5): avc: denied { mounton } for pid=1321 comm="mount" name="vfat" dev=hda3 ino=717492 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Jan 21 09:16:48 pretty kernel: audit(1137852973.660:6): avc: denied { mounton } for pid=1321 comm="mount" name="ext3" dev=hda3 ino=717868 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Jan 21 09:16:48 pretty kernel: audit(1137852973.660:7): avc: denied { mounton } for pid=1321 comm="mount" name="ext3" dev=hda3 ino=717868 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
hda3 is the root partition of FC5T2.
But the marvel is that the two data partitions could be mounted manually after boot had finished:
# mount /dev/hda6
# mount /dev/hda7
How can I mount them at boot time?
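The denials above are the whole story: the source domain is mount_t (the confined domain mount transitions into when the init scripts run it at boot), the target is the mount point directory, labelled user_home_dir_t because it lives directly under /home, and no rule allows mount_t the mounton permission on that type. The most likely reason the same mount works by hand afterwards is that a root shell on the targeted policy runs unconfined, so mount never enters mount_t there. The script below is an added example, not code from the thread: it parses the posted AVC lines (embedded as a constructed sample) into the fields an allow rule is keyed on, and for mounton denials against a home directory type it prints the chcon that relabels the mount point to mnt_t, the type the targeted policy assigns to /mnt and /media and that mount_t may mount on. The base directory (/home) and the mnt_t type are assumptions to be checked against the installed policy; a plain chcon is also undone by a full relabel, so either record it with semanage fcontext (if that tool is available on the release) or put the mount points under /media or /mnt in the first place.

```shell
#!/bin/sh
# Added example (not from the thread): pull the fields out of the AVC denials
# moonhyunjin posted and derive the relabel that lets the confined mount_t
# domain mount on those directories.
#
# SAMPLE_LOG is constructed from the denials quoted in the post (the log
# repeats each one; the summary collapses duplicates).
SAMPLE_LOG='Jan 21 09:16:48 pretty kernel: audit(1137852973.656:4): avc: denied { mounton } for pid=1321 comm="mount" name="vfat" dev=hda3 ino=717492 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Jan 21 09:16:48 pretty kernel: audit(1137852973.656:5): avc: denied { mounton } for pid=1321 comm="mount" name="vfat" dev=hda3 ino=717492 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Jan 21 09:16:48 pretty kernel: audit(1137852973.660:6): avc: denied { mounton } for pid=1321 comm="mount" name="ext3" dev=hda3 ino=717868 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir'

# avc_summary LOGTEXT
# Prints one line per distinct denial:
#   "<perm> <source type> <target type> <class> <name>"
# Only the type field of each context is kept: user and role are not what
# a type-enforcement allow rule is keyed on.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*avc: *denied *{ *\([a-z_]*\) *}.*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \3 \4 \5 \2/p' \
        | sort -u
}

# suggest_fix SUMMARY BASEDIR
# For each "mounton" denial on a directory of a user home type, print the
# chcon that relabels the mount point to mnt_t (assumption: the targeted
# policy's type for /mnt and /media, which mount_t is allowed to mount on).
# BASEDIR is where the mount points live (/home in this thread); the name
# field of the denial is the directory's basename.
suggest_fix() {
    printf '%s\n' "$1" | while read -r perm stype ttype tclass name; do
        if [ "$perm" = mounton ] && [ "$tclass" = dir ] \
           && [ "$ttype" = user_home_dir_t ]; then
            printf 'chcon -t mnt_t %s/%s\n' "$2" "$name"
        fi
    done
}

# Stand-alone run: show the parsed denials and the commands to apply.
summary=$(avc_summary "$SAMPLE_LOG")
printf '%s\n' "$summary"
suggest_fix "$summary" /home
```

Run it against the real log with `avc_summary "$(grep 'avc: *denied' /var/log/messages)"`. After applying the chcon lines, confirm the label with `ls -Zd /home/vfat /home/ext3`, reboot, and check that no further mounton denials for mount_t appear; if they do, the remaining denial names the type that still needs attention.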
Finalzone
2006-01-20, 07:46 PM CST
What kind of policy does SELinux use on your system?
SlowJet
2006-01-20, 08:22 PM CST
You need to set up the subdirectories in /home and chown and chmod them the first time (for Linux ext3).
For vfat you need to mount it somewhere else, like /media/myvfat (because SELinux is not going to allow it to be part of /home).
So:
/dev/hda3 /boot ext3
/dev/hda5 / ext3 (assuming this contains /home)
After boot:
cd /home/username
mkdir /home/username/extraext3
mount /dev/hda7 /home/username/extraext3
chown -R username:username /home/username/extraext3
chmod -R 0755 /home/username/extraext3
mkdir /media/myvfat
mount -t vfat -o iocharset=utf8,uid=500 /dev/hda6 /media/myvfat
(I don't think this "defaults,iocharset=utf8,uid=500 0 0" is correct for vfat.)
Next:
mount
(gives a list of mount information)
Put that as needed into fstab for the next boot.
SJ
Firewing1
2006-01-20, 08:24 PM CST
My solution: simply disable it completely. I hate SELinux 'cause I find it to be too restrictive, in many cases... like yours.
Firewing1
SlowJet
2006-01-20, 08:28 PM CST
It's supposed to be restrictive. It's a security system. dahhhh!
SJ
Firewing1
2006-01-20, 08:38 PM CST
lol... I find it a little too restrictive, though... I hate having to specifically tell it what it's allowed to do, with everything else being illegal -- it takes too long to manually change perms on each file. IMHO, there should be a policy to allow anything and block only what I tell it to -- innocent until proven guilty sort of thing.
Firewing1
Finalzone
2006-01-20, 09:51 PM CST
Firewings,
You can temporarily disable SELinux, edit the mount drive in question, then set the SELinux policy to MLS permissive. SELinux will automatically relabel itself to adjust to the new change.
Currently, the SELinux enforcing MLS policy causes trouble on my system, making it completely unbootable. I am not surprised that the SELinux team is well aware of that issue. Remember we are testing FC5T2 to report as many bugs as possible.
Firewing1
2006-01-20, 09:56 PM CST
Thanks (bookmarking)... I like the idea of SELinux, I know it really secures my box, but I hated its perms.... On my FC5 install I'll try it out. Thanks!
btw (don't wanna hijack the thread, but while we're on security....) is it safe to open port 22 on my box, 'cause I want my SSH server accessible outside my LAN?
Firewing1
RahulSundaram
2006-01-21, 01:54 AM CST
Try the fedora-selinux list or the fedora-test list:
http://fedoraproject.org/wiki/Communicate