
Bug 118975

Summary: staff_t can loopback mount but sysadm_t can't
Product: Fedora
Reporter: Tim Waugh <twaugh>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: rawhide
CC: barryn, gczarcinski, mikem, pgraner, wtogami
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-04-19 17:57:16 UTC
Bug Blocks: 114961

Description Tim Waugh 2004-03-23 15:15:18 UTC
Description of problem:
Trying this sort of thing:

mount -oloop,ro boot.iso /mnt/cdrom

works as staff_t but not as sysadm_t.  Is that intentional?

Version-Release number of selected component (if applicable):
1.9-11

Comment 1 Daniel Walsh 2004-03-24 21:42:10 UTC
The problem is that staff is not transitioning and sysadm is.  So in
the case of sysadm you are running under mount_t context (which is
correct?).  In the case of staff you are running under staff_t context.
In this version of selinux staff_t is all powerful; in the future it
will not be.  So this is a bug in that mount is not able to read the
file it is trying to mount.

The problem is that with mount -o bind and mount -oloop, almost any
file/directory can be a source or destination of mounting.

Comment 2 Mike McLean 2004-03-25 23:22:55 UTC
So what is the correct way to perform a loopback mount with selinux?

Comment 3 Colin Walters 2004-04-19 17:57:16 UTC
staff_t transitions now into a mount domain too, so this bug is fixed
as far as I can see.

Mike: I just added a new type, sysadm_mount_source_t, that you can use
for loopback devices.  So the correct way is now:

chcon -t sysadm_mount_source_t foo.iso
mount -o loop foo.iso /mnt/cdrom

This will be in the next policy upload.
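
The procedure from Comment 3 wrapped as a pre-flight check, as an added example that is not part of the bug report: it reads the file's context, relabels only when the type is not the one mount_t is allowed to read, and only then loop-mounts.  It assumes GNU stat's %C format for the context and a policy where sysadm_mount_source_t is the expected source type; the context strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the bug report.  Assumes GNU coreutils stat (-c %C
# prints the SELinux context) and the sysadm_mount_source_t type from Comment 3.

# Extract the type field from a security context such as the constructed
# sample "system_u:object_r:sysadm_mount_source_t" (third colon-separated field;
# an MLS level as a fourth field does not change the position).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) only when the context carries a type that mount_t may
# read as a loopback source; anything else (e.g. user_home_t) fails.
is_mount_source() {
    case "$(context_type "$1")" in
        sysadm_mount_source_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Relabel the image only if needed, then mount it read-only over loop.
# Arguments: image path, mount point.
loop_mount() {
    iso=$1
    mountpoint=$2
    ctx=$(stat -c %C "$iso" 2>/dev/null) || ctx='?'
    if ! is_mount_source "$ctx"; then
        chcon -t sysadm_mount_source_t "$iso" || return 1
    fi
    mount -o loop,ro "$iso" "$mountpoint"
}
```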

Comment 4 Mike McLean 2004-04-19 18:30:27 UTC
What about loopback mounting an iso that is on an RO-mounted NFS
filesystem?