Bug 118975 - staff_t can loopback mount but sysadm_t can't
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-03-23 15:15 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-19 17:57:16 UTC
Type: ---
Embargoed:
Description Tim Waugh 2004-03-23 15:15:18 UTC
Description of problem:
Trying this sort of thing:

mount -oloop,ro boot.iso /mnt/cdrom

works as staff_t but not as sysadm_t. Is that intentional?

Version-Release number of selected component (if applicable):
1.9-11

Comment 1 Daniel Walsh 2004-03-24 21:42:10 UTC
The problem is that staff is not transitioning and sysadm is. So in
the case of sysadm you are running under the mount_t context (which is
correct?). In the case of staff you are running under the staff_t context.
In this version of selinux staff_t is all powerful; in the future it
will not be. So this is a bug in that mount is not able to read the
file it is trying to mount.

The problem is that with mount -o bind and mount -oloop almost any
file/directory can be a source or destination of mounting.

Comment 2 Mike McLean 2004-03-25 23:22:55 UTC
So what is the correct way to perform a loopback mount with selinux?

Comment 3 Colin Walters 2004-04-19 17:57:16 UTC
staff_t transitions now into a mount domain too, so this bug is fixed
as far as I can see.

Mike:  I just added a new type, sysadm_mount_source_t that you can use
for loopback devices.  So the correct way is now:

chcon -t sysadm_mount_source_t foo.iso
mount -o loop foo.iso /mnt/cdrom

This will be in the next policy upload.

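Comment 1 attributes the sysadm_t failure to the mount_t domain being denied read on the image file. As an added example, not code from this bug report or from the Fedora policy, here is a POSIX shell function that scans AVC denial lines for exactly that pattern and reports the target type and file name, so an administrator can see which files are candidates for the sysadm_mount_source_t label described in Comment 3. The audit lines, file names and inode numbers below are constructed.

```shell
#!/bin/sh
# Constructed sample AVC lines in the pre-auditd kernel log format of that era.
# Only the first and third lines are mount_t being denied read on a file.
SAMPLE_AVC='avc: denied { read } for pid=1234 comm="mount" name="boot.iso" dev=hda2 ino=5678 scontext=root:sysadm_r:mount_t tcontext=root:object_r:sysadm_home_t tclass=file
avc: denied { write } for pid=1235 comm="vi" name="foo" dev=hda2 ino=91 scontext=root:staff_r:staff_t tcontext=root:object_r:etc_t tclass=file
avc: denied { read } for pid=1236 comm="mount" name="fc2.iso" dev=hda2 ino=777 scontext=root:sysadm_r:mount_t tcontext=root:object_r:nfs_t tclass=file'

# mount_read_denials TEXT
# Prints "<target type> <file name>" for every denial whose source domain
# is mount_t, whose denied permissions include read, and whose target
# class is file. Each reported file is one that mount(8) could not read
# under its own domain; relabelling it (chcon -t sysadm_mount_source_t)
# is the fix the bug's Comment 3 describes.
mount_read_denials() {
    printf '%s\n' "$1" | awk '
        /avc: denied/ && /scontext=[^ ]*:mount_t/ && /tclass=file/ {
            perm = ""; name = ""; ttype = ""
            # The permission set sits between braces: "{ read getattr }".
            if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
            if (perm !~ /read/) next
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/) {
                    name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name)
                }
                if ($i ~ /^tcontext=/) {
                    # The type is the last colon-separated field of the context.
                    n = split($i, c, ":"); ttype = c[n]
                }
            }
            print ttype, name
        }'
}
```

Run it against a saved kernel log with `mount_read_denials "$(cat /var/log/messages)"`; each output line names a file type that mount_t cannot read and the file that triggered the denial.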
Comment 4 Mike McLean 2004-04-19 18:30:27 UTC
What about loopback mounting an iso that is on an RO-mounted NFS
filesystem?
