Hello,
I'm running RHEL 5 with SELinux in enforcing mode. I like the new "setroubleshootd" with the Gnome applet, but I have a question about automounter and SELinux. I've gotten tens of alerts saying the following:

"SELinux is preventing /bin/mount (mount_t) "read write" to socket:[854495] (automount_t)"

I also get similar alerts to /bin/umount. I'm running the default policy from Red Hat. Why would the default policy complain so much about mount/umount interacting with automount? Should I use audit2allow to set up a Type Enforcement file to allow this?

/Brian/

--
Brian Long
C I S C O

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list

I believe this AVC can be ignored. automount is leaking an open file descriptor, which the kernel is closing before starting the mount command. The kernel checks its policy to see if mount can read/write the socket owned by automount and then closes it. Automount should have closed the file descriptor on exec. I believe this bug is fixed in the latest code, but has not been backported to RHEL5 yet.
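
The descriptor leak described in the reply above, as an added example that is not part of the original thread and is not automount's code: a parent opens a socket, forks and execs a child, and the child reports whether it inherited the descriptor, with and without `FD_CLOEXEC`. The function name `fd_survives_exec`, the use of `/bin/sh` as the exec'd program and the `/proc/$$/fd` check (Linux only) are assumptions of this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a socket opened by the parent is still open in the exec'd
 * child, 0 if it was closed on exec, -1 on error.
 * Assumptions: /bin/sh exists and /proc is mounted. */
int fd_survives_exec(int set_cloexec)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    if (set_cloexec) {
        /* What the daemon should do for every descriptor it does not
         * intend to hand to the programs it runs. */
        int flags = fcntl(sv[0], F_GETFD);
        if (flags < 0 || fcntl(sv[0], F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(sv[0]);
            close(sv[1]);
            return -1;
        }
    }

    /* The child asks the kernel whether descriptor sv[0] exists in its table. */
    char script[64];
    snprintf(script, sizeof script, "test -h /proc/$$/fd/%d", sv[0]);

    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* exec itself failed */
    }

    int status = 0;
    int waited = (pid > 0) ? waitpid(pid, &status, 0) : -1;
    close(sv[0]);
    close(sv[1]);
    if (waited < 0 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0; /* test -h exits 0 when the fd exists */
}

int main(void)
{
    printf("without FD_CLOEXEC: inherited=%d\n", fd_survives_exec(0));
    printf("with FD_CLOEXEC:    inherited=%d\n", fd_survives_exec(1));
    return 0;
}
```

On an SELinux system the inherited case is the one that produces the denial: the exec'd program runs in a different domain from the socket's owner, so the descriptor is checked against policy at exec time.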
