Frank Murphy
2008-Jul-13 10:42 UTC
[CentOS] Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share
Summary:
SELinux prevented mount from mounting on the file or directory "./Fedora-9-Everything-i386-DVD1.iso" (type "samba_share_t").
Detailed Description:
SELinux prevented mount from mounting a filesystem on the file or directory "./Fedora-9-Everything-i386-DVD1.iso" of type "samba_share_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "samba_share_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.
Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information:
Source Context system_u:system_r:mount_t
Target Context user_u:object_r:samba_share_t
Target Objects ./Fedora-9-Everything-i386-DVD1.iso [ file ]
Source mount
Source Path /bin/mount
Port <Unknown>
Host server-01
Source RPM Packages util-linux-2.13-0.47.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_mount_anyfile
Host Name server-01
Platform Linux server-01 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon
Alert Count 3
First Seen Sun 13 Jul 2008 10:26:26 IST
Last Seen Sun 13 Jul 2008 11:07:49 IST
Local ID 268bdb54-5d8d-4c81-b7ba-0392b5cea34e
Line Numbers
Raw Audit Messages
host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied { write } for pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_share_t:s0 tclass=file
host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
Filipe Brandenburger
2008-Jul-13 15:49 UTC
[CentOS] Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share
Hi,

Please try to be more specific about what you are trying to do, how you are trying to do it, what you expected, what is going wrong, and what you tried to do to repair it. Your previous mail looks like the output of a tool, I don't even know which. Knowing that would help solve your issue.

From what I see, you are trying to mount an .iso file in a target directory inside Samba's tree, and SELinux is denying that (with the AVC you showed in your original message). SELinux complains because the target directory is not marked with the "mnt_t" type and, for security, it restricts mounting filesystems only to directories with that type.

To change that, you could use "chcon" to set the type to the directory where you want to mount your iso.

# chcon -t mnt_t /path/to/mountpoint
# mount -o loop,ro /path/to/iso/Fedora.iso /path/to/mountpoint

You can use ls -Z (or if it's a directory ls -dZ) to verify the SELinux user:role:type of the file.

Please let us know how that works for you.

HTH,
Filipe
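
Added example, not part of the original thread: a small Python parser for the raw audit messages in the first post. It pairs the AVC and SYSCALL records by audit event ID and reports the source domain, target type, object class and denied permission. The function names are illustrative, and the two records are the ones from the post rejoined onto single lines.

```python
import errno
import re

# The two records from the first post, rejoined onto single lines.
RAW_AUDIT = '''\
host=server-01 type=AVC msg=audit(1215943669.186:14): avc: denied { write } for pid=2898 comm="mount" name="Fedora-9-Everything-i386-DVD1.iso" dev=md2 ino=8585227 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_share_t:s0 tclass=file
host=server-01 type=SYSCALL msg=audit(1215943669.186:14): arch=40000003 syscall=5 success=no exit=-13 a0=9fd5450 a1=8002 a2=0 a3=8002 items=0 ppid=2877 pid=2898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit line into a dict; return None if it is not a record."""
    head = HEADER.search(line)
    if not head:
        return None
    rec = {'type': head.group(1), 'event': f'{head.group(2)}:{head.group(3)}'}
    body = line[head.end():]
    for key, value in FIELD.findall(body):
        rec[key] = value.strip('"')
    avc = AVC.search(body)
    if avc:
        rec['result'] = avc.group(1)
        rec['perms'] = avc.group(2).split()
    return rec

def summarize_denials(text):
    """Group records by event ID and describe each AVC denial."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec['event'], {})[rec['type']] = rec
    out = []
    for event_id, recs in events.items():
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})  # may be absent from a partial log
        code = -int(sc['exit']) if 'exit' in sc else None
        out.append({
            'event': event_id,
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'], 'perms': avc['perms'],
            'name': avc.get('name'), 'exe': sc.get('exe'),
            'errno': errno.errorcode.get(code) if code else None,
        })
    return out
```

Calling `summarize_denials(RAW_AUDIT)` returns one entry for event `1215943669.186:14`; the same function can be pointed at other raw AVC/SYSCALL pairs copied out of an audit log.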