My process creates a dir /tmp/isys, then mounts a file system on that directory.
/tmp has the tmpfs label.
I see these audit messages on mount and unmount:
audit.old:audit(1381509622.789:19): avc: denied { mount } for pid=2811 comm="ctapSteps124518" name="/" dev=mmcblk0p13 ino=65 scontext=u:r:cisco_super:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
audit.old:audit(1381509622.804:20): avc: denied { unmount } for pid=2811 comm="ctapSteps124518" scontext=u:r:cisco_super:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
The block filesystem mmcblk0p13 is a labeled squashfs file system. Is that the
reason it has the label labeledfs?
My process also mounts different (unlabeled) filesystems, and there is no audit
message in those cases. So I'm not sure why it doesn't have permission to
mount mmcblk0p13. Is a labeledfs filesystem treated differently than an unlabeled
one?
Also, I wonder what the normal way to test SELinux policy is. I was thinking
of having some transition rules to transition shell to some test domain so
that we can test the policy for that test domain. For example, if I want to
test whether the device has the right policy for domain d, then I can transition from
shell to d and test whether d can access files that it should not be able to, or
do operations that it should not be able to. Does that make sense?
Thanks,
Tai
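The denials quoted in the message above can be turned into candidate allow rules mechanically, which is roughly what audit2allow does; the script below is an added example for this thread, not part of Tai's message and not Cisco or SELinux project code. Its sample audit lines are constructed: the first two rejoin the mount and unmount denials from the post onto single lines as they appear in the raw log, and the third, with the made-up type test_cfg_file, is invented only to show how permissions on a second (source, target, class) key are merged. A generated allow rule only says what would silence the denial; whether cisco_super should be allowed to mount a labeledfs filesystem at all is a policy decision the script cannot make.

```shell
#!/bin/sh
# avc_to_allow: read raw "avc: denied" audit lines on stdin and print one
# candidate rule per (source type, target type, class), merging permissions.
# Context strings are user:role:type[:range]; the type is the third field.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # permissions are the words between the braces that follow "denied"
        if (match($0, /denied +[{] *[^}]* *[}]/)) {
            p = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", p)
            sub(/ *[}]$/, "", p)
            perms = p
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { s = $i; sub(/^scontext=/, "", s) }
            else if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
            else if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
        }
        if (s == "" || t == "" || c == "" || perms == "") next
        split(s, sa, ":"); split(t, ta, ":")
        key = sa[3] SUBSEP ta[3] SUBSEP c
        # merge this denial'"'"'s permissions into the set already seen for key
        n = split(perms, pa)
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " pa[j] " ") == 0)
                seen[key] = (seen[key] == "" ? pa[j] : seen[key] " " pa[j])
        # remember first-seen order so output is stable
        if (!(key in order)) { order[key] = ++cnt; keys[cnt] = key }
    }
    END {
        for (k = 1; k <= cnt; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], seen[keys[k]]
        }
    }'
}

# Constructed sample input. Lines 1-2 are the denials quoted in the post,
# rejoined onto one line each; line 3 (type test_cfg_file) is invented.
SAMPLE_AUDIT='audit(1381509622.789:19): avc: denied { mount } for pid=2811 comm="ctapSteps124518" name="/" dev=mmcblk0p13 ino=65 scontext=u:r:cisco_super:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
audit(1381509622.804:20): avc: denied { unmount } for pid=2811 comm="ctapSteps124518" scontext=u:r:cisco_super:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem
audit(1381509622.900:21): avc: denied { read open } for pid=2811 comm="ctapSteps124518" name="config" dev=mmcblk0p13 ino=70 scontext=u:r:cisco_super:s0 tcontext=u:object_r:test_cfg_file:s0 tclass=file'

# Stand-alone run: prints the two merged candidate rules.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow
```

Run it on a real device with `grep 'avc: *denied' /path/to/audit.log | avc_to_allow` and treat each emitted line as a question, not an answer: a denial during a policy test of the kind described in the message (transition shell into domain d, try the forbidden operation) is often exactly the result you wanted to see, and the right response is to leave the rule out.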