On Apr 4, 2005 11:06 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Mon, 2005-04-04 at 11:02 -0400, Deron Meranda wrote:
> > I'm trying to mount some ISO files using the loop device. However
> > I can't seem to get the context= option on the mount to work. As
> > such the mounted files have no SELinux context set. In particular
> > I'm trying the following,
> >
> > mount -t iso9660 \
> > -o context=system_u:object_r:httpd_sys_content_t,loop,ro,noexec,nodev,nosuid \
> > /path/to/file.iso /mountpoint
> >
> > I'm running in enforcing mode with selinux-policy-targeted-1.17.30-2.93
> >
> > How can one mount an ISO image file and force all files to appear
> > to have a particular SELinux context?
>
> What makes you think it isn't working? ls -Z isn't going to work
> regardless, as iso9660 doesn't provide extended attribute handlers. But
> the context= option should set the security context that is applied
> internally by SELinux to the incore inodes, so that they will be access
> controlled accordingly. BTW, fscontext= may be more suitable here than
> context=.

Thanks Stephen. It is working, now that I've restarted Apache and
refreshed my caches. Doh!

I was, though, expecting ls -Z to show the applied label. So the
filesystem context is being applied, but you can't see it via ls -Z?
I guess that makes sense now that I think about it, but it was a little
surprising. I kind of expected the context= option to work somewhat
like the uid= and gid= options as far as its visibility to ls.

Also I think context= is what I want, versus fscontext=, since this is
an ISO9660 filesystem that doesn't support extended attributes (xattr).
Otherwise Apache could see the filesystem, but not the individual files
inside it. Isn't that correct?

BTW, for the benefit of others, I finally found a few good references
on this type of filesystem-wide labeling...

http://www.redhat.com/f/pdf/whitepapers/Filesystem_Labeling_SELinux.pdf
http://mirror.centos.org/centos/4/docs/html/rhel-selg-en-4/rhlcommon-section-0019.html
http://www.linuxjournal.com/article/7426
--
Deron Meranda
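Because an xattr-less filesystem such as iso9660 never shows the mount-time label through ls -Z, the place to confirm that a context= or fscontext= option actually took effect is the kernel's own mount table, /proc/self/mounts, where SELinux prints those options alongside ro/noexec/nodev/nosuid. The script below is an added example, not code from this thread or from any SELinux project: it reads a mount table (a constructed three-line sample by default, /proc/self/mounts when none is given), reports the SELinux labeling option for a mountpoint, and checks that a given hardening option is present. The function names mount_label and has_opt and the sample device and mountpoint names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit SELinux mount-time labeling options without ls -Z.
# SAMPLE_MOUNTS is CONSTRUCTED to resemble /proc/self/mounts output:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/loop0 /mountpoint iso9660 ro,nosuid,nodev,noexec,relatime,context=system_u:object_r:httpd_sys_content_t 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0
/dev/loop1 /mnt/other iso9660 ro,relatime,fscontext=system_u:object_r:httpd_sys_content_t 0 0'

# mount_label MOUNTPOINT [MOUNT_TABLE_TEXT]
# Prints the SELinux labeling option(s) recorded for MOUNTPOINT
# (context=, fscontext=, defcontext= or rootcontext=), or "none".
# Reads /proc/self/mounts when no table text is supplied.
mount_label() {
    mp=$1
    src=${2:-$(cat /proc/self/mounts)}
    printf '%s\n' "$src" | awk -v mp="$mp" '
        $2 == mp {
            found = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^(context|fscontext|defcontext|rootcontext)=/) {
                    print opts[i]
                    found = 1
                }
            }
            if (!found) print "none"
        }'
}

# has_opt MOUNTPOINT OPTION [MOUNT_TABLE_TEXT]
# Prints "yes" if OPTION (e.g. noexec) is among the mount options, else "no".
has_opt() {
    mp=$1
    want=$2
    src=${3:-$(cat /proc/self/mounts)}
    printf '%s\n' "$src" | awk -v mp="$mp" -v want="$want" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) { print "yes"; exit }
            print "no"
        }'
}

# Stand-alone demonstration over the constructed table.
for mp in /mountpoint /boot /mnt/other; do
    echo "$mp: label=$(mount_label "$mp" "$SAMPLE_MOUNTS")" \
         "noexec=$(has_opt "$mp" noexec "$SAMPLE_MOUNTS")"
done
```

On a live system, calling mount_label /mountpoint with no second argument checks the real mount table; a result of "none" on a loop-mounted ISO means the label option was dropped or the mount did not happen as intended, which is exactly the condition ls -Z cannot reveal on this filesystem type.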