Setting SELinux context of loop-mounted ISO filesystem
Stephen Smalley
sds at tycho.nsa.gov
Mon Apr 4 15:48:09 UTC 2005
On Mon, 2005-04-04 at 11:44 -0400, Deron Meranda wrote:
> I was, though, expecting ls -Z to show the applied label. So the filesystem
> context is being applied, but you can't see it via ls -Z? I guess that makes
> sense now that I think about it, but it was a little surprising. I kind of
> expected the context= option to work somewhat like the uid= and gid= options
> as far as its visibility to ls.
Unfortunately, no. ls -Z ultimately calls getxattr on the inode, and
unless the filesystem implementation provides a getxattr method, you
can't get that information. There has been discussion of putting a
transparent redirect in the VFS so that if the filesystem implementation
doesn't provide getxattr/setxattr on the security namespace, the VFS
will automatically redirect the request to the security module (i.e.
SELinux) and let it handle it based on the incore inode security
context.
> Also I think context= is what I want, versus fscontext=, since this is an
> ISO9660 filesystem that doesn't support extended attributes (xattr). Otherwise
> Apache could see the filesystem, but not the individual files inside it.
> Isn't that correct?
I think for iso9660 they are effectively equivalent. It would make a
difference for filesystems that have native xattr support.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
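As an added example (not code from this thread or from the SELinux project), a Python check that parses /proc/mounts-style lines and reports where each mount's labels come from: context= labels every inode (the case the ISO9660 question asks about), fscontext= only the superblock, and the seclabel flag that the kernel shows for xattr-backed filesystems, where ls -Z actually reads the label from the inode. The sample lines and mount points are constructed; the parser also handles the kernel's double-quoting of a context that contains commas (MLS category sets).

```python
import re

def _unescape(s):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def _split_options(opt_str):
    # Comma-separated; the kernel double-quotes an SELinux context that
    # itself contains commas (an MLS category set such as s0:c0,c1).
    opts, cur, quoted = {}, [], False
    for ch in opt_str + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            key, _, val = "".join(cur).partition("=")
            if key:
                opts[key] = val
            cur = []
        else:
            cur.append(ch)
    return opts

def parse_mounts(text):
    """Parse /proc/mounts text into dicts: source, target, fstype, options."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            mounts.append({"source": _unescape(f[0]), "target": _unescape(f[1]),
                           "fstype": f[2], "options": _split_options(f[3])})
    return mounts

def label_source(m):
    """Where the SELinux label of files under this mount comes from."""
    o = m["options"]
    if "context" in o:    # every inode gets this label; on-disk xattrs ignored
        return "context=", o["context"]
    if "fscontext" in o:  # superblock only; inode labels come from elsewhere
        return "fscontext=", o["fscontext"]
    if "seclabel" in o:   # fs stores security.selinux per inode (ls -Z works)
        return "xattr", None
    return "policy default", None

# Constructed sample lines, not captured from a real system
SAMPLE_MOUNTS = """\
/dev/loop0 /mnt/iso iso9660 ro,relatime,context=system_u:object_r:httpd_sys_content_t:s0 0 0
/dev/loop1 /mnt/iso\\040two iso9660 ro,fscontext=system_u:object_r:httpd_sys_content_t:s0 0 0
/dev/loop2 /mnt/mls iso9660 ro,context="system_u:object_r:httpd_sys_content_t:s0:c0,c1" 0 0
/dev/sda1 / ext4 rw,relatime,seclabel 0 0
"""
```

Run `parse_mounts(open("/proc/mounts").read())` on a live host to audit which loop mounts carry a context= label and which rely on the filesystem's own xattrs.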