SELinux - copying ISO file content

David P. Quigley dpquigl at tycho.nsa.gov
Tue Oct 7 18:23:11 UTC 2008


On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote:
> On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote:
> > Daniel J Walsh wrote:
> > > Jon Masters wrote:
> > >> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
> > >>
> > >>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
> > >>>>
> > >>>> And then one might legitimately expect to be able to copy the content
> > >>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
> > >>>> suppose that one is running SELinux in enforcing mode, then this will
> > >>>> fail because the contexts differ in this operation. Then, one will
> > >>>> likely quickly become severely annoyed and frustrated with SELinux,
> > >>>> simply setting it permissive for the duration of the operation...
> > 
> > I've seen this...
> 
> Indeed. I have too, one too many times.
> 
> > SELinux is preventing cp from creating a file with a context of
> > iso9660_t on a filesystem.
> 
> Ah yes, I probably used the standard "cp -ax blah /blah" command. I
> guess I'll need to learn not to use such standard commands in future and
> adapt everything around SELinux. Because that's very non-obtrusive, and
> won't cause regular users any anguish at all.
> 
> Jon.
> 
> 

I think the main question here is should archive try to retain the
SELinux context. From what I've heard from people here, initially the
idea was to try to preserve the context and, if that failed, fall back to
labeling based on the parent. That doesn't seem to be what cp is trying
to do. If we removed the retain-the-context part from the archive switch
of cp, you would get labeling based on the parent, but then you would be
required to explicitly specify preserving the context when you wanted to
archive that as well.

It doesn't seem like anyone is actually depending on the associate
permission so it might be worth someone looking into removing it if no
one is really using it. It has its applications but I don't believe Red
Hat is using it at this time.

Dave
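As an added example (not from this thread, nor from coreutils or Fedora), a small shell script that copies a tree such as a loop-mounted ISO the way the discussion suggests: it drops only the context attribute from the archive copy, so the new files are labeled from the destination parent, and then relabels them per policy. It assumes a coreutils cp that accepts --no-preserve=context and, optionally, getenforce and restorecon from policycoreutils; on a system without SELinux it falls back to a plain cp -a.

```shell
#!/bin/sh
# Added example: archive-copy a tree without carrying the source's
# SELinux context (e.g. iso9660_t) onto the destination filesystem.
# Assumptions: coreutils cp with --no-preserve=context; getenforce and
# restorecon are optional.

selinux_active() {
    # True when SELinux tooling is present and the system is not "Disabled".
    command -v getenforce >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" != "Disabled" ]
}

copy_tree() {
    # copy_tree SRC DST: copy the contents of SRC into DST. Returns non-zero
    # if the copy fails.
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    if selinux_active; then
        # -a implies --preserve=all, which includes the security context.
        # Drop only that attribute so ownership, timestamps and links are
        # still kept; new files then get the label derived from DST's parent.
        cp -a --no-preserve=context "$src"/. "$dst"/ || return 1
        # Now apply the labels the policy's file contexts assign to DST's
        # path, rather than whatever the parent directory happened to carry.
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -R "$dst"
        fi
    else
        cp -a "$src"/. "$dst"/ || return 1
    fi
    return 0
}

demo() {
    # Constructed sample tree in a temp dir (no ISO, mount or root needed).
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src/isolinux"
    printf 'default linux\n' > "$tmp/src/isolinux/isolinux.cfg"
    copy_tree "$tmp/src" "$tmp/dst" || { rm -rf "$tmp"; return 1; }
    cmp -s "$tmp/src/isolinux/isolinux.cfg" "$tmp/dst/isolinux/isolinux.cfg"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On an SELinux host, `ls -Z` on the destination before and after restorecon shows the parent-derived label being replaced by the one the policy assigns to that path.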