SELinux - copying ISO file content

Daniel J Walsh dwalsh at redhat.com
Wed Oct 8 14:43:08 UTC 2008


David P. Quigley wrote:
> On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote:
>> On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote:
>>> Daniel J Walsh wrote:
>>>> Jon Masters wrote:
>>>>> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
>>>>>
>>>>>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
>>>>>>>
>>>>>>> And then one might legitimately expect to be able to copy the content
>>>>>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
>>>>>>> suppose that one is running SELinux in enforcing mode, then this will
>>>>>>> fail because the contexts differ in this operation. Then, one will
>>>>>>> likely quickly become severely annoyed and frustrated with SELinux,
>>>>>>> simply setting it permissive for the duration of the operation...
>>> I've seen this...
>> Indeed. I have too, one too many times.
>>
>>> SELinux is preventing cp from creating a file with a context of
>>> iso9660_t on a filesystem.
>> Ah yes, I probably used the standard "cp -ax blah /blah" command. I
>> guess I'll need to learn not to use such standard commands in future and
>> adapt everything around SELinux. Because that's very non-obtrusive, and
>> won't cause regular users any anguish at all.
>>
>> Jon.
>>
>>
> 
> I think the main question here is should archive try to retain the
> SELinux context. From what I've heard from people here, initially the
> idea was to try to preserve the context and if that failed fall back to
> labeling based on the parent. That doesn't seem to be what cp is trying
> to do. If we removed the retain the context part from the archive switch
> of cp you would get labeling based on the parent but then you would be
> required to explicitly specify preserve the context when you wanted to
> archive that as well. 
> 
> It doesn't seem like anyone is actually depending on the associate
> permission so it might be worth someone looking into removing it if no
> one is really using it. It has its applications but I don't believe Red
> Hat is using it at this time.
> 
> Dave
> 

That is fine with me but I would like to get the opinion of upstream
coreutils.

Jim, what do you think?


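The behaviour David describes in the quoted reply (try to preserve the source context, and if that is refused keep the label the new file got from its parent directory) can be written out as follows. This is an added example, not part of the original thread and not coreutils code; the function name, its return strings and the injectable `get_label`/`set_label` parameters are hypothetical.

```python
import errno
import os
import shutil
import stat

SELINUX_XATTR = "security.selinux"
# errno values treated as "policy or filesystem refused this label"
LABEL_REFUSED = {errno.EACCES, errno.EPERM, errno.ENOTSUP, errno.EINVAL}


def copy_preserving_label(src, dst, get_label=None, set_label=None):
    """Copy src to dst; return 'preserved' or 'parent-default'.

    get_label/set_label are hypothetical hooks so the logic can be exercised
    without SELinux; they default to os.getxattr/os.setxattr (Linux only).
    """
    get_label = get_label or os.getxattr
    set_label = set_label or os.setxattr

    # Creating dst lets the kernel assign the default label for the
    # destination directory: this is the "label based on the parent" state.
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))

    try:
        label = get_label(src, SELINUX_XATTR)
    except OSError:
        return "parent-default"      # source has no readable label
    try:
        set_label(dst, SELINUX_XATTR, label)
    except OSError as exc:
        if exc.errno in LABEL_REFUSED:
            return "parent-default"  # data is copied, default label is kept
        raise                        # unrelated I/O errors still surface
    return "preserved"
```

A refused relabel leaves a complete copy with the destination's default label instead of aborting the copy, which is the failure mode the thread complains about.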