Setting SELinux context of loop-mounted ISO filesystem

Deron Meranda deron.meranda at gmail.com
Mon Apr 4 15:44:07 UTC 2005


On Apr 4, 2005 11:06 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Mon, 2005-04-04 at 11:02 -0400, Deron Meranda wrote:
> > I'm trying to mount some ISO files using the loop device.  However
> > I can't seem to get the context= option on the mount to work.  As
> > such the mounted files have no SELinux context set.  In particular
> > I'm trying the following,
> >
> >   mount -t iso9660 \
> >      -o context=system_u:object_r:httpd_sys_content_t,loop,ro,noexec,nodev,nosuid
> >  \
> >      /path/to/file.iso  /mountpoint
> >
> > I'm running in enforcing mode with selinux-policy-targeted-1.17.30-2.93
> >
> > How can one mount an ISO image file and force all files to appear
> > to have a particular SELinux context?
> 
> What makes you think it isn't working?  ls -Z isn't going to work
> regardless, as iso9660 doesn't provide extended attribute handlers.  But
> the context= option should set the security context that is applied
> internally by SELinux to the incore inodes, so that they will be access
> controlled accordingly.  BTW, fscontext= may be more suitable here than
> context=.

Thanks Stephen.

It is working, now that I've restarted Apache and refreshed my caches. Doh!

I was, though, expecting ls -Z to show the applied label.  So the filesystem
context is being applied, but you can't see it via ls -Z?  I guess that makes
sense now that I think about it, but it was a little surprising.  I kind of
expected the context= option to work somewhat like the uid= and gid= options
as far as its visibility to ls.

Also I think context= is what I want, versus fscontext=, since this is an
ISO9660 filesystem that doesn't support extended attributes (xattr).  Otherwise
Apache could see the filesystem, but not the individual files inside it.
Isn't that correct?

BTW, for the benefit of others, I finally found a few good references on this
type of filesystem-wide labeling...

http://www.redhat.com/f/pdf/whitepapers/Filesystem_Labeling_SELinux.pdf
http://mirror.centos.org/centos/4/docs/html/rhel-selg-en-4/rhlcommon-section-0019.html
http://www.linuxjournal.com/article/7426

-- 
Deron Meranda
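Since ls -Z cannot show the label on an iso9660 mount, the one place the applied label is visible is the mount's own option string in /proc/self/mounts. The script below is an added example, not code from the thread: it reads mounts-style text, reports whether a mountpoint was mounted with context= or fscontext= (or neither), and checks that the context= type matches what Apache needs. The mount lines are constructed for the example; newer kernels print the label in double quotes and older ones do not, so both forms are handled.

```shell
#!/bin/sh
# Added example (not from the original thread).  Verifies, from
# /proc/self/mounts-style text, how a loop-mounted ISO was labelled.

# Constructed sample lines in /proc/self/mounts format.  The first uses the
# quoted form newer kernels print; the second uses the unquoted older form.
SAMPLE_MOUNTS='/dev/loop0 /mnt/iso iso9660 ro,nosuid,nodev,noexec,relatime,context="system_u:object_r:httpd_sys_content_t" 0 0
/dev/loop1 /mnt/iso2 iso9660 ro,relatime,fscontext=system_u:object_r:httpd_sys_content_t 0 0
/dev/loop2 /mnt/iso3 iso9660 ro,relatime 0 0'

# mount_label_mode MOUNTS_TEXT MOUNTPOINT
# Prints "context <label>", "fscontext <label>", "none" (mounted, no label
# option) or "absent" (mountpoint not present in the text).
mount_label_mode() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        $2 == mnt {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^context=/ || opts[i] ~ /^fscontext=/) {
                    split(opts[i], kv, "=")
                    gsub(/"/, "", kv[2])      # strip the quotes newer kernels add
                    print kv[1], kv[2]
                    found = 1
                    exit
                }
            }
            print "none"
            found = 1
            exit
        }
        END { if (!found) print "absent" }'
}

# require_file_context MOUNTS_TEXT MOUNTPOINT EXPECTED_TYPE
# Succeeds only when the mountpoint carries a context= option whose type
# field (third colon-separated field) is EXPECTED_TYPE.  An fscontext= mount
# does not pass: as the thread argues, on an xattr-less iso9660 filesystem
# only context= labels the individual files Apache must read.
require_file_context() {
    mode=$(mount_label_mode "$1" "$2")
    case "$mode" in
        "context "*)
            label=${mode#context }
            typ=$(printf '%s' "$label" | cut -d: -f3)
            [ "$typ" = "$3" ]
            ;;
        *)
            return 1
            ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
for m in /mnt/iso /mnt/iso2 /mnt/iso3; do
    printf '%s: %s\n' "$m" "$(mount_label_mode "$SAMPLE_MOUNTS" "$m")"
done
if require_file_context "$SAMPLE_MOUNTS" /mnt/iso httpd_sys_content_t; then
    echo "/mnt/iso: files labelled httpd_sys_content_t"
fi
```

On a live system, replace the sample with the real table: `require_file_context "$(cat /proc/self/mounts)" /mountpoint httpd_sys_content_t`. The type comparison uses only the third field, so it also works on later policies whose labels carry a trailing MLS field such as `:s0`.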