Setting SELinux context of loop-mounted ISO filesystem
Stephen Smalley
sds at tycho.nsa.gov
Mon Apr 4 15:06:30 UTC 2005
On Mon, 2005-04-04 at 11:02 -0400, Deron Meranda wrote:
> I'm trying to mount some ISO files using the loop device. However
> I can't seem to get the context= option on the mount to work. As
> such the mounted files have no SELinux context set. In particular
> I'm trying the following,
>
> mount -t iso9660 \
>   -o context=system_u:object_r:httpd_sys_content_t,loop,ro,noexec,nodev,nosuid \
>   /path/to/file.iso /mountpoint
>
> I'm running in enforcing mode with selinux-policy-targeted-1.17.30-2.93
>
> How can one mount an ISO image file and force all files to appear
> to have a particular SELinux context?
What makes you think it isn't working? ls -Z isn't going to work
regardless, as iso9660 doesn't provide extended attribute handlers. But
the context= option should set the security context that is applied
internally by SELinux to the incore inodes, so that they will be access
controlled accordingly. BTW, fscontext= may be more suitable here than
context=.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency