[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Setting SELinux context of loop-mounted ISO filesystem



On Mon, 2005-04-04 at 11:02 -0400, Deron Meranda wrote:
> I'm trying to mount some ISO files using the loop device.  However
> I can't seem to get the context= option on the mount to work.  As
> such the mounted files have no SELinux context set.  In particular
> I'm trying the following,
> 
>   mount -t iso9660 \
>      -o context=system_u:object_r:httpd_sys_content_t,loop,ro,noexec,nodev,nosuid
>  \
>      /path/to/file.iso  /mountpoint
> 
> I'm running in enforcing mode with selinux-policy-targeted-1.17.30-2.93
> 
> How can one mount an ISO image file and force all files to appear
> to have a particular SELinux context?

What makes you think it isn't working?  ls -Z isn't going to work
regardless, as iso9660 doesn't provide extended attribute handlers.  But
the context= option should set the security context that is applied
internally by SELinux to the incore inodes, so that they will be access
controlled accordingly.  BTW, fscontext= may be more suitable here than
context=.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]