Setting SELinux context of loop-mounted ISO filesystem

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 4 15:48:09 UTC 2005


On Mon, 2005-04-04 at 11:44 -0400, Deron Meranda wrote:
> I was, though, expecting ls -Z to show the applied label.  So the filesystem
> context is being applied, but you can't see it via ls -Z?  I guess that makes
> sense now that I think about it, but it was a little surprising.  I kind of
> expected the context= option to work somewhat like the uid= and gid= options
> as far as its visibility to ls.

Unfortunately, no.  ls -Z ultimately calls getxattr on the inode, and
unless the filesystem implementation provides a getxattr method, you
can't get that information.  There has been discussion of putting a
transparent redirect in the VFS so that if the filesystem implementation
doesn't provide getxattr/setxattr on the security namespace, the VFS
will automatically redirect the request to the security module (i.e.
SELinux) and let it handle it based on the incore inode security
context.

> Also I think context= is what I want, versus fscontext=, since this is an
> ISO9660 filesystem that doesn't support extended attributes (xattr).
> Otherwise Apache could see the filesystem, but not the individual files
> inside it.  Isn't that correct?

I think for iso9660 they are effectively equivalent.  It would make a
difference for filesystems that have native xattr support.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
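Since ls -Z reads the label through getxattr, which iso9660 does not provide, the mount table is where the applied context= option can actually be confirmed. The following shell snippet is an added example, not part of the original thread; the image path, mount point, loop device and context value are constructed sample data.

```shell
#!/bin/sh
# Added example: build the mount options for a loop-mounted ISO carrying a
# fixed SELinux context, then confirm the option from a /proc/mounts-style
# listing instead of ls -Z (which needs a getxattr method the fs lacks).

# Assemble the option string for a read-only, loop-mounted ISO whose every
# file should carry the given SELinux context.
# $1 = SELinux context (e.g. system_u:object_r:httpd_sys_content_t:s0)
iso_mount_opts() {
    printf 'loop,ro,nodev,nosuid,noexec,context=%s' "$1"
}

# Print the context= value recorded for a mount point, reading
# /proc/mounts-style lines on stdin. Newer kernels quote the value
# (context="..."), older ones do not; both forms are accepted.
# Exit status 1 means no context= option is present for that mount point.
# $1 = mount point
mount_context_of() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^context=/) {
                    v = substr(opts[i], 9)   # drop the "context=" prefix
                    gsub(/"/, "", v)         # drop optional surrounding quotes
                    print v
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed /proc/mounts snapshot: one ISO mounted with context=, one without.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /var/www/iso iso9660 ro,nosuid,nodev,noexec,context="system_u:object_r:httpd_sys_content_t:s0" 0 0
/dev/loop1 /mnt/other iso9660 ro 0 0'

# Stand-alone demonstration (hypothetical paths; no mount is performed here).
echo "mount -t iso9660 -o $(iso_mount_opts system_u:object_r:httpd_sys_content_t:s0) /srv/site.iso /var/www/iso"
if ctx=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_context_of /var/www/iso); then
    echo "/var/www/iso carries context $ctx"
fi
if ! printf '%s\n' "$SAMPLE_MOUNTS" | mount_context_of /mnt/other >/dev/null; then
    echo "/mnt/other has no context= option; files keep the default label"
fi
```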