context mount options in FC5

Paul Howarth paul at city-fan.org
Mon Mar 27 13:51:41 UTC 2006


Stephen Smalley wrote:
> On Sun, 2006-03-26 at 09:48 +0100, Paul Howarth wrote:
>> The "context" and "fscontext" mount options no longer seem to be
>> supported by mount in FC5:
>>
>> # mount -r -o loop,fscontext=system_u:object_r:public_content_t /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd
>> mount: wrong fs type, bad option, bad superblock on /dev/loop1,
>>        missing codepage or other error
>>        In some cases useful info is found in syslog - try
>>        dmesg | tail  or so
>>
>> The same command fails in the same way with "fscontext" changed to
>> "context", but works if neither of those options is present. This leaves
>> me with the mounted DVD image having a context of iso9660_t, which is
>> reasonable but not what I want for serving out a local yum repository.
>>
>> So how can I get ISO images mounted with public_content_t in FC5?
>>
>> Or am I going to have to create a policy module to allow httpd, ftpd,
>> samba etc. to read iso9660_t?
> 
> Error message that I get in /var/log/messages is
> SELinux: security_context_to_sid(system_u:object_r:public_content_t)
> failed ... errno=-22 (EINVAL).
> 
> But if I add a ':s0' suffix to the context, it works.  So IIUC the
> problem here is that mount is directly passing the user-supplied context
> to the kernel without interacting with libselinux to translate it (via
> selinux_trans_to_raw_context).  Needs to be patched accordingly, and
> updated in FC5 as well as rawhide.

Thanks, that's fixed it. I assume it's safe to add the ":s0" to an fstab 
entry as that will pass through the libselinux translation transparently?

Paul.
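
An added example, not part of the original thread and not code from mount or libselinux: a small audit that flags fstab entries whose SELinux context options lack the level field that the kernel rejected above with EINVAL. It assumes an MLS/MCS-enabled policy (where a raw context needs a fourth field such as ":s0"); the sample fstab text and the function names are constructed for illustration.

```python
# SELinux context mount options documented in mount(8).
CONTEXT_OPTS = ("context", "fscontext", "defcontext", "rootcontext")

# Constructed sample input, not taken from any real system.
SAMPLE_FSTAB = """\
# constructed sample entries
/srv/iso/a.iso /srv/dvd-a iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
/srv/iso/b.iso /srv/dvd-b iso9660 ro,loop,context=system_u:object_r:public_content_t:s0 0 0
/dev/sdb1 /data ext3 defaults,context="system_u:object_r:public_content_t:s0:c0,c1" 0 0
"""

def split_options(opts):
    """Split a mount option string on commas, but not inside double quotes.
    Quoting is needed when a category set such as s0:c0,c1 contains a comma."""
    parts, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted          # toggle state, drop the quote itself
        elif ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p for p in parts if p]

def missing_level(context):
    """user:role:type has three fields; assumption: the loaded policy is
    MLS/MCS-enabled, so a raw context must carry a fourth (level) field."""
    return len(context.split(":")) < 4

def audit_fstab(text):
    """Return (line number, mount point, option, context) for each context
    option that would reach the kernel without a level field."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:              # not a complete fstab entry
            continue
        for opt in split_options(fields[3]):
            key, _, value = opt.partition("=")
            if key in CONTEXT_OPTS and missing_level(value):
                findings.append((lineno, fields[1], key, value))
    return findings

if __name__ == "__main__":
    for lineno, mnt, key, ctx in audit_fstab(SAMPLE_FSTAB):
        print(f"line {lineno}: {mnt}: {key}={ctx} has no level field")
```

On a policy without MLS/MCS a three-field context is valid, so findings only matter where the level field is required.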



