On 10/19/2012 12:13 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dan,
Thanks for including this into the base policy. How can we track the back port to RHEL6? And do you have a timeframe as to when it will get back ported to RHEL6?
Thanks, Anamitra
It will be in RHEL6.4
It is in selinux-policy-3.7.19-174.el6
Preview is available on
http://people.redhat.com/dwalsh/SELinux/noarch
On 10/19/12 3:45 AM, "Daniel J Walsh" dwalsh@redhat.com wrote:
On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Stephen,
Alternatively, can we set the filesystem type to start with, so that the initial label is not unlabeled_t? If so, where can we do this?
Thanks, Anamitra
On 10/18/12 12:44 PM, "Stephen Smalley" sds@tycho.nsa.gov wrote:
On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Stephen,
In the dmesg output we see the following selinux messages.
<snip>
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
I assume that dbcfs is the relevant filesystem? So you are using mountpoint labeling, i.e. passing context= to the mount command with a specific security context to use, and the policy doesn't know anything about this filesystem type. So its initial label is unlabeled_t, and by passing a context= option, you are triggering a relabelfrom check to see if the mount program is authorized to set the context. You can just allow it in your policy. Should have been present even in RHEL5, I think.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I just added
allow mount_t unlabeled_t:filesystem relabelfrom;
to Fedora 18. Having Miroslav back port to RHEL6 and RHEL5.