The "context" and "fscontext" mount options no longer seem to be supported by mount in FC5:
# mount -r -o loop,fscontext=system_u:object_r:public_content_t /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd
mount: wrong fs type, bad option, bad superblock on /dev/loop1,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail or so
The same command fails in the same way with "fscontext" changed to "context", but works if neither of those options is present. This leaves me with the mounted DVD image having a context of iso9660_t, which is reasonable but not what I want for serving out a local yum repository.
So how can I get ISO images mounted with public_content_t in FC5?
Or am I going to have to create a policy module to allow httpd, ftpd, samba etc. to read iso9660_t?
Paul.
On Sun, 2006-03-26 at 09:48 +0100, Paul Howarth wrote:
> The "context" and "fscontext" mount options no longer seem to be supported by mount in FC5:
> # mount -r -o loop,fscontext=system_u:object_r:public_content_t /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd
> mount: wrong fs type, bad option, bad superblock on /dev/loop1,
>        missing codepage or other error
>        In some cases useful info is found in syslog - try
>        dmesg | tail or so
> The same command fails in the same way with "fscontext" changed to "context", but works if neither of those options is present. This leaves me with the mounted DVD image having a context of iso9660_t, which is reasonable but not what I want for serving out a local yum repository.
> So how can I get ISO images mounted with public_content_t in FC5?
> Or am I going to have to create a policy module to allow httpd, ftpd, samba etc. to read iso9660_t?
Error message that I get in /var/log/messages is SELinux: security_context_to_sid(system_u:object_r:public_content_t) failed ... errno=-22 (EINVAL).
But if I add a ':s0' suffix to the context, it works. So IIUC the problem here is that mount is directly passing the user-supplied context to the kernel without interacting with libselinux to translate it (via selinux_trans_to_raw_context). Needs to be patched accordingly, and updated in FC5 as well as rawhide.
Stephen Smalley wrote:
> On Sun, 2006-03-26 at 09:48 +0100, Paul Howarth wrote:
>> The "context" and "fscontext" mount options no longer seem to be supported by mount in FC5:
>> # mount -r -o loop,fscontext=system_u:object_r:public_content_t /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd
>> mount: wrong fs type, bad option, bad superblock on /dev/loop1,
>>        missing codepage or other error
>>        In some cases useful info is found in syslog - try
>>        dmesg | tail or so
>> The same command fails in the same way with "fscontext" changed to "context", but works if neither of those options is present. This leaves me with the mounted DVD image having a context of iso9660_t, which is reasonable but not what I want for serving out a local yum repository.
>> So how can I get ISO images mounted with public_content_t in FC5?
>> Or am I going to have to create a policy module to allow httpd, ftpd, samba etc. to read iso9660_t?
> Error message that I get in /var/log/messages is SELinux: security_context_to_sid(system_u:object_r:public_content_t) failed ... errno=-22 (EINVAL).
> But if I add a ':s0' suffix to the context, it works. So IIUC the problem here is that mount is directly passing the user-supplied context to the kernel without interacting with libselinux to translate it (via selinux_trans_to_raw_context). Needs to be patched accordingly, and updated in FC5 as well as rawhide.
Thanks, that's fixed it. I assume it's safe to add the ":s0" to an fstab entry as that will pass through the libselinux translation transparently?
Paul.
On Mon, 2006-03-27 at 14:51 +0100, Paul Howarth wrote:
> Thanks, that's fixed it. I assume it's safe to add the ":s0" to an fstab entry as that will pass through the libselinux translation transparently?
Yes, if the user (or in this case, fstab file) specifies a MCS/MLS component in the raw format, then the translation library should leave it alone. But this does need to be fixed in mount, likely should be bugzilla'd.
Stephen Smalley wrote:
> On Mon, 2006-03-27 at 14:51 +0100, Paul Howarth wrote:
>> Thanks, that's fixed it. I assume it's safe to add the ":s0" to an fstab entry as that will pass through the libselinux translation transparently?
> Yes, if the user (or in this case, fstab file) specifies a MCS/MLS component in the raw format, then the translation library should leave it alone. But this does need to be fixed in mount, likely should be bugzilla'd.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186915
Paul
selinux@lists.fedoraproject.org
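
Added example (not part of the thread, and not code from mount or libselinux): an audit of fstab-style text that flags context=, fscontext=, defcontext= and rootcontext= options whose value has no MLS/MCS level field, the case that produced the EINVAL reported above, and suggests the raw ":s0" form used as the workaround in the thread. It assumes an MCS/MLS-enabled policy as in FC5; the function names are hypothetical, and the sample entries are constructed apart from the first entry's paths and context.

```python
import re

# Mount options that take an SELinux context (mount(8)).
CONTEXT_OPTS = ("context", "fscontext", "defcontext", "rootcontext")
# key=value pairs; a value may be double-quoted so that it can hold commas.
_OPT_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')

# Constructed sample; the first entry reuses the paths and context from the thread.
SAMPLE_FSTAB = """\
# device  mountpoint  type  options  dump  pass
/srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
/srv/iso/a.iso /srv/a iso9660 ro,loop,context=system_u:object_r:public_content_t:s0 0 0
/srv/iso/b.iso /srv/b iso9660 ro,loop,context="system_u:object_r:public_content_t:s0:c0,c1" 0 0
"""


def has_level(ctx):
    """True if ctx carries a raw level as its 4th field (user:role:type:level)."""
    parts = ctx.split(":", 3)
    return len(parts) == 4 and bool(parts[3])


def audit_fstab(text, default_level="s0"):
    """Return (lineno, option, context, suggestion) for each level-less context.

    Assumption: the loaded policy is MCS/MLS-enabled, so a three-field context
    is rejected by the kernel unless something translates it first.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        for key, value in _OPT_RE.findall(fields[3]):
            ctx = value.strip('"')
            if key in CONTEXT_OPTS and not has_level(ctx):
                findings.append((lineno, key, ctx, f"{ctx}:{default_level}"))
    return findings


if __name__ == "__main__":
    for lineno, key, ctx, fix in audit_fstab(SAMPLE_FSTAB):
        print(f"line {lineno}: {key}={ctx} has no level; try {key}={fix}")
```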