unlabeled_t types for files

Daniel J Walsh dwalsh at redhat.com
Fri Oct 19 17:17:48 UTC 2012



On 10/19/2012 12:13 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
> 
> Thanks for including this into the base policy. How can we track the
> backport to RHEL6? And do you have a timeframe as to when it will get
> backported to RHEL6?
> 
> Thanks, Anamitra
> 
It will be in RHEL6.4

It is in selinux-policy-3.7.19-174.el6

Preview is available on

http://people.redhat.com/dwalsh/SELinux/noarch

> On 10/19/12 3:45 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> 
> On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Stephen,
>>>> 
>>>> Alternatively can we set the filesystem type to start with? So that
>>>> the initial label is not unlabeled_t. If so where can we do this?
>>>> 
>>>> Thanks, Anamitra
>>>> 
>>>> On 10/18/12 12:44 PM, "Stephen Smalley" <sds at tycho.nsa.gov> wrote:
>>>> 
>>>>> On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>>> Hi Stephen,
>>>>>> 
>>>>>> In the dmesg output we see the following selinux messages.
>>>>>> 
>>>>> <snip>
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>>> 
>>>>> I assume that dbcfs is the relevant filesystem?  So you are using 
>>>>> mountpoint labeling, i.e. passing context= to the mount command
>>>>> with a specific security context to use, and the policy doesn't
>>>>> know anything about this filesystem type.  So its initial label is
>>>>> unlabeled_t, and by passing a context= option, you are triggering a
>>>>> relabelfrom check to see if the mount program is authorized to set
>>>>> the context.  You can just allow it in your policy.  Should have
>>>>> been present even in RHEL5, I think.
>>>>> 
>>>>> 
>>>> 
>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> 
> I just added
> 
> allow mount_t unlabeled_t:filesystem relabelfrom;
> 
> To Fedora 18. Having Miroslav back port to RHEL6 and RHEL5.
> 

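The check discussed in this thread, as an added example that is not part of the original messages or of the selinux-policy project: a small triage script that lists the filesystem types the kernel reports as using mountpoint labeling and derives the `relabelfrom` allow rule from matching AVC denials. The sample log is constructed (the AVC records are not from the poster's system), and the function names are hypothetical.

```python
import re

# Constructed sample input: kernel messages in the format quoted in the thread,
# plus constructed audit records (assumed, not taken from the poster's system).
SAMPLE_LOG = """\
SELinux: initialized (dev sda1, type ext4), uses xattr
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
type=AVC msg=audit(1350589000.123:42): avc:  denied  { relabelfrom } for  pid=1234 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=AVC msg=audit(1350589000.456:43): avc:  denied  { read } for  pid=1300 comm="cat" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

INIT_RE = re.compile(r"SELinux:\s+initialized \(dev (\S+), type (\S+)\), uses (.+)$")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def mountpoint_labeled(log):
    """Filesystem types mounted with context= (mountpoint labeling)."""
    found = set()
    for line in log.splitlines():
        m = INIT_RE.search(line)
        if m and m.group(3).strip() == "mountpoint labeling":
            found.add(m.group(2))
    return sorted(found)


def relabelfrom_rules(log):
    """Allow rules for denied relabelfrom checks on unlabeled_t filesystems."""
    rules = set()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, scon, tcon, tclass = m.groups()
        # Only the filesystem-class relabelfrom check is relevant here; file
        # accesses to unlabeled_t objects are a different problem.
        if (tclass == "filesystem" and "relabelfrom" in perms.split()
                and type_of(tcon) == "unlabeled_t"):
            rules.add(f"allow {type_of(scon)} unlabeled_t:filesystem relabelfrom;")
    return sorted(rules)


if __name__ == "__main__":
    print("mountpoint-labeled filesystem types:", mountpoint_labeled(SAMPLE_LOG))
    for rule in relabelfrom_rules(SAMPLE_LOG):
        print(rule)
```
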