Hi Dan,
Thanks for including this into the base policy.
How can we track the back port to RHEL6. And do you have a timeframe as to
when it will get back ported to RHEL6.
Thanks,
Anamitra
On 10/19/12 3:45 AM, "Daniel J Walsh" <dwalsh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Stephen,
>
> Alternatively can we set the filesystem type to start with? So that the
> initial label is not unlabeled_t. If so where can we do this?
>
> Thanks, Anamitra
>
> On 10/18/12 12:44 PM, "Stephen Smalley" <sds(a)tycho.nsa.gov> wrote:
>
>> On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> Hi Stephen,
>>>
>>> In the dmesg output we see the following selinux messages.
>>>
>> <snip>
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint
>>>labeling
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint
>>>labeling
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint
>>>labeling
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint
>>>labeling
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint
>>>labeling
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint
>>>labeling
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>
>> I assume that dbcfs is the relevant filesystem? So you are using
>> mountpoint labeling, i.e. passing context= to the mount command with a
>> specific security context to use, and the policy doesn't know anything
>> about this filesystem type. So its initial label is unlabeled_t, and
>>by
>> passing a context= option, you are triggering a relabelfrom check to
>>see
>> if the mount program is authorized to set the context. You can just
>> allow it in your policy. Should have been present even in RHEL5, I
>> think.
>>
>>
>
> -- selinux mailing list selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>
I just added
allow mount_t unlabeled_t:filesystem relabelfrom;
To Fedora 18. Having Miroslav back port to RHEL6 and RHEL5.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://www.enigmail.net/
iEYEARECAAYFAlCBL2cACgkQrlYvE4MpobOgTwCg6uHLbb2vAECUNzZ0w3cUXxOH
iyoAn2XTMuAGWk2rNVKo3eZgFXnT0U+H
=9LVr
-----END PGP SIGNATURE-----