On 10/28/2013 10:24 AM, Shintaro Fujiwara wrote:
If "file_t" is ok for a usb pen drive, good. I understand.
The fact is, one program made an SELinux error; its name is colord_t. The
error was that colord_t could not write to file_t or something...
"colord.te" may have "files_rw_all_files" ?
I don't know anything about colord, so I may be mistaken.
Maybe my question is really about colord_t not being able to write to file_t.
I thought the issue was whether the pen drive's lost+found directory was labeled lost_found_t,
but my impression now is that the problem is in colord_t.
2013/10/28 Daniel J Walsh <dwalsh(a)redhat.com>
On 10/26/2013 07:50 PM, Shintaro Fujiwara wrote:
> Hi, I have a question on lost_found_t.
> When I plug in my usb pen drive and issue this command,
> # mkfs -t ext4 /dev/sdb
> After successfully making the file system on the usb device, Fedora
> auto-detects the usb device and I find a lost+found directory in the
> device labeled file_t.
> I can use the pen drive alright, but isn't it good to label lost+found
> lost_found_t ?
> I made a local policy to label it, but I could not, although I could
> install the module itself and restorecon the directory.
> restorecon said,
> [root@localhost ~]# restorecon -rv /run/media
> restorecon: Warning no default label for /run/media/fujiwara
> restorecon: Warning no default label for /run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd
> restorecon: Warning no default label for
> Why is the lost+found directory in the usb pen drive not permitted to be labeled by
> Thanks in advance.
> -- selinux mailing list selinux(a)lists.fedoraproject.org
restorecon is basically saying that it has no idea what labels to use for
content under /run/media. file_t could very well be an ok label for this.
Well, file_t means the system has no labels. Usually you have a usb stick which
has a file system on it which supports labels, but no one put labels onto it.
Confined apps like colord are not allowed to look at file_t, since the kernel
has no idea what kind of content is there. But the bug here is with colord
trying to look at every file system that gets mounted on the system. We have
an open bug with it to stop doing this.
If the admin knows what kind of content is on the stick, it is up to him to
label it appropriately, or mount it with the appropriate label.
For example, if it contained apache content, you would either run
chcon system_u:object_r:httpd_sys_content_t:s0 /run/media/
or mount it using the context option:
mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/sd100 /run/media
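As an added example (not part of the thread, and not colord's or Fedora's code), a small POSIX shell audit that applies Dan's point from the defender's side: it reads constructed `ls -Zd` and `findmnt -rn -o TARGET,OPTIONS` style lines and reports removable-media content still labeled file_t, plus mounts under /run/media that were not given a context= option. The sample paths, the sample mount options and the function names are assumptions, so it runs without SELinux or a real USB stick.

```shell
#!/bin/sh
# Added example, not from the thread: audit removable media for file_t content,
# the "no labels on this filesystem" state described above. Input lines are
# constructed to resemble `ls -Zd` and `findmnt -rn -o TARGET,OPTIONS` output.

# Type field of an SELinux context (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines (ls -Zd style) on stdin; print paths labeled file_t.
find_file_t() {
    while read -r ctx path; do
        if [ "$(selinux_type "$ctx")" = "file_t" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Read "<target> <options>" lines (findmnt style) on stdin; print mounts under
# /run/media that were not mounted with an explicit context= option, i.e. that
# carry whatever labels (often none, hence file_t) are on the stick itself.
mounts_without_context() {
    while read -r target options; do
        case "$target" in
            /run/media/*)
                case ",$options," in
                    *,context=*) ;;                 # admin chose a label at mount time
                    *) printf '%s\n' "$target" ;;   # on-disk labels, possibly file_t
                esac
                ;;
        esac
    done
}

# Constructed sample data (hypothetical paths and options).
SAMPLE_LS='system_u:object_r:file_t:s0 /run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd/lost+found
system_u:object_r:httpd_sys_content_t:s0 /run/media/fujiwara/web/index.html
system_u:object_r:lost_found_t:s0 /lost+found'

SAMPLE_MOUNTS='/ rw,relatime,seclabel
/run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd rw,nosuid,nodev,relatime,seclabel
/run/media/fujiwara/web rw,nosuid,nodev,relatime,context=system_u:object_r:httpd_sys_content_t:s0'

# Run the audit on the samples.
audit_samples() {
    printf 'file_t content:\n'
    printf '%s\n' "$SAMPLE_LS" | find_file_t
    printf 'mounts under /run/media without context=:\n'
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_context
}
```

Against real systems the same functions can be fed `ls -Zd /run/media/*/*` and `findmnt -rn -o TARGET,OPTIONS` output; anything reported is a candidate for chcon or a context= remount as described above.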