I'm attempting to create the labeled mount point with the following command:
mount -t nfs -o context=system_u:object_r:import_file_t:s0 nas:/vol/home /home/SimulatedImport/output/home
The mount point is created without any errors, but the label that I specify in the mount command is not used. Instead of system_u:object_r:import_file_t, the context of the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0.
ls -dZ /home/SimulatedImport/output/home
drwxr-xr-x root root system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home
I'm running RHEL5 with a policy built as mls off of the targeted policy.
Does anyone know why the context label is not taking?
Thanks
On Mon, 2007-04-30 at 17:37 -0700, Clarkson, Mike R (US SSA) wrote:
> I’m attempting to create the labeled mount point with the following command:
> mount -t nfs -o context=system_u:object_r:import_file_t:s0 nas:/vol/home /home/SimulatedImport/output/home
> The mount point is created without any errors, but the label that I specify in the mount command is not used. Instead of system_u:object_r:import_file_t, the context of the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0.
> ls -dZ /home/SimulatedImport/output/home
> drwxr-xr-x root root system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home
> I’m running RHEL5 with a policy built as mls off of the targeted policy.
> Does anyone know why the context label is not taking?
Do you already have the same filesystem mounted elsewhere? What versions of kernel and nfs-utils do you have?
The kernel version is 2.6.18-8.1.1.el5, and the version of nfs-utils is 1:1.0.9-16.el5.
I do already have the same file system automounted elsewhere. Is that causing the problem?
By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Tuesday, May 01, 2007 7:30 AM
To: Clarkson, Mike R (US SSA)
Cc: fedora-selinux-list@redhat.com; Daniel J Walsh; Eric Paris
Subject: Re: mount point labels
On Mon, 2007-04-30 at 17:37 -0700, Clarkson, Mike R (US SSA) wrote:
> I'm attempting to create the labeled mount point with the following command:
> mount -t nfs -o context=system_u:object_r:import_file_t:s0 nas:/vol/home /home/SimulatedImport/output/home
> The mount point is created without any errors, but the label that I specify in the mount command is not used. Instead of system_u:object_r:import_file_t, the context of the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0.
> ls -dZ /home/SimulatedImport/output/home
> drwxr-xr-x root root system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home
> I'm running RHEL5 with a policy built as mls off of the targeted policy.
> Does anyone know why the context label is not taking?
Do you already have the same filesystem mounted elsewhere? What versions of kernel and nfs-utils do you have?
On Tue, 2007-05-01 at 09:20 -0700, Clarkson, Mike R (US SSA) wrote:
> The kernel version is 2.6.18-8.1.1.el5, and the version of nfs-utils is 1:1.0.9-16.el5.
> I do already have the same file system automounted elsewhere. Is that causing the problem?
Yes, the context= mount must be applied on the first mount of the filesystem or it has no effect.
> By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?
You can specify mount options in your automounter maps (like auto.master), so you should be able to specify a context= option there too. I haven't specifically tried it though.
On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote:
> > By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?
> You can specify mount options in your automounter maps (like auto.master), so you should be able to specify a context= option there too. I haven't specifically tried it though.
I cannot get this to work in RHEL5. It complains if I have it in auto.master (syntax error), so I tried to place an entry in auto.misc (for /misc). It will mount, but not with the context that I specified. The logs mention that it is using genfs_contexts.
Looking at the mounts, I see that the options for the autofs mount point include: context=""
So, the options are not getting passed to the mount command, or are being overridden by automount. Any other ideas?
Forrest
On Tue, 2007-05-01 at 14:34 -0600, Forrest Taylor wrote:
> On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote:
> > > By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?
> > You can specify mount options in your automounter maps (like auto.master), so you should be able to specify a context= option there too. I haven't specifically tried it though.
> I cannot get this to work in RHEL5. It complains if I have it in auto.master (syntax error), so I tried to place an entry in auto.misc (for /misc). It will mount, but not with the context that I specified. The logs mention that it is using genfs_contexts.
> Looking at the mounts, I see that the options for the autofs mount point include: context=""
> So, the options are not getting passed to the mount command, or are being overridden by automount. Any other ideas?
File a bug against autofs?
On Wed, 2007-05-02 at 07:29 -0400, Stephen Smalley wrote:
> On Tue, 2007-05-01 at 14:34 -0600, Forrest Taylor wrote:
> > On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote:
> > > > By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?
> > > You can specify mount options in your automounter maps (like auto.master), so you should be able to specify a context= option there too. I haven't specifically tried it though.
> > I cannot get this to work in RHEL5. It complains if I have it in auto.master (syntax error), so I tried to place an entry in auto.misc (for /misc). It will mount, but not with the context that I specified. The logs mention that it is using genfs_contexts.
> > Looking at the mounts, I see that the options for the autofs mount point include: context=""
> > So, the options are not getting passed to the mount command, or are being overridden by automount. Any other ideas?
> File a bug against autofs?
The man page for auto.master says that any remaining command line arguments without leading dashes after the map name are taken as options (-o) to mount. So it seems like a bug if it doesn't pass through the context= option properly.
On Wed, 2007-05-02 at 08:19 -0400, Stephen Smalley wrote:
> On Wed, 2007-05-02 at 07:29 -0400, Stephen Smalley wrote:
> > On Tue, 2007-05-01 at 14:34 -0600, Forrest Taylor wrote:
> > > On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote:
> > > > > By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?
> > > > You can specify mount options in your automounter maps (like auto.master), so you should be able to specify a context= option there too. I haven't specifically tried it though.
> > > I cannot get this to work in RHEL5. It complains if I have it in auto.master (syntax error), so I tried to place an entry in auto.misc (for /misc). It will mount, but not with the context that I specified. The logs mention that it is using genfs_contexts.
> > > Looking at the mounts, I see that the options for the autofs mount point include: context=""
> > > So, the options are not getting passed to the mount command, or are being overridden by automount. Any other ideas?
> > File a bug against autofs?
> The man page for auto.master says that any remaining command line arguments without leading dashes after the map name are taken as options (-o) to mount. So it seems like a bug if it doesn't pass through the context= option properly.
Anyone know if this got fixed in RHEL?
selinux@lists.fedoraproject.org
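
Added example, not part of the original thread: a shell check for the condition raised in the replies above, that a context= option only takes effect on the first mount of a filesystem. It assumes the mounts table passed in lists context= among the options; the function name, sample table, mount points and address are constructed for illustration.

```shell
#!/bin/sh
# classify_context_mount SOURCE WANTED_CONTEXT [MOUNTS_FILE]
# Prints one of:
#   first-mount      SOURCE is not mounted yet; context= can be applied
#   already-labeled  every existing mount of SOURCE carries WANTED_CONTEXT
#   conflict         SOURCE is already mounted without WANTED_CONTEXT, so a
#                    further context= mount has no effect (per the thread)
# Assumption: MOUNTS_FILE (fstab-style columns) shows context= in column 4.
# Limitation: MLS ranges containing commas (s0:c0,c1) are not parsed.
classify_context_mount() {
    src=$1; want=$2; table=${3:-/proc/mounts}
    awk -v src="$src" -v want="$want" '
        $1 == src {
            seen++
            ctx = ""
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^context=/) {
                    ctx = substr(opt[i], 9)   # text after "context="
                    gsub(/"/, "", ctx)        # value may be quoted
                }
            if (ctx != want) bad++
        }
        END {
            if (!seen)    print "first-mount"
            else if (bad) print "conflict"
            else          print "already-labeled"
        }' "$table"
}

# Constructed sample table: mount points and address are illustrative only.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext3 rw 0 0
nas:/vol/home /net/home nfs rw,addr=192.0.2.10 0 0
nas:/vol/data /mnt/data nfs rw,context="system_u:object_r:import_file_t:s0",addr=192.0.2.10 0 0
EOF
WANT=system_u:object_r:import_file_t:s0

for s in nas:/vol/home nas:/vol/data nas:/vol/scratch; do
    printf '%s: %s\n' "$s" "$(classify_context_mount "$s" "$WANT" "$SAMPLE")"
done
```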