SELinux - copying ISO file content
Jerry Vonau
jvonau at shaw.ca
Mon Oct 6 20:17:34 UTC 2008
Daniel J Walsh wrote:
> Jon Masters wrote:
>> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
>>
>>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
>>>>
>>>> And then one might legitimately expect to be able to copy the content
>>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
>>>> suppose that one is running SELinux in enforcing mode, then this will
>>>> fail because the contexts differ in this operation. Then, one will
>>>> likely quickly become severely annoyed and frustrated with SELinux,
>>>> simply setting it permissive for the duration of the operation...
I've seen this...
>>> Why would the copy fail? cp should just work and set the files to the
>>> context of the destination directory. If this fails it is a bug.
>> Ok, so there's a bug there then. Copying files from within an ISO image
>> was kind of the last straw in my willingness to keep SELinux enabled. It
>> hinders me at almost every turn from doing useful things with a Linux
>> desktop - I'm constantly amazed that Fedora persists in defaulting it
>> enabled, but that's a whole other rant.
>>
>> Jon.
>>
> What avc messages I should say?
>
Here is a sample:
################
Summary:
SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem.
Detailed Description:
SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination.
Allowing Access:
Use a command like "cp -P" to preserve all permissions except SELinux context.
Additional Information:
Source Context system_u:object_r:iso9660_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects fedora.css [ filesystem ]
Source cp
Source Path /bin/cp
Port <Unknown>
Host schoolserver
Source RPM Packages coreutils-6.10-30.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name filesystem_associate
Host Name schoolserver
Platform Linux schoolserver 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count 21
First Seen Fri 12 Sep 2008 07:27:12 PM CDT
Last Seen Fri 12 Sep 2008 11:18:01 PM CDT
Local ID 90f4d968-0a9b-42df-9982-fd0bdf284859
Line Numbers
Raw Audit Messages
host=schoolserver type=AVC msg=audit(1221279481.164:576): avc: denied { associate } for pid=12289 comm="cp" name="fedora.css" dev=dm-0 ino=1835383 scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=schoolserver type=SYSCALL msg=audit(1221279481.164:576): arch=40000003 syscall=228 success=no exit=-13 a0=4 a1=df435d a2=9d566f0 a3=1f items=0 ppid=12279 pid=12289 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
#######
Hope it helps,
Jerry
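The denial in Jerry's report is a filesystem "associate" check: cp, having created fedora.css on the r/w filesystem (fs_t), tries to label it with the source's type iso9660_t, and the policy refuses to let that type live on that filesystem. The SYSCALL record matches: on i386, syscall 228 is fsetxattr (cp setting security.selinux on the new file) and exit=-13 is EACCES. The script below is an added example, not code from the thread, from setroubleshoot or from coreutils. It assumes GNU coreutils cp and a POSIX awk and sed; the AVC record it parses is the one from the report above, embedded so the script runs offline. It pulls the permission, object class and the two type components out of the raw record, recognises the filesystem/associate pattern, and copies a tree with an explicit --preserve list that omits the SELinux context, so every new file takes the default context of the destination directory rather than iso9660_t.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial and copy a tree without
# carrying the source filesystem's SELinux type across. Assumes GNU cp
# and POSIX awk/sed. SAMPLE_AVC is the record from the report above.

SAMPLE_AVC='host=schoolserver type=AVC msg=audit(1221279481.164:576): avc: denied { associate } for pid=12289 comm="cp" name="fedora.css" dev=dm-0 ino=1835383 scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field RECORD KEY: print the value of the KEY=VALUE token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_permission RECORD: print the permission set inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//; s/ *$//'
}

# context_type CONTEXT: the type component (user:role:TYPE:level) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc RECORD: "associate-denied:SRCTYPE->DSTTYPE" when the record is
# a filesystem associate denial (a file type being carried onto a filesystem
# whose policy does not allow it), "other" for any other denial.
classify_avc() {
    perm=$(avc_permission "$1")
    tclass=$(avc_field "$1" tclass)
    if [ "$tclass" = filesystem ] && [ "$perm" = associate ]; then
        printf 'associate-denied:%s->%s\n' \
            "$(context_type "$(avc_field "$1" scontext)")" \
            "$(context_type "$(avc_field "$1" tcontext)")"
    else
        echo other
    fi
}

# copy_tree SRC DST: recursive copy keeping symlinks, mode, ownership and
# timestamps, but with an explicit --preserve list that leaves out the
# SELinux context, so each new file is labelled by the destination's
# default context instead of the source type.
copy_tree() {
    cp -dR --preserve=mode,ownership,timestamps "$1"/. "$2"/
}
```

Running classify_avc on the record above yields associate-denied:iso9660_t->fs_t, which is the signature to look for in audit.log before reaching for setenforce 0. After copy_tree, ls -Z on the destination should show the directory's default type rather than iso9660_t.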