context mount options in FC5
Stephen Smalley
sds at tycho.nsa.gov
Mon Mar 27 13:47:45 UTC 2006
On Sun, 2006-03-26 at 09:48 +0100, Paul Howarth wrote:
> The "context" and "fscontext" mount options no longer seem to be
> supported by mount in FC5:
>
> # mount -r -o loop,fscontext=system_u:object_r:public_content_t /srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd
> mount: wrong fs type, bad option, bad superblock on /dev/loop1,
> missing codepage or other error
> In some cases useful info is found in syslog - try
> dmesg | tail or so
>
> The same command fails in the same way with "fscontext" changed to
> "context", but works if neither of those options is present. This leaves
> me with the mounted DVD image having a context of iso9660_t, which is
> reasonable but not what I want for serving out a local yum repository.
>
> So how can I get ISO images mounted with public_content_t in FC5?
>
> Or am I going to have to create a policy module to allow httpd, ftpd,
> samba etc. to read iso9660_t?
Error message that I get in /var/log/messages is
SELinux: security_context_to_sid(system_u:object_r:public_content_t)
failed ... errno=-22 (EINVAL).
But if I add a ':s0' suffix to the context, it works. So IIUC the
problem here is that mount is directly passing the user-supplied context
to the kernel without interacting with libselinux to translate it (via
selinux_trans_to_raw_context). Needs to be patched accordingly, and
updated in FC5 as well as rawhide.
--
Stephen Smalley
National Security Agency
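
The translation step the message says mount is missing, sketched as an added example (not code from mount, util-linux or libselinux, and not part of the original message). `fix_mount_opts`, `standin_trans` and `trans_fn` are hypothetical names; the stand-in translator only reproduces the ':s0' workaround from the message, and a real fix would pass `selinux_trans_to_raw_context` instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as libselinux's selinux_trans_to_raw_context(): 0 on success. */
typedef int (*trans_fn)(const char *in, char **raw);

/* Stand-in translator (assumption): add ":s0" when the level field is missing. */
int standin_trans(const char *in, char **raw)
{
    size_t n = strlen(in) + 4;           /* room for ":s0" and NUL */
    int colons = 0;
    for (const char *p = in; *p; p++)
        colons += (*p == ':');
    if (colons < 2 || !(*raw = malloc(n)))
        return -1;                       /* not user:role:type, or no memory */
    snprintf(*raw, n, "%s%s", in, colons == 2 ? ":s0" : "");
    return 0;
}

/* The two options named in the thread. */
static const char *ctx_keys[] = { "context=", "fscontext=", NULL };

/* Returns a malloc'd copy of opts with each context value translated, or NULL
 * on failure. Assumes unquoted values with no embedded commas. */
char *fix_mount_opts(const char *opts, trans_fn trans)
{
    char *out = calloc(1, 1);
    while (out && *opts) {
        size_t tlen = strcspn(opts, ","), klen = 0;
        for (int i = 0; ctx_keys[i]; i++)
            if (strncmp(opts, ctx_keys[i], strlen(ctx_keys[i])) == 0)
                klen = strlen(ctx_keys[i]);
        char *raw = NULL, *val = klen ? calloc(1, tlen - klen + 1) : NULL;
        if (klen) {                      /* translate the value after "key=" */
            if (val) memcpy(val, opts + klen, tlen - klen);
            int rc = val ? trans(val, &raw) : -1;
            free(val);
            if (rc != 0) { free(out); return NULL; }
        }
        char *grown = realloc(out, strlen(out) + tlen + (raw ? strlen(raw) : 0) + 2);
        if (!grown) { free(raw); free(out); return NULL; }
        out = grown;
        if (*out) strcat(out, ",");
        strncat(out, opts, klen ? klen : tlen);   /* key, or the whole option */
        if (raw) strcat(out, raw);
        free(raw);
        opts += tlen + (opts[tlen] == ',');
    }
    return out;
}
```

Rejecting the whole option string when a context fails to translate keeps the failure in user space with a clear cause, instead of the generic "wrong fs type, bad option" error after the kernel returns EINVAL.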