unlabeled_t types for files

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Fri Oct 19 16:13:34 UTC 2012


Hi Dan,

Thanks for including this into the base policy.
How can we track the back port to RHEL6? And do you have a timeframe as to
when it will get back ported to RHEL6?

Thanks,
Anamitra

On 10/19/12 3:45 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:

>On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Stephen,
>> 
>> Alternatively can we set the filesystem type to start with? So that the
>> initial label is not unlabeled_t. If so where can we do this?
>> 
>> Thanks, Anamitra
>> 
>> On 10/18/12 12:44 PM, "Stephen Smalley" <sds at tycho.nsa.gov> wrote:
>> 
>>> On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Stephen,
>>>> 
>>>> In the dmesg output we see the following selinux messages.
>>>> 
>>> <snip>
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>>> 
>>> I assume that dbcfs is the relevant filesystem?  So you are using
>>> mountpoint labeling, i.e. passing context= to the mount command with a
>>> specific security context to use, and the policy doesn't know anything
>>> about this filesystem type.  So its initial label is unlabeled_t, and by
>>> passing a context= option, you are triggering a relabelfrom check to see
>>> if the mount program is authorized to set the context.  You can just
>>> allow it in your policy.  Should have been present even in RHEL5, I
>>> think.
>>> 
>>> 
>> 
>I just added
>
>allow mount_t unlabeled_t:filesystem relabelfrom;
>
>To Fedora 18. Having Miroslav back port to RHEL6 and RHEL5.


