Labeling "lost_found_t" to the usb pen drive

Daniel J Walsh dwalsh at redhat.com
Mon Oct 28 14:50:47 UTC 2013



On 10/28/2013 10:24 AM, Shintaro Fujiwara wrote:
> Thank you.
> 
> If the "file_t" is ok for usb pen drive, good. I understand.
> 
> The fact is, one program made an SELinux error, it's name is colord_t. The
> error was colord_t could not write to file_t or something...
> 
> 
> "colord.te" may have "files_rw_all_files" ?
> 
> 
> I don't know anything on colord so I may be mistaken.
> 
> 
> Maybe my question is on colord_t cannot write to file_t.
> 
> I thought if the pen drive's lost+found directory was labeled lost_found_t,
> but my impression now is this is the problem on colord_t.
> 
> 
> 
> 
> 2013/10/28 Daniel J Walsh <dwalsh at redhat.com>
> 
> On 10/26/2013 07:50 PM, Shintaro Fujiwara wrote:
>> Hi, I have a question on lost_found_t.
> 
>> When I plug up my usb pen drive and issue this command,
> 
>> # mkfs -t ext4 /dev/sdb
> 
>> After succeeding making file system in the usb device, Fedora
>> auto-detects the usb device and I found lost+found directory in the
>> device labeled file_t.
> 
>> I can use pen drive alright, but isn't it good to label lost+found 
>> lost_found_t ?
> 
>> I made a local policy to label it, but I could not, although I could 
>> install module itself and restorecon the directory.
> 
>> restorecon said,
> 
>> [root at localhost ~]# restorecon -rv /run/media
>> restorecon:  Warning no default label for /run/media/fujiwara
>> restorecon:  Warning no default label for /run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd
>> restorecon:  Warning no default label for /run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd/lost+found
> 
>> Why lost+found directory in the usb pen drive not permitted to label by 
>> default?
> 
>> Thanks in advance.
> 
> 
>> -- selinux mailing list selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> restorecon is basically saying that it has no idea what labels to use for
> content under /run/media.  file_t could very well be an ok label for this.
> 
> 
> 
> 
> -- http://intrajp.no-ip.com/ Home Page
> 
> 
> 

Well, file_t means the system has no labels. Usually you have a usb stick which
has a file system on it which supports labels, but no one put labels onto it.

Confined apps like colord are not allowed to look at file_t, since the kernel
has no idea what kind of content is there.  But the bug here is with colord
trying to look at every file system that gets mounted on the system.  We have
an open bug with it to stop doing this.

If the admin knows what kind of content is on the stick, it is up to him to
label it appropriately, or mount it with the appropriate label.

For example, if it contained apache content you would either run
chcon system_u:object_r:httpd_sys_content_t:s0 /run/media/

Or mount it using the context option

mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/sd100 /run/media

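An added example, not part of the thread above: a small POSIX shell audit that finds entries on a mounted stick still carrying the file_t type (the never-labeled state Dan describes, which confined domains such as colord_t are not allowed to read) and prints the two remedies from his reply as ready-to-run commands. The device, mount point, target type and the sample find output are constructed placeholders; the live scan assumes GNU find built with SELinux support.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Audits a mount point for
# entries whose SELinux type is file_t (never labeled) and prints the relabel
# or context-mount command an admin can apply instead of leaving them as is.
# Device, mount point and target type below are constructed placeholders.

# Print the path of every entry whose SELinux type is file_t or unlabeled_t.
# Input lines look like "<user>:<role>:<type>:<level> <path>", which is what
# `find MOUNTPOINT -printf '%Z %p\n'` prints on an SELinux-enabled system.
unlabeled_paths() {
    while read -r ctx path; do
        case "$(printf '%s' "$ctx" | cut -d: -f3)" in
            file_t|unlabeled_t) printf '%s\n' "$path" ;;
        esac
    done
}

# Live variant: scan a real mount point (assumes GNU find with SELinux support).
scan_mount() {
    find "$1" -printf '%Z %p\n' | unlabeled_paths
}

# The two remedies from the reply, rendered for a chosen type: relabel in
# place (here recursively, with -R), or mount with the context= option so
# every file on the device gets that context without touching the disk.
relabel_cmd() {
    printf 'chcon -R system_u:object_r:%s:s0 %s\n' "$2" "$1"
}
context_mount_cmd() {
    printf 'mount -o context=system_u:object_r:%s:s0 %s %s\n' "$3" "$1" "$2"
}

# Constructed sample of what the find command above would print for a freshly
# formatted stick on which only one file has ever been labeled.
SAMPLE='system_u:object_r:file_t:s0 /run/media/user/STICK/lost+found
unconfined_u:object_r:user_home_t:s0 /run/media/user/STICK/notes.txt
system_u:object_r:file_t:s0 /run/media/user/STICK/photo.jpg'

# Number of unlabeled entries in the constructed sample.
sample_unlabeled_count() {
    printf '%s\n' "$SAMPLE" | unlabeled_paths | wc -l | tr -d ' '
}

if [ "$(sample_unlabeled_count)" -gt 0 ]; then
    printf 'unlabeled entries found; consider one of:\n'
    relabel_cmd /run/media/user/STICK httpd_sys_content_t
    context_mount_cmd /dev/sdb1 /run/media/user/STICK httpd_sys_content_t
fi
```

On a real system, replace the constructed sample with `scan_mount /run/media/<user>/<stick>` and pick the type that matches the content actually stored on the device.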


