Daniel J Walsh wrote:
Jon Masters wrote:
On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
$ mount -o loop Fedora-9-i386-DVD.iso /mnt
And then one might legitimately expect to be able to copy the content
of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
suppose that one is running SELinux in enforcing mode, then this will
fail because the contexts differ in this operation. Then, one will
likely quickly become severely annoyed and frustrated with SELinux,
simply setting it permissive for the duration of the operation...
I've seen this...
Why would the copy fail? cp should just work and set the files to the
context of the destination directory. If this fails it is a bug.
Ok, so there's a bug there then. Copying files from within an ISO image
was kind of the last straw in my willingness to keep SELinux enabled. It
hinders me at almost every turn from doing useful things with a Linux
desktop - I'm constantly amazed that Fedora persists in defaulting it
enabled, but that's a whole other rant.
Jon.
What avc messages I should say?
Here is a sample:
################
Summary:
SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem.
Detailed Description:
SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination.
Allowing Access:
Use a command like "cp -P" to preserve all permissions except SELinux context.
Additional Information:
Source Context                system_u:object_r:iso9660_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                fedora.css [ filesystem ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          schoolserver
Source RPM Packages           coreutils-6.10-30.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     schoolserver
Platform                      Linux schoolserver 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   21
First Seen                    Fri 12 Sep 2008 07:27:12 PM CDT
Last Seen                     Fri 12 Sep 2008 11:18:01 PM CDT
Local ID                      90f4d968-0a9b-42df-9982-fd0bdf284859
Line Numbers
Raw Audit Messages
host=schoolserver type=AVC msg=audit(1221279481.164:576): avc: denied { associate } for pid=12289 comm="cp" name="fedora.css" dev=dm-0 ino=1835383 scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=schoolserver type=SYSCALL msg=audit(1221279481.164:576): arch=40000003 syscall=228 success=no exit=-13 a0=4 a1=df435d a2=9d566f0 a3=1f items=0 ppid=12279 pid=12289 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
#######
Hope it helps,
Jerry
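A small parser for raw AVC records of the kind Jerry posted, added here as an example rather than taken from the thread: it picks out the "associate" denials (tclass=filesystem) and reports which file type was refused on which filesystem type, so an operator can tell that the copy is preserving a label the destination filesystem does not accept. The audit lines embedded in it are constructed from the record above plus one unrelated denial that must not be flagged.

```python
import re

# Constructed sample audit lines, modelled on the record in the thread.
SAMPLE_AUDIT = [
    'host=schoolserver type=AVC msg=audit(1221279481.164:576): avc: denied '
    '{ associate } for pid=12289 comm="cp" name="fedora.css" dev=dm-0 '
    'ino=1835383 scontext=system_u:object_r:iso9660_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'host=schoolserver type=SYSCALL msg=audit(1221279481.164:576): '
    'arch=40000003 syscall=228 success=no exit=-13 comm="cp" exe="/bin/cp"',
    # An unrelated file-read denial that must not be reported as an associate problem.
    'type=AVC msg=audit(1221279500.001:577): avc: denied { read } for '
    'pid=1 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

# "avc:  denied  { perm1 perm2 } for key=value ..." (audit.log uses double spaces)
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for '
    r'(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field (third component) of an SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields

def associate_denials(lines):
    """Yield (process, file, source_type, fs_type) for each filesystem
    'associate' denial, i.e. a file label the target filesystem refuses."""
    for line in lines:
        avc = parse_avc(line)
        if avc and avc.get('tclass') == 'filesystem' and 'associate' in avc['perms']:
            yield (avc.get('comm'), avc.get('name'),
                   type_of(avc['scontext']), type_of(avc['tcontext']))

if __name__ == '__main__':
    for comm, name, src, fs in associate_denials(SAMPLE_AUDIT):
        print(f'{comm} tried to put a {src} label on {name} in a {fs} '
              f'filesystem; copy without preserving the SELinux context.')
```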
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list