Hi Stephen,

Alternatively can we set the filesystem type to start with? So that the initial label is not unlabeled_t. If so where can we do this?

Thanks,
Anamitra

On 10/18/12 12:44 PM, "Stephen Smalley" <sds@xxxxxxxxxxxxx> wrote:

>On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Stephen,
>>
>> In the dmesg output we see the following selinux messages.
>>
><snip>
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>
>I assume that dbcfs is the relevant filesystem? So you are using
>mountpoint labeling, i.e. passing context= to the mount command with a
>specific security context to use, and the policy doesn't know anything
>about this filesystem type. So its initial label is unlabeled_t, and by
>passing a context= option, you are triggering a relabelfrom check to see
>if the mount program is authorized to set the context. You can just
>allow it in your policy. Should have been present even in RHEL5, I think.
>
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
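
An added example, not part of the original thread and not SELinux project code: a Python script that reads kernel log text, counts the filesystem types reported as using mountpoint labeling, and turns `filesystem` relabel denials into candidate allow rules for review. The AVC line, the `mount_t` domain, the `ext3` line and the function names are constructed assumptions; only the `dbcfs` lines come from the thread.

```python
import re
from collections import Counter

# Constructed sample: the dbcfs lines follow the thread; the ext3 line and the
# AVC denial (including the mount_t domain) are hypothetical illustrations.
SAMPLE_LOG = """\
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev sda1, type ext3), uses xattr
type=AVC msg=audit(0.0:0): avc:  denied  { relabelfrom } for  pid=100 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
"""

INIT_RE = re.compile(r"SELinux:\s+initialized \(dev (\S+), type (\S+)\), (.+)$")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def mountpoint_labeled(log):
    """Count filesystem types the kernel reports as labeled via context=."""
    counts = Counter()
    for line in log.splitlines():
        m = INIT_RE.search(line)
        if m and m.group(3).strip() == "uses mountpoint labeling":
            counts[m.group(2)] += 1
    return counts

def relabel_rules(log):
    """Turn filesystem relabel denials into candidate allow rules to review."""
    rules = set()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(4) != "filesystem":
            continue
        perms = [p for p in m.group(1).split() if p in ("relabelfrom", "relabelto")]
        if perms:
            src = m.group(2).split(":")[2]  # type field of user:role:type[:level]
            tgt = m.group(3).split(":")[2]
            rules.add("allow %s %s:filesystem { %s };" % (src, tgt, " ".join(perms)))
    return sorted(rules)

if __name__ == "__main__":
    print(dict(mountpoint_labeled(SAMPLE_LOG)))
    for rule in relabel_rules(SAMPLE_LOG):
        print(rule)
```

Each emitted rule is a candidate for a local policy module; check the source domain and target type against the actual denial before loading it.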