Re: unlabeled_t types for files

On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Stephen,
> 
> Alternatively can we set the filesystem type to start with? So that the 
> initial label is not unlabeled_t. If so where can we do this?
> 
> Thanks, Anamitra
> 
> On 10/18/12 12:44 PM, "Stephen Smalley" <sds@xxxxxxxxxxxxx> wrote:
> 
>> On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> Hi Stephen,
>>> 
>>> In the dmesg output we see the following selinux messages.
>>> 
>> <snip>
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling 
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling 
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling 
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling 
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling 
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling 
>>> SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
>> 
>> I assume that dbcfs is the relevant filesystem?  So you are using 
>> mountpoint labeling, i.e. passing context= to the mount command with a 
>> specific security context to use, and the policy doesn't know anything 
>> about this filesystem type.  So its initial label is unlabeled_t, and by 
>> passing a context= option, you are triggering a relabelfrom check to see 
>> if the mount program is authorized to set the context.  You can just 
>> allow it in your policy.  Should have been present even in RHEL5, I
>> think.
>> 
>> 
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
I just added

allow mount_t unlabeled_t:filesystem relabelfrom;

to Fedora 18. Having Miroslav backport to RHEL6 and RHEL5.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
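
To find which mounts fall into the case described in the thread (a filesystem type the policy does not know, mounted with context=), the "SELinux: initialized" lines in dmesg can be grouped by labeling behavior. This is an added example, not part of the original messages; the function names are hypothetical and every sample line except the dbcfs one is constructed.

```python
import re
from collections import Counter

# Kernel message format quoted in the thread:
#   SELinux: initialized (dev <dev>, type <fstype>), <labeling behavior>
INIT_RE = re.compile(
    r"SELinux:\s+initialized \(dev (?P<dev>[^,]+), type (?P<fstype>[^)]+)\), "
    r"(?P<behavior>.+?)\s*$"
)

# Behavior string the kernel prints when context= was passed to mount.
MOUNTPOINT = "uses mountpoint labeling"

# Constructed sample input. Only the dbcfs line comes from the thread; the
# other lines and the timestamp prefix are made up for illustration.
SAMPLE_DMESG = """\
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
[   12.345678] SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""


def parse_selinux_mounts(text):
    """Count (dev, fstype, behavior) tuples; non-matching lines are ignored."""
    seen = Counter()
    for line in text.splitlines():
        # search() rather than match() so timestamps or quote markers in
        # front of the message do not hide it.
        m = INIT_RE.search(line)
        if m:
            seen[(m["dev"], m["fstype"], m["behavior"])] += 1
    return seen


def context_mounted_types(text):
    """Filesystem types mounted with context=, i.e. the mounts for which
    mount_t needs relabelfrom on the filesystem's initial label."""
    return sorted({fs for (_, fs, b) in parse_selinux_mounts(text) if b == MOUNTPOINT})


if __name__ == "__main__":
    for (dev, fstype, behavior), n in sorted(parse_selinux_mounts(SAMPLE_DMESG).items()):
        print(f"{n:3d}x dev={dev} type={fstype}: {behavior}")
    print("context= mounts:", ", ".join(context_mounted_types(SAMPLE_DMESG)))
```

On a live system the input would be the output of dmesg rather than SAMPLE_DMESG.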


