On 10/28/2013 10:24 AM, Shintaro Fujiwara wrote:
> Thank you.
>
> If "file_t" is OK for a USB pen drive, good. I understand.
>
> The fact is, one program produced an SELinux error; its name is colord_t. The
> error was that colord_t could not write to file_t or something...
>
> "colord.te" may have "files_rw_all_files"?
>
> I don't know anything about colord, so I may be mistaken.
>
> Maybe my question is about colord_t not being able to write to file_t.
>
> I thought it was a matter of whether the pen drive's lost+found directory was
> labeled lost_found_t, but my impression now is that this is a problem with colord_t.
>
> 2013/10/28 Daniel J Walsh <dwalsh@xxxxxxxxxx>
>
>> On 10/26/2013 07:50 PM, Shintaro Fujiwara wrote:
>>> Hi, I have a question on lost_found_t.
>>>
>>> When I plug in my USB pen drive and issue this command,
>>>
>>> # mkfs -t ext4 /dev/sdb
>>>
>>> after successfully making the file system on the USB device, Fedora
>>> auto-detects the USB device and I find a lost+found directory on the
>>> device labeled file_t.
>>>
>>> I can use the pen drive all right, but wouldn't it be good to label lost+found
>>> lost_found_t?
>>>
>>> I made a local policy to label it, but I could not, although I could
>>> install the module itself and restorecon the directory.
>>>
>>> restorecon said:
>>>
>>> [root@localhost ~]# restorecon -rv /run/media
>>> restorecon: Warning no default label for /run/media/fujiwara
>>> restorecon: Warning no default label for /run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd
>>> restorecon: Warning no default label for /run/media/fujiwara/64d4a696-14af-46fb-bcd1-1762f1f688bd/lost+found
>>>
>>> Why is the lost+found directory on the USB pen drive not permitted to be labeled by
>>> default?
>>>
>>> Thanks in advance.
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> restorecon is basically saying that it has no idea what labels to use for
>> content under /run/media. file_t could very well be an OK label for this.
>
> --
> http://intrajp.no-ip.com/ Home Page

Well, file_t means the system has no labels. Usually you have a USB stick which has a file system on it which supports labels, but no one has put labels onto it. Confined apps like colord are not allowed to look at file_t, since the kernel has no idea what kind of content is there.

But the bug here is with colord trying to look at every file system that gets mounted on the system. We have an open bug with it to stop doing this.

If the admin knows what kind of content is on the stick, it is up to him to label it appropriately, or mount it with the appropriate label. For example, if it contained apache content you would either run

chcon system_u:object_r:httpd_sys_content_t:s0 /run/media/

or mount it using the context option

mount -o context=system_u:object_r:httpd_sys_content_t:s0 /dev/sd100 /run/media
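The check and the two fixes from Dan's reply, put together as an added shell example (my code, not anything posted in the thread or shipped with Fedora). It finds the entries on a mounted stick that still carry the file_t type, validates the type name the admin chose, and prints the chcon and mount command lines that would apply it. The mount point, device name, sample "context path" lines and the dry-run behaviour are all constructed for illustration; on a real system the sample would come from `find MOUNTPOINT -printf '%Z %p\n'` (GNU findutils built with SELinux support) and the printed commands would be run as root.

```shell
#!/bin/sh
# Added example, not code from the list thread. Given a mounted removable
# filesystem whose files carry no SELinux label (type file_t), list those
# files and show the two ways to give them a label the admin has chosen:
# persistently with chcon, or for one mount only with the context= option.
#
# Assumptions (constructed for this example): the mount point and device
# paths, the sample lines in SAMPLE, and the fact that commands are only
# printed, never executed.

# Filter "<context> <path>" lines, the shape produced by
#   find "$mountpoint" -printf '%Z %p\n'
# down to the paths whose SELinux type (third field of the context) is file_t.
# Paths may contain spaces; everything after the first space is the path.
unlabeled_paths() {
    awk '{
        n = split($1, c, ":")
        if (n >= 3 && c[3] == "file_t") { sub(/^[^ ]+ /, ""); print }
    }'
}

# Accept only a plain SELinux type identifier such as httpd_sys_content_t.
# Anything else would otherwise be spliced into a mount option string as-is.
valid_type() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Full security context for a type, with the user and role used in the thread.
context_for_type() {
    valid_type "$1" || return 1
    printf 'system_u:object_r:%s:s0\n' "$1"
}

# Persistent fix: store the label in the filesystem's xattrs. -R is needed,
# since chcon on the directory alone relabels only that directory.
relabel_cmd() {
    ctx=$(context_for_type "$1") || return 1
    printf 'chcon -R %s %s\n' "$ctx" "$2"
}

# Per-mount fix: context= makes the kernel report one label for every file on
# the mount and leaves the on-disk xattrs untouched.
mount_cmd() {
    ctx=$(context_for_type "$1") || return 1
    printf 'mount -o context=%s %s %s\n' "$ctx" "$2" "$3"
}

# Constructed sample of find output for a freshly formatted ext4 stick that
# was auto-mounted: the root and lost+found have no label, while index.html
# was already relabeled by hand.
SAMPLE='system_u:object_r:file_t:s0 /run/media/user/stick
system_u:object_r:file_t:s0 /run/media/user/stick/lost+found
system_u:object_r:httpd_sys_content_t:s0 /run/media/user/stick/index.html'

# Number of file_t entries in SAMPLE.
count_unlabeled() {
    printf '%s\n' "$SAMPLE" | unlabeled_paths | wc -l | tr -d ' '
}

# Dry run: show what is unlabeled, then the two candidate fixes.
printf '%s\n' "$SAMPLE" | unlabeled_paths
relabel_cmd httpd_sys_content_t /run/media/user/stick
mount_cmd httpd_sys_content_t /dev/sdb /run/media/user/stick
```

Two caveats worth keeping in mind when choosing between the printed commands. Labels written with chcon live in the stick's xattrs, so they travel with the stick and are honoured by any SELinux host that mounts it without a context= option; since restorecon has no default for paths under /run/media (as Dan notes), a later restorecon will not undo them. The context= mount option is not persistent and applies a single type to every file, which is the right tool when the whole stick is one kind of content and the wrong one when it mixes, say, web content with scripts that should not be httpd_sys_content_t.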