Murray McAllister wrote:
Hi,
The following is a rough draft for the "Mounting File Systems" sections.
Any comments and corrections are appreciated.
Thanks!
Mounting File Systems
By default, when a third extended file system (ext3) is mounted, the
files and directories on the file system are labeled with the file_t
type. The mount command can override SELinux contexts when mounting file
systems. SELinux context changes with the mount command can be
per-session only (until the file system is unmounted), or persistent
(context changes are written to disk).
# what are default_t and file_t?
Sorry. I found
<http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions>
which looks like it answers it.
Temporary Mount Context Changes
As the Linux root user, use the mount -o
context=SELinux_user:role:type:level option to temporarily override
existing SELinux contexts. The -o context option requires a Linux 2.6
kernel. When a file system is mounted with the -o context option:
# does -o context only work with 2.6 kernels?
* SELinux context changes only occur in kernel memory, and as such,
context changes are not written to disk. Any context changes made while
such a file system is mounted are lost when the file system is unmounted.
* If a file system is already labeled, and the contexts are overridden
with the -o context option, the original contexts return when the file
system is unmounted.
* Newly-created files and directories appear to have the SELinux context
specified with -o context; however, since context changes are not
written to disk for these situations, context changes are lost when the
file system is unmounted.
* The -o context option works even if the file system to be mounted does
not support extended attributes, although any context changes made to
such a file system are lost when the file system is unmounted.
The following example labels all files on the file system to be mounted
with the httpd_sys_content_t type:
# mount -t ext3 -o context="system_u:object_r:httpd_sys_content_t:s0" /dev/sdax /mount/point
-t ext3: The -t ext3 option specifies that an ext3 file system is to be
mounted. Use the -t option to specify the correct file system. Refer to
the mount(8) manual page for a list of file systems.
-o context="system_u:object_r:httpd_sys_content_t:s0": The -o
context="system_u:object_r:httpd_sys_content_t:s0" option specifies the
SELinux context for all files on the file system to be mounted, as well
as the mount point. This option overrides existing contexts.
Type Enforcement is the main permission control used in SELinux targeted
policy. For the most part, SELinux users and roles can be ignored, so
when overriding the SELinux context with mount, use the SELinux system_u
user and object_r role, and concentrate on the type. In this example,
all files on the /dev/sdax file system will be labeled with the
httpd_sys_content_t type.
/dev/sdax /mount/point: Specifies that the /dev/sdax device will be
mounted to the /mount/point/ directory.
<note>
When a file system is mounted with the -o context option, it is not
possible to use the chcon command to change the SELinux context. Using
chcon on such a file system results in an "Operation not supported" error.
</note>
Persistent Mount Context Changes
As the Linux root user, use the mount -o
defcontext=SELinux_user:role:type:level option to persistently change
the default SELinux context for a file system. The -o defcontext option
requires a file system that supports extended attributes, since changes
are written to disk. When a file system is mounted with the -o
defcontext option:
* Existing files keep their current contexts.
* Context changes are written to disk, and are not lost if the file
system is unmounted. Newly-created files and files copied to such a file
system inherit the SELinux context specified with the -o defcontext
option. For example, if a file system is mounted with the -o
defcontext="system_u:object_r:httpd_sys_content_t:s0" option, and a new
file is created on the mounted file system, that file is labeled with
the httpd_sys_content_t type. If the file system is unmounted and then
mounted without a context option, that file is still labeled with the
httpd_sys_content_t type.
The following example changes the default SELinux context for the file
system to be mounted to system_u:object_r:httpd_sys_content_t:s0:
# mount -t ext3 -o defcontext="system_u:object_r:httpd_sys_content_t:s0" /dev/sdax /mount/point
[fill in similar to the previous section]
# I do not understand the fscontext option. Should that be included?
# Are there any common use cases that should have examples here, such as
mounting a CD and sharing it via HTTP or NFS?
Apologies for any typos :(
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
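The following script is an added example for the "Temporary Mount Context Changes" and "Persistent Mount Context Changes" sections above; it is not part of Murray's draft or of any SELinux project code. It builds a scratch ext3 image on a loop device, mounts it first with -o context and then with -o defcontext, and uses ls -Z after each step so the difference (labels held only in kernel memory versus labels written to the security.selinux extended attribute) can be observed directly, including the "Operation not supported" that chcon returns on a context= mount. The helper functions only validate the user:role:type[:level] shape of a context and build the mount option string; they also accept fscontext, which labels the file system (superblock) object itself rather than the files on it. The image path, mount point and file names are assumptions chosen for the demo; the actual mounts run only as root on an SELinux-enabled kernel with mkfs.ext3 available.

```shell
#!/bin/sh
# Added example, not part of the original draft: exercises the context= and
# defcontext= mount options on a loop-backed ext3 image so the behaviour
# described in the draft (labels lost on unmount vs. written to disk) can
# be observed with ls -Z. The helper functions need nothing special; the
# demo itself needs root, an SELinux-enabled kernel, and mkfs.ext3.

CTX="system_u:object_r:httpd_sys_content_t:s0"

# True if $1 has the user:role:type[:level] shape of an SELinux context.
# Only the first three fields are checked; the MLS level may itself
# contain colons (e.g. s0-s0:c0.c1023), so anything after the type is
# accepted as-is.
selinux_context_valid() {
    case "$1" in
        *:*:*) ;;          # need at least user, role and type
        *) return 1 ;;
    esac
    _user=${1%%:*}
    _rest=${1#*:}
    _role=${_rest%%:*}
    _rest=${_rest#*:}
    _type=${_rest%%:*}
    [ -n "$_user" ] && [ -n "$_role" ] && [ -n "$_type" ]
}

# Print the -o value for one of the three SELinux mount options:
#   context    - label every file on the mount (kernel memory only)
#   defcontext - default label for files that carry no on-disk label
#   fscontext  - label of the file system (superblock) object itself,
#                used for mount/remount/statfs-style checks, not files
# No quoting is needed because the context contains no commas.
mount_context_opts() {
    case "$1" in
        context|defcontext|fscontext) ;;
        *) return 1 ;;
    esac
    selinux_context_valid "$2" || return 1
    printf '%s=%s' "$1" "$2"
}

# Walk through the draft's two scenarios on a scratch ext3 image
# (paths and file names are assumptions for this demo).
demo() {
    img=$(mktemp /tmp/selinux-mount.XXXXXX)
    mnt=$(mktemp -d /tmp/selinux-mnt.XXXXXX)
    dd if=/dev/zero of="$img" bs=1M count=16 2>/dev/null
    mkfs.ext3 -q -F "$img"

    # 1. Temporary override: everything appears as httpd_sys_content_t,
    #    and chcon is refused (Operation not supported) while mounted.
    mount -t ext3 -o "loop,$(mount_context_opts context "$CTX")" "$img" "$mnt"
    touch "$mnt/index.html"
    ls -Z "$mnt/index.html"
    chcon -t user_home_t "$mnt/index.html" || echo "chcon refused, as expected"
    umount "$mnt"

    # 2. Persistent default: a file created now gets httpd_sys_content_t
    #    written to its security.selinux xattr.
    mount -t ext3 -o "loop,$(mount_context_opts defcontext "$CTX")" "$img" "$mnt"
    touch "$mnt/newfile.html"
    ls -Z "$mnt/newfile.html"
    umount "$mnt"

    # 3. Plain remount: newfile.html keeps httpd_sys_content_t, while
    #    index.html never had a label written and shows the unlabeled type.
    mount -t ext3 -o loop "$img" "$mnt"
    ls -Z "$mnt"/*.html
    umount "$mnt"

    rmdir "$mnt"
    rm -f "$img"
}

if [ "$(id -u)" -eq 0 ] && selinuxenabled 2>/dev/null && command -v mkfs.ext3 >/dev/null 2>&1; then
    demo
else
    echo "Skipping mount demo: needs root, SELinux enabled, and mkfs.ext3."
fi
```

Run it as root (for example with sudo) on an SELinux system to see the three ls -Z listings; on any other system only the helper functions are usable. The option string is built without double quotes on purpose: the quotes in the draft's mount commands are consumed by the shell, and they are only needed when a context contains a comma (an MLS category set such as c0,c1), which these examples do not.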