Stephen Smalley wrote:
On Fri, 2008-10-10 at 17:26 +1000, Murray McAllister wrote:
Hi,
The following is a rough draft for the "Mounting File Systems" sections.
Any comments and corrections are appreciated.
I'd have to say that this entire section is confusing - it is written in
terms of low level mechanism and corner cases and not in terms of how
users actually interact with SELinux and their common experience.
For example, file_t is something users should never see in practice. As
setroubleshoot says, it indicates that they should relabel their
filesystems - they likely have been running with SELinux disabled at
some prior point in time and have re-enabled it without relabeling.
Likewise, default_t is the unusual case where a file falls completely
outside of the file tree specifications in file_contexts.
It also doesn't describe context mounts in terms of why and how they are
used. See for example the original explanation of mountpoint labeling
(i.e. context mounts) in:
http://www.linuxjournal.com/article/7426
I have tried to remove the more technical details and include feedback:
Mounting File Systems
Use the mount -o context command to override existing extended
attributes. This is useful if you do not trust a file system to supply
the correct attributes, for example, removable media used in multiple
systems. The mount -o context command can also be used to support
labeling for file systems that do not support extended attributes, such
as File Allocation Table (FAT) file systems. The context specified with
mount -o context is not written to disk: the original contexts are
preserved, and are seen when mounting without a context option.
Temporary Mount Context Changes
As the Linux root user, use the mount -o
context=SELinux_user:role:type:level command to mount file systems with
the specified context, overriding existing contexts if they exist.
Context changes are not written to disk. In the following example, when
/dev/sda1 is mounted, all files on that file system are labeled with the
system_u:object_r:httpd_sys_content_t:s0 context. This example can be
used to share FAT file systems (or other file systems) via the Apache
HTTP server:
# mount -o context="system_u:object_r:httpd_sys_content_t:s0" /dev/sda1 /mount/point
Newly-created files and directories on this file system appear to have
the SELinux context specified with -o context; however, since context
changes are not written to disk for these situations, context changes
are lost when the file system is unmounted. If such a file system is not
labeled, or does support extended attributes, it stays in that state
after being unmounted.
Type Enforcement is the main permission control used in SELinux targeted
policy. For the most part, SELinux users and roles can be ignored, so,
when overriding the SELinux context with -o context, use the SELinux
system_u user and object_r role, and concentrate on the type. If you are
not using the MLS policy or multi-category security, use the s0 level.
<note>
When a file system is mounted with a context option, context changes (by
users and processes) are prohibited. For example, running chcon on a
file system mounted with a context option results in an Operation not
supported error.
</note>
Changing the Default Context
As the Linux root user, use the mount -o
defcontext=SELinux_user:role:type:level command to change "the default
security context for unlabeled files"[1]. The defcontext option requires
a file system that supports extended attributes, since context
changes for newly-created files that would otherwise be labeled with the
file_t type are written to disk. The file_t type is used for files
(stored on a file system that supports extended attributes) that do not
have an SELinux context. This type should not exist on correctly-labeled
file systems.
The following example changes the default context to
system_u:object_r:httpd_sys_content_t:s0:
# mount -o defcontext="system_u:object_r:httpd_sys_content_t:s0" /dev/sda1 /mount/point
In this example, if the file system on /dev/sda1 isn't labeled
correctly, or isn't labeled at all, newly-created files are labeled with
httpd_sys_content_t type, rather than the file_t type. If a file that
would otherwise be labeled with the file_t type is created on this file
system, it keeps the httpd_sys_content_t type, even when the file system
is mounted without a context option.
[1] Morris, James. "Filesystem Labeling in SELinux". Published 1 October
2004. Accessed 14 October 2008: http://www.linuxjournal.com/article/7426.
Multiple NFS Mounts from the same Export
To mount a single NFS export multiple times using a different SELinux
context for each mount, use the mount -o nosharecache,context options.
The context specified with the context option is not written to disk:
# mount hostname:/export /local/mount/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
# mount hostname:/export /local/mount/database -o nosharecache,context="system_u:object_r:mysqld_db_t:s0"
In this example, the hostname:/export NFS export is mounted to two
different directories, /local/mount/web and /local/mount/database. Files
mounted on /local/mount/web are labeled with the httpd_sys_content_t
type. Files mounted on /local/mount/database are labeled with the
mysqld_db_t type.
If a single system runs a MySQL® server as well as an Apache HTTP
Server, and data files for both of those services are on a single NFS
export, this example can be used to allow both the MySQL server and the
Apache HTTP Server access to the required files, without exposing the
files to other local services.
# This is probably incorrect. I do not know a proper use case for this.
Note: if you attempt to mount a single NFS export multiple times with
different contexts, but do not use the nosharecache option, mount fails
with a mount.nfs: an incorrect mount option was specified error, and the
following is logged to /var/log/messages:
kernel: SELinux: mount invalid. Same superblock, different security
settings for (dev 0:14, type nfs)
Further Information
For further information about file system labeling, refer to James
Morris's "Filesystem Labeling in SELinux" article:
http://www.linuxjournal.com/article/7426.
Thanks!
Mounting File Systems
By default, when a third extended file system (ext3) is mounted, the
files and directories on the file system are labeled with the file_t
type. The mount command can override SELinux contexts when mounting file
systems. SELinux context changes with the mount command can be
per-session only (until the file system is unmounted), or persistent
(context changes are written to disk).
# what are default_t and file_t?
Temporary Mount Context Changes
As the Linux root user, use the mount -o
context=SELinux_user:role:type:level option to temporarily override
existing SELinux contexts. The -o context option requires a Linux 2.6
kernel. When a file system is mounted with the -o context option:
# does -o context only work with a 2.6 kernels?
* SELinux context changes only occur in kernel memory, and as such,
context changes are not written to disk. Any context changes made while
such a file system is mounted are lost when the file system is unmounted.
* If a file system is already labeled, and the contexts are overridden
with the -o context option, the original contexts return when the file
system is unmounted.
* Newly-created files and directories appear to have the SELinux context
specified with -o context; however, since context changes are not
written to disk for these situations, context changes are lost when the
file system is unmounted.
* The -o context option works even if the file system to be mounted does
not support extended attributes, although, any context changes made to
such a file system are lost when the file system is unmounted.
The following example labels all files on the file system to be mounted
with the httpd_sys_content_t type:
# mount -t ext3 -o context="system_u:object_r:httpd_sys_content_t:s0" /dev/sdax /mount/point
-t ext3: The -t ext3 option specifies that an ext3 file system is to be
mounted. Use the -t option to specify the correct file system. Refer to
the mount(8) manual page for a list of file systems.
-o context="system_u:object_r:httpd_sys_content_t:s0": The -o
context="system_u:object_r:httpd_sys_content_t:s0" option specifies the
SELinux context for all files on the file system to be mounted, as well
as the mount point. This option overrides existing contexts.
Type Enforcement is the main permission control used in SELinux targeted
policy. For the most part, SELinux users and roles can be ignored, so,
when overriding the SELinux context with mount, use the SELinux system_u
user and object_r role, and concentrate on the type. In this example,
all files on the /dev/sdax file system will be labeled with the
httpd_sys_content_t type.
/dev/sdax /mount/point: Specifies that the /dev/sdax device will be
mounted to the /mount/point/ directory.
<note>
When a file system is mounted with the -o context option, it is not
possible to use the chcon command to change the SELinux context. Using
chcon on such a file system results in an Operation not supported error.
</note>
Persistent Mount Context Changes
As the Linux root user, use the mount -o
defcontext=SELinux_user:role:type:level option to persistently change
the default SELinux context for a file system. The -o defcontext option
requires a file system that supports extended attributes, since changes
are written to disk. When a file system is mounted with the -o
defcontext option:
* Existing files keep their current contexts.
* Context changes are written to disk, and are not lost if the file
system is unmounted. Newly-created files and files copied to such a file
system inherit the SELinux context specified with the -o defcontext
option. For example, if a file system is mounted with the -o
defcontext="system_u:object_r:httpd_sys_content_t:s0" option, and a new
file is created on the mounted file system, that file is labeled with
the httpd_sys_content_t type. If the file system is unmounted and then
mounted without a context option, that file is still labeled with the
httpd_sys_content_t type.
The following example changes the default SELinux context for the file
system to be mounted to system_u:object_r:httpd_sys_content_t:s0:
# mount -t ext3 -o defcontext="system_u:object_r:httpd_sys_content_t:s0" /dev/sdax /mount/point
[fill in similar to the previous section]
# I do not understand the fscontext option. Should that be included?
# Are there any common use cases that should have examples here, such as
mounting a cd and sharing it via http or nfs?
Apologies for any typos :(
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
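An added audit script, not part of this thread or of any SELinux project code: it parses /proc/mounts-style lines (a constructed sample is embedded) and flags the mount-option mistakes the draft describes: a malformed context value, defcontext on a file system that cannot store extended attributes (the NO_XATTR_FS set is an assumption), and an NFS export mounted twice with different contexts but without nosharecache.

```python
import re
from collections import defaultdict

# Constructed /proc/mounts-style sample (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 /mount/point ext3 rw,context="system_u:object_r:httpd_sys_content_t:s0" 0 0
hostname:/export /local/mount/web nfs rw,nosharecache,context="system_u:object_r:httpd_sys_content_t:s0" 0 0
hostname:/export /local/mount/database nfs rw,context="system_u:object_r:mysqld_db_t:s0" 0 0
/dev/sdc1 /media/usb vfat rw,defcontext="system_u:object_r:removable_t:s0" 0 0
"""

NO_XATTR_FS = {"vfat", "msdos", "iso9660"}   # assumption: file systems without xattrs
CONTEXT_OPTS = ("context", "fscontext", "defcontext")
CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(?::[\w.,:-]+)?$")  # user:role:type[:level]

def split_options(optstr):
    # Split on commas but keep quoted values whole: an MLS level such as s0:c1,c3 contains commas.
    opts, cur, quoted = {}, "", False
    for ch in optstr + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            key, _, val = cur.partition("=")
            opts[key] = val
            cur = ""
        else:
            cur += ch
    return opts

def audit(text):
    # Returns (mount point, problem) pairs; an empty list means nothing was flagged.
    findings, nfs_by_export = [], defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, target, fstype, opts = fields[0], fields[1], fields[2], split_options(fields[3])
        for name in CONTEXT_OPTS:
            if name in opts and not CONTEXT_RE.match(opts[name]):
                findings.append((target, "malformed %s=%s" % (name, opts[name])))
        if "defcontext" in opts and fstype in NO_XATTR_FS:
            findings.append((target, "defcontext needs xattrs, %s has none" % fstype))
        if fstype.startswith("nfs"):
            nfs_by_export[src].append((target, opts))
    for export, group in nfs_by_export.items():
        if len({o.get("context") for _, o in group}) > 1:
            for target, o in group:
                if "nosharecache" not in o:
                    findings.append((target, "%s mounted with different contexts but without nosharecache" % export))
    return findings
```

Run audit(open("/proc/mounts").read()) on a live host to check its current mounts instead of the sample.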