* Context mounts and unsupported context strings
From: Cory Olmo @ 2006-07-25 19:25 UTC
To: selinux
I recently ran into a problem with mounting file systems for particular
context strings. At this point we are still in the analysis phase so any
information or ideas would be appreciated.

The problem:

Attempt to mount a cdrom with the context option of
context=system_u:object_r:iso9660_t:s1:c0,c2,c4

The context will get interpreted as only
system_u:object_r:iso9660_t:s1:c0. The reason is that the field separator
for the option field is ',', which is the same as that for categories. As a
result the rest of the context ends up being interpreted as additional
mount options that get passed on to the file system.

We've considered translation, escape characters, and quoting the entire
context string. So far the most feasible appear to be either escaping or
quoting the entire context string.
--
Cory Olmo
Trusted Computer Solutions
www.TrustedCS.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Context mounts and unsupported context strings
From: Stephen Smalley @ 2006-08-01 14:07 UTC
To: Cory Olmo; +Cc: Darrel Goeddel, Eric Paris, James Morris, selinux
On Tue, 2006-07-25 at 14:25 -0500, Cory Olmo wrote:
> I recently ran into a problem with mounting file systems for particular
> context strings. At this point we are still in the analysis phase so any
> information or ideas would be appreciated.
>
> The problem:
>
> Attempt to mount a cdrom with the context option of
> context=system_u:object_r:iso9660_t:s1:c0,c2,c4
>
> The context will get interpreted as only
> system_u:object_r:iso9660_t:s1:c0. The reason is that the field separator
> for the option field is ',', which is the same as that for categories. As a
> result the rest of the context ends up being interpreted as additional
> mount options that get passed on to the file system.
>
> We've considered translation, escape characters, and quoting the entire
> context string. So far the most feasible appear to be either escaping or
> quoting the entire context string.
Hi,
Any progress on this? I assume it requires a patch for both mount and
the kernel. In the kernel, try_context_mount() and
selinux_sb_copy_data() would need to understand the escaping or quoting.
mount and nfsmount also perform parsing of the options and handling of
the context options (context translation, converting to the nfs mount
binary structure in the nfs case).
--
Stephen Smalley
National Security Agency
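
Added illustration, not part of either message and not the kernel's or mount's code: a small option splitter that reproduces the truncation described in the thread and shows one form the "quote the entire context string" idea could take. The function name `get_context`, the double-quote syntax and the leading `ro` option are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: walk a mount option string and copy the value of
 * "context=" into out. With quote_aware == 0 every ',' ends an option, as
 * described in the thread. With quote_aware == 1 a ',' between double quotes
 * is kept and the quotes are dropped (assumed syntax for the quoting idea).
 * Returns the number of options seen, or -1 on an unterminated quote or
 * a value that does not fit. */
int get_context(const char *opts, int quote_aware, char *out, size_t outlen)
{
    const char *p = opts;
    int count = 0;

    out[0] = '\0';
    while (*p) {
        char tok[256];
        size_t n = 0;
        int in_quote = 0;

        for (; *p && (in_quote || *p != ','); p++) {
            if (quote_aware && *p == '"') { in_quote = !in_quote; continue; }
            if (n + 1 >= sizeof(tok)) return -1;
            tok[n++] = *p;
        }
        tok[n] = '\0';
        if (in_quote) return -1;      /* never guess where a quote ends */
        if (*p == ',') p++;
        if (n == 0) continue;         /* skip empty options such as ",," */
        count++;
        if (strncmp(tok, "context=", 8) == 0) {
            if (strlen(tok + 8) >= outlen) return -1;
            strcpy(out, tok + 8);
        }
    }
    return count;
}

int main(void)
{
    char ctx[128];
    /* Constructed option strings; "ro" is added so a second option is visible. */
    int n = get_context("ro,context=system_u:object_r:iso9660_t:s1:c0,c2,c4", 0, ctx, sizeof(ctx));
    printf("plain split:  %d options, context=%s\n", n, ctx);
    n = get_context("ro,context=\"system_u:object_r:iso9660_t:s1:c0,c2,c4\"", 1, ctx, sizeof(ctx));
    printf("quote-aware:  %d options, context=%s\n", n, ctx);
    return 0;
}
```

With the plain split the label loses categories c2 and c4, which surface as two extra options; the quote-aware pass keeps the full category set and rejects an unterminated quote instead of applying a partial label.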