[RFC Patch 0/3] Context Mounts and Unsupported Contexts

[Cory Olmo <colmo@TrustedCS.com>]

This is a potential patch set to correct the collision which is occurring
between commas in contexts and the comma delimiter between option values for
mount.

The Problem:

If the context option specified to mount contains a comma then the value of 
the context option will be improperly broken up.

Example:

Using an MCS translation setup with these entries.

s0:c1=PatientRecord
s0:c2=Unclassified
s0:c3=Secret
s0:c4=TopSecret
s0:c1,c3,c4=CompanySecrets

With translations turned off:
mount -t iso9660 /dev/cdrom /media/cdrom -o \
ro,context=system_u:object_r:iso9660_t:s0:c2,c3,c4,exec

The context option that will be interpreted by SeLinux is
context=system_u:object_r:iso9660_t:s0:c2

The options that will be passed on to the file system will be ro,c3,c4,exec.

If translations are turned on the context that will be interpreted for the
context, system_u:object_r:iso9660_t:Unclassified,Secret,TopSecret, will be
system_u:object_r:iso9660_t:Unclassified.

Proposed Solution:

The proposed solution is to allow/require the SeLinux context option specified
to mount to use escaped quotes when the context contains a comma.  The patches
that are included are for the kernel, util-linux, and nfs-utils.  They were
generated against the following Fedora rawhide rpms util-linux-2.13-0.36,
nfs-utils-1.0.9-3, and kernel-2.6.17-1.2528.

-- 
Cory Olmo

Trusted Computer Solutions
www.TrustedCS.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.