genfs_contexts file

genfs_contexts file

[Carlos Anísio Monteiro]

[-- Attachment #1: Type: text/plain, Size: 835 bytes --]

Hi.

I have a doubt about *genfs_contexts* file. For example, the statement 
below:
          
*genfscon vfat /                system_u:object_r:dosfs_t*

I mounted the windows filesystem with: *mount -t vfat /dev/hda1 /mnt/win*
I access with: *cd /mnt/win* and run *ls --context*
The print out of the *ls --context* is:
*-rwxr--r--  root     root     (null)                           130700.htm
drwxr--r--  root     root     (null)                           aaa
-r-xr--r--  root     root     (null)                           admin.dll
-rwxr--r--  root     root     (null)                           ajapaedi
*
Is correct the (null) for security context?

If I note the line in the genfs_contexts file happen the same thing. The 
are not change.

Thanks.

-- 
Carlos Anisio Monteiro  <monteiro@ipen.br>
IPEN/CNEN-SP
Sao Paulo - Brasil


[-- Attachment #2: Type: text/html, Size: 2003 bytes --]

Re: genfs_contexts file

[Russell Coker]

On Wed, 26 Nov 2003 08:48, Carlos Anísio Monteiro <monteiro@ipen.br> wrote:
> I have a doubt about *genfs_contexts* file. For example, the statement
> below:
>
> *genfscon vfat /                system_u:object_r:dosfs_t*
>
> I mounted the windows filesystem with: *mount -t vfat /dev/hda1 /mnt/win*
> I access with: *cd /mnt/win* and run *ls --context*
> The print out of the *ls --context* is:
> *-rwxr--r--  root     root     (null)                           130700.htm

Files/directories that are assigned contexts with genfscon do not have an 
xattr, so "ls --context" can not show their context.

This is a known issue.  I don't know if there are plans to change it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: genfs_contexts file

[Stephen Smalley]

On Tue, 2003-11-25 at 19:35, Russell Coker wrote:
> Files/directories that are assigned contexts with genfscon do not have an 
> xattr, so "ls --context" can not show their context.
> 
> This is a known issue.  I don't know if there are plans to change it.

It would be possible to implement a "pseudo" xattr handler for such
filesystems, as we have already done for devpts.  But that has to be
done for every filesystem type where you want to export the labels to
userspace.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: genfs_contexts file

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 878 bytes --]

Russell Coker wrote:

>On Wed, 26 Nov 2003 08:48, Carlos Anísio Monteiro <monteiro@ipen.br> wrote:
>  
>
>>I have a doubt about *genfs_contexts* file. For example, the statement
>>below:
>>
>>*genfscon vfat /                system_u:object_r:dosfs_t*
>>
>>I mounted the windows filesystem with: *mount -t vfat /dev/hda1 /mnt/win*
>>I access with: *cd /mnt/win* and run *ls --context*
>>The print out of the *ls --context* is:
>>*-rwxr--r--  root     root     (null)                           130700.htm
>>    
>>
>
>Files/directories that are assigned contexts with genfscon do not have an 
>xattr, so "ls --context" can not show their context.
>
>This is a known issue.  I don't know if there are plans to change it.
>  
>
Steven,

Is there a way to change libselinux to return this data, ie if 
getfilecon is going to return NULL, then have it return the genfscon value?

Dan

[-- Attachment #2: Type: text/html, Size: 1385 bytes --]

Re: genfs_contexts file

[Stephen Smalley]

On Wed, 2003-11-26 at 08:42, Daniel J Walsh wrote:
> Is there a way to change libselinux to return this data, ie if
> getfilecon is going to return NULL, then have it return the genfscon
> value?

libselinux is the wrong place.  If userspace needs access to the labels,
then the filesystem needs to export an xattr handler.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.