From: Murray McAllister <mmcallis@redhat.com>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: user guide drafts: "Mounting File Systems"
Date: Fri, 10 Oct 2008 17:32:29 +1000
Message-ID: <48EF050D.3090308@redhat.com>
In-Reply-To: <48EF03BA.90901@redhat.com>
Murray McAllister wrote:
> Hi,
>
> The following is a rough draft for the "Mounting File Systems" sections.
> Any comments and corrections are appreciated.
>
> Thanks!
>
> Mounting File Systems
>
> By default, when a third extended file system (ext3) is mounted, the
> files and directories on the file system are labeled with the file_t
> type. The mount command can override SELinux contexts when mounting file
> systems. SELinux context changes with the mount command can be
> per-session only (until the file system is unmounted), or persistent
> (context changes are written to disk).
>
> # what are default_t and file_t?
Sorry. I found
<http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions>
which looks like it answers it.
>
> Temporary Mount Context Changes
>
> As the Linux root user, use the mount -o
> context=SELinux_user:role:type:level option to temporarily override
> existing SELinux contexts. The -o context option requires a Linux 2.6
> kernel. When a file system is mounted with the -o context option:
>
> # does -o context only work with 2.6 kernels?
>
> * SELinux context changes only occur in kernel memory, and as such,
> context changes are not written to disk. Any context changes made while
> such a file system is mounted are lost when the file system is unmounted.
>
> * If a file system is already labeled, and the contexts are overridden
> with the -o context option, the original contexts return when the file
> system is unmounted.
>
> * Newly-created files and directories appear to have the SELinux context
> specified with -o context; however, since context changes are not
> written to disk for these situations, context changes are lost when the
> file system is unmounted.
>
> * The -o context option works even if the file system to be mounted does
> not support extended attributes, although, any context changes made to
> such a file system are lost when the file system is unmounted.
>
> The following example labels all files on the file system to be mounted
> with the httpd_sys_content_t type:
>
> # mount -t ext3 -o context="system_u:object_r:httpd_sys_content_t:s0"
> /dev/sdax /mount/point
>
> -t ext3: The -t ext3 option specifies that an ext3 file system is to be
> mounted. Use the -t option to specify the correct file system. Refer to
> the mount(8) manual page for a list of file systems.
>
> -o context="system_u:object_r:httpd_sys_content_t:s0": The -o
> context="system_u:object_r:httpd_sys_content_t:s0" option specifies the
> SELinux context for all files on the file system to be mounted, as well
> as the mount point. This option overrides existing contexts.
>
> Type Enforcement is the main permission control used in SELinux targeted
> policy. For the most part, SELinux users and roles can be ignored, so,
> when overriding the SELinux context with mount, use the SELinux system_u
> user and object_r role, and concentrate on the type. In this example,
> all files on the /dev/sdax file system will be labeled with the
> httpd_sys_content_t type.
>
> /dev/sdax /mount/point: Specifies that the /dev/sdax device will be
> mounted to the /mount/point/ directory.
>
> <note>
> When a file system is mounted with the -o context option, it is not
> possible to use the chcon command to change the SELinux context. Using
> chcon on such a file system results in an Operation not supported error.
> </note>
>
> Persistent Mount Context Changes
>
> As the Linux root user, use the mount -o
> defcontext=SELinux_user:role:type:level option to persistently change
> the default SELinux context for a file system. The -o defcontext option
> requires a file system that supports extended attributes, since changes
> are written to disk. When a file system is mounted with the -o
> defcontext option:
>
> * Existing files keep their current contexts.
>
> * Context changes are written to disk, and are not lost if the file
> system is unmounted. Newly-created files and files copied to such a file
> system inherit the SELinux context specified with the -o defcontext
> option. For example, if a file system is mounted with the -o
> defcontext="system_u:object_r:httpd_sys_content_t:s0" option, and a new
> file is created on the mounted file system, that file is labeled with
> the httpd_sys_content_t type. If the file system is unmounted and then
> mounted without a context option, that file is still labeled with the
> httpd_sys_content_t type.
>
> The following example changes the default SELinux context for the file
> system to be mounted to system_u:object_r:httpd_sys_content_t:s0:
>
> # mount -t ext3 -o defcontext="system_u:object_r:httpd_sys_content_t:s0"
> /dev/sdax /mount/point
>
> [fill in similar to the previous section]
>
> # I do not understand the fscontext option. Should that be included?
>
> # Are there any common use cases that should have examples here, such as
> mounting a cd and sharing it via http or nfs?
>
> Apologies for any typos :(
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
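Added example, not from the draft or from anyone on the thread: a POSIX shell script that builds and sanity-checks the context= and defcontext= mount options the draft describes, reports from a mount option string (as shown by mount or /proc/mounts) whether label changes stay in kernel memory or reach disk, and, when run as root on an SELinux host, walks through the draft's ext3 examples to show chcon being refused under -o context and a defcontext-derived label surviving a plain remount. The block device and mount point are hypothetical arguments supplied by the caller; default_t, used only as the target of the deliberately failing chcon, is the type the draft's own question mentions.

```shell
#!/bin/sh
# Added example, not from the draft or the list message. Demonstrates the
# two mount options the draft covers: -o context= (labels held only in
# kernel memory, chcon refused) and -o defcontext= (default label whose
# results are written to disk). The first two functions run anywhere;
# demo() performs the live mount steps and needs root on an SELinux host
# with a spare ext3 device (hypothetical arguments: device and mount point).

# Build a "context=..." or "defcontext=..." mount option after checking the
# SELinux_user:role:type:level shape the draft describes. The level may
# itself contain colons (MLS ranges such as s0-s0:c0.c1023), so only the
# first three fields are fixed; everything after the third colon is the level.
selinux_mount_opt() {
    kind=$1
    ctx=$2
    case "$kind" in
        context|defcontext) ;;
        *) echo "selinux_mount_opt: unsupported option kind '$kind'" >&2; return 1 ;;
    esac
    case "$ctx" in
        *:*:*:*) ;;
        *) echo "selinux_mount_opt: need user:role:type:level, got '$ctx'" >&2; return 1 ;;
    esac
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    [ -n "$user" ] && [ -n "$level" ] ||
        { echo "selinux_mount_opt: empty user or level in '$ctx'" >&2; return 1; }
    case "$role" in *_r) ;; *) echo "selinux_mount_opt: role '$role' should end in _r" >&2; return 1 ;; esac
    case "$type" in *_t) ;; *) echo "selinux_mount_opt: type '$type' should end in _t" >&2; return 1 ;; esac
    printf '%s=%s\n' "$kind" "$ctx"
}

# Given the option string mount(8) or /proc/mounts shows for a mounted file
# system, report where label changes go: "memory" for -o context= (lost at
# unmount, chcon returns "Operation not supported"), "disk" otherwise
# (labels live in extended attributes and survive unmount).
label_persistence() {
    case ",$1," in
        *,context=*)    echo memory ;;
        *,defcontext=*) echo disk ;;
        *)              echo disk ;;
    esac
}

# Live walk-through of the draft's examples. Not run by default; invoke as
#   sh this_script.sh run /dev/sdXN /mount/point
demo() {
    dev=$1
    mnt=$2
    [ "$(id -u)" -eq 0 ] || { echo "demo: run as root" >&2; return 2; }
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled ||
        { echo "demo: SELinux is not enabled here" >&2; return 2; }
    ctx=system_u:object_r:httpd_sys_content_t:s0

    # 1. Temporary override: every file, and the mount point itself, shows
    #    httpd_sys_content_t; nothing is written to disk; chcon is refused.
    opt=$(selinux_mount_opt context "$ctx") || return 1
    mount -t ext3 -o "$opt" "$dev" "$mnt"
    touch "$mnt/made-under-context"
    ls -Zd "$mnt" "$mnt"/*
    chcon -t default_t "$mnt/made-under-context" ||
        echo "chcon refused under -o context, as the draft's note says"
    umount "$mnt"

    # 2. Persistent default: existing files keep their labels; files created
    #    now get their label written to an extended attribute.
    opt=$(selinux_mount_opt defcontext "$ctx") || return 1
    mount -t ext3 -o "$opt" "$dev" "$mnt"
    touch "$mnt/made-under-defcontext"
    ls -Z "$mnt"
    umount "$mnt"

    # 3. Plain remount: the label from step 2 survives; the file from step 1
    #    was never labelled on disk, so it shows the default for unlabelled files.
    mount -t ext3 "$dev" "$mnt"
    ls -Z "$mnt"
    umount "$mnt"
}

case "${1-}" in
    run) demo "$2" "$3" ;;
esac
```

The validation function deliberately accepts only the two options the draft documents and rejects a type that does not end in _t, which catches the common mistake of passing a bare type name instead of a full context; the live steps are kept behind an explicit `run` argument so the script can be read and its helpers exercised on a machine without SELinux.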
2008-10-10 7:26 user guide drafts: "Mounting File Systems" Murray McAllister
2008-10-10 7:32 ` Murray McAllister [this message]
2008-10-10 7:45 ` Murray McAllister
2008-10-10 9:55 ` Russell Coker
2008-10-10 13:11 ` Stephen Smalley
2008-10-10 13:45 ` Eric Paris
2008-10-10 13:51 ` Stephen Smalley
2008-10-11 11:18 ` Russell Coker
2008-10-16 0:27 ` Murray McAllister
2008-10-10 13:30 ` Stephen Smalley
2008-10-16 1:43 ` Murray McAllister
2008-10-16 14:07 ` Stephen Smalley
2008-10-20 0:07 ` Murray McAllister
2008-10-20 13:37 ` Stephen Smalley
2008-10-22 5:23 ` Murray McAllister
2008-10-22 15:07 ` Stephen Smalley
2008-10-22 19:25 ` Daniel J Walsh
2008-10-27 2:57 ` Murray McAllister
2008-10-28 23:39 ` Daniel J Walsh
2008-10-23 5:08 ` Murray McAllister
2008-10-23 6:02 ` Murray McAllister
2008-10-20 0:46 ` Murray McAllister