From: Daniel J Walsh <dwalsh@redhat.com>
To: "Sean E. Millichamp" <sean@bruenor.org>
Cc: Fedora Selinux Mailing List <fedora-selinux-list@redhat.com>,
	SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Handling labeling on filesystems that don't support SELinux
Date: Mon, 17 Nov 2008 09:45:21 -0500	[thread overview]
Message-ID: <49218381.4050509@redhat.com> (raw)
In-Reply-To: <1225998785.3313.5.camel@sewt>

Sean E. Millichamp wrote:
> I have been working on SELinux support for Puppet.  One issue that has
> cropped up is the behavior on filesystems which don't support SELinux.
> 
> They all appear to get a default label, some seem to allow changing the
> label (VFAT) in a non-persistent manner, some seem to throw "not
> supported" errors (NFS).
> 
> How can I detect if a file is on a filesystem which supports SELinux
> without trying to update the label?
> 
> The best idea so far has been to parse /proc/mounts and use that to
> determine what type of filesystem a file lives on, then check it against
> a whitelist (which would include ext3, xfs, ?) but it seems like there
> has to be a cleaner/simpler way.
> 
> What I would like would be a "getfilecon" call that returns the real
> label, ignoring any mount-time defaults.
> 
> Any ideas?
> 
> Thanks,
> Sean
> 
> 
I have been waiting for someone else to respond to this.  I think this
would be better sent to the NSA selinux list for better discussion.

The problem with your parsing of the /proc/mounts is that it would not
give you an accurate idea of what supports and what does not support
SELinux labeling.  Also this can change over time.

If I mount an ext3 file system with a context mount, then it will no
longer allow you to set the file context.  I think the best idea is just
to attempt to assign the context and if it fails, ignore the error.  I
guess you can report it, if in verbose mode as a warning.

Others may have different ideas.
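The "just try it and treat failure as a warning" approach Dan describes, written out as an added example in Python (this is not Puppet's code and not from the thread; the outcome names, the helper functions and the sample context string are this example's own assumptions). It attempts to write the `security.selinux` xattr directly, then sorts the resulting errno into "filesystem or mount doesn't support labeling" (ENOTSUP/EOPNOTSUPP, which is also what a context= mount returns), "policy or DAC denied it" (EACCES/EPERM), or anything else, so that only the first category is silently ignored and a real denial still surfaces:

```python
import errno
import os
import sys
import tempfile

# Name of the extended attribute the kernel uses to store a file's SELinux label.
SELINUX_XATTR = "security.selinux"

# Outcome categories for one relabel attempt (names chosen for this example).
SET_OK = "set"                 # label was written
UNSUPPORTED = "unsupported"    # fs has no label support, or a context= mount: safe to ignore
DENIED = "denied"              # SELinux policy or DAC refused the change: report it
OTHER_ERROR = "error"          # anything else (missing file, bad context string, ...)


def classify_setxattr_errno(err):
    """Map the errno of a failed setxattr(2) on security.selinux to an outcome."""
    # ENOTSUP and EOPNOTSUPP are the same value on Linux; listing both is harmless.
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return UNSUPPORTED
    if err in (errno.EACCES, errno.EPERM):
        return DENIED
    return OTHER_ERROR


def outcome_for_error_name(name):
    """Convenience wrapper: classify by errno symbol name, e.g. 'ENOTSUP'."""
    return classify_setxattr_errno(getattr(errno, name))


def try_set_context(path, context, verbose=False):
    """Attempt to set the SELinux label on path.

    Returns (outcome, errno_or_None). Per the advice in the thread, the
    label is simply attempted; an 'unsupported' result is ignorable and is
    reported only as a warning when verbose is set.
    """
    if not hasattr(os, "setxattr"):   # non-Linux Python builds have no xattr calls
        return UNSUPPORTED, None
    try:
        os.setxattr(path, SELINUX_XATTR, context.encode())
        return SET_OK, None
    except OSError as e:
        outcome = classify_setxattr_errno(e.errno)
        if verbose and outcome == UNSUPPORTED:
            print(f"warning: {path}: filesystem does not support SELinux labels "
                  f"({os.strerror(e.errno)})", file=sys.stderr)
        return outcome, e.errno


def get_context(path):
    """Read the label the kernel reports for path, or None if it has none."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, SELINUX_XATTR).rstrip(b"\0").decode()
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENODATA):
            return None
        raise


def try_set_context_on_tempfile(context="system_u:object_r:user_tmp_t:s0"):
    """Run one attempt on a fresh temporary file and return the outcome only.

    The context string is a constructed sample; on a non-SELinux kernel this
    yields 'unsupported', on an SELinux host without permission 'denied'.
    """
    with tempfile.NamedTemporaryFile() as f:
        outcome, _ = try_set_context(f.name, context, verbose=True)
        return outcome


if __name__ == "__main__":
    # Usage: python relabel.py [--verbose] PATH... (relabels with the sample context)
    verbose = "--verbose" in sys.argv
    for p in (a for a in sys.argv[1:] if a != "--verbose"):
        outcome, err = try_set_context(p, "system_u:object_r:user_tmp_t:s0", verbose)
        print(f"{p}: {outcome} current={get_context(p)!r}")
```

The important design point is that ENOTSUP is the only error swallowed: an EACCES or EPERM means policy (or ownership) refused the relabel, which a configuration management tool should report as a failure rather than hide behind a "filesystem doesn't support it" message.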