Chapter 2. SELinux Policy Overview
genfscon iso9660 /    system_u:object_r:iso9660_t

The file genfs_contexts holds the labels to associate with the most common mounted file systems that do not support xattrs.
You can set the context at the time of mounting the file system with the option -o context=user:role:type. A complete list of file system types can be found at $SELINUX_SRC/types/file.te. This option is also known as mountpoint labeling and is new in the 2.6.x kernel. Mountpoint labeling occurs in kernel memory only; the labels are not written to disk, so they are gone after an unmount and must be supplied again on the next mount (for example from /etc/fstab). This example overrides the setting in genfs_contexts that would normally mount the file system as nfs_t:

mount -t nfs -o context=user_u:object_r:user_home_t \
    hostname:/shares/homes/ /home/
The -o context= option is useful when mounting file systems that do not support extended attributes, such as a floppy or hard disk formatted with VFAT, or disks from systems that do not normally run SELinux, such as an ext3 formatted disk from a non-SELinux workstation. You can also use -o context= on file systems you do not trust, such as a floppy: every file on the mount receives the one context you supply, and whatever labels the medium carries in its xattrs are ignored, so an untrusted disk cannot bring in files already labeled with a privileged type. It also helps with compatibility for xattr-supporting file systems on earlier 2.4.x kernel versions. Even where xattrs are supported, you can save time by assigning the entire disk one security context instead of labeling every file.
Two other options are -o fscontext= and -o defcontext=, both of which are mutually exclusive with the context option. This means you can use fscontext and defcontext with each other, but neither can be used with context.
The fscontext option works for all file systems, regardless of their xattr support. It sets the overarching file system label to a specific security context. This file system label is separate from the individual labels on the files: it represents the entire file system for certain kinds of permission checks, such as during mount or file creation, while individual file labels are still obtained from the xattrs on the files themselves. The context option actually sets the aggregate context that fscontext provides, in addition to supplying the same label for every individual file.
You can set the default security context for unlabeled files using defcontext. This overrides the value the policy assigns to unlabeled files and requires a file system that supports xattr labeling; files that already carry a label keep it. This example might be for a shared volume that receives file drops of security-quarantined code, so the dropped files are labeled as unsafe and can be controlled specially by policy:

mount -t ext3 -o defcontext=user_u:object_r:insecure_t \
    /shares/quarantined
This all works because SELinux acts as a transparent layer in front of the mounted file system. After parsing the security options, SELinux passes only the normal file system specific options on to the mounted file system. SELinux can seamlessly handle the text name=value pairs that most file systems use for mount options. File systems with binary mount option data, such as NFS and SMBFS, need to be handled as special cases. Currently, NFSv3 is the only one supported.
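The three option forms above have constraints that are easy to get wrong in /etc/fstab. The following is an added example, not code from the SELinux guide: a small linter for fstab-style lines that checks each context value is a user:role:type triple (with an optional MLS range), that context= is not combined with fscontext= or defcontext=, and that defcontext= is only used on a file system that stores per-file labels in xattrs. The XATTR_FS table is an assumption built from the file system types the text names, and SAMPLE_FSTAB is constructed input; the quoted-value handling follows what later mount(8) documents for MLS category lists containing commas.

```python
"""Lint the SELinux mount options (context=, fscontext=, defcontext=) in
fstab-style lines.  Added example, not code from the SELinux guide."""
import re

# Assumption for this example: which file system types keep per-file labels in
# xattrs.  The guide names vfat, iso9660 and nfs as non-xattr and ext3 as xattr.
XATTR_FS = {"ext2": True, "ext3": True, "xfs": True,
            "vfat": False, "iso9660": False, "nfs": False}

CONTEXT_OPTS = ("context", "fscontext", "defcontext")
IDENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_context(value):
    """Split user:role:type[:range] into a dict; raise ValueError if malformed.
    An MLS range may itself contain ':' (s0:c0.c3), so everything after the
    third field is kept together as the range."""
    parts = value.split(":")
    if len(parts) < 3 or not all(IDENT_RE.match(p) for p in parts[:3]):
        raise ValueError(f"{value!r} is not user:role:type[:range]")
    ctx = {"user": parts[0], "role": parts[1], "type": parts[2]}
    if len(parts) > 3:
        ctx["range"] = ":".join(parts[3:])
    return ctx


def _split_options(optstr):
    """Split an option string on commas, except inside double quotes: mount(8)
    allows context="u:r:t:s0:c0,c1" so an MLS category list can hold commas."""
    tokens, buf, quoted = [], [], False
    for ch in optstr:
        if ch == '"':
            quoted = not quoted
            continue                      # drop the quote characters themselves
        if ch == "," and not quoted:
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf))
    return [t for t in tokens if t]


def parse_options(optstr):
    """Turn 'rw,context=user_u:object_r:user_home_t' into {'rw': None, 'context': ...}."""
    opts = {}
    for token in _split_options(optstr):
        name, sep, value = token.partition("=")
        opts[name] = value if sep else None
    return opts


def lint_fstab_line(line):
    """Return (mountpoint, findings) for one fstab line; findings is empty when
    the SELinux options are consistent with the rules the guide states."""
    fields = line.split()
    if len(fields) < 4:
        return (None, [f"malformed fstab line: {line!r}"])
    _device, mountpoint, fstype, optstr = fields[:4]
    opts = parse_options(optstr)
    findings = []
    for name in CONTEXT_OPTS:
        if name in opts:
            try:
                parse_context(opts[name] or "")
            except ValueError as err:
                findings.append(f"{name}= {err}")
    if "context" in opts and ("fscontext" in opts or "defcontext" in opts):
        findings.append("context= is mutually exclusive with fscontext= and defcontext=")
    if "defcontext" in opts and XATTR_FS.get(fstype) is False:
        findings.append(f"defcontext= needs an xattr-labeling file system; {fstype} "
                        "stores no per-file labels, use context= instead")
    return (mountpoint, findings)


def lint_fstab(text):
    """Lint every non-comment line; returns {mountpoint: [findings]}."""
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mountpoint, findings = lint_fstab_line(line)
        results[mountpoint] = findings
    return results


# Constructed sample, not a real fstab.  The first three lines mirror the
# guide's examples; the last three are deliberately wrong.
SAMPLE_FSTAB = """\
hostname:/shares/homes/ /home               nfs     context=user_u:object_r:user_home_t 0 0
/dev/cdrom              /mnt/cdrom          iso9660 ro,context=system_u:object_r:iso9660_t 0 0
/dev/sdb1               /shares/quarantined ext3    defaults,defcontext=user_u:object_r:insecure_t 0 0
/dev/sdc1               /mnt/bad1           ext3    context=user_u:object_r:user_home_t,defcontext=user_u:object_r:insecure_t 0 0
/dev/sdc2               /mnt/bad2           vfat    defcontext=user_u:object_r:insecure_t 0 0
/dev/sdc3               /mnt/bad3           ext3    context=object_r:insecure_t 0 0
"""

if __name__ == "__main__":
    for mountpoint, findings in lint_fstab(SAMPLE_FSTAB).items():
        print(mountpoint, "OK" if not findings else "; ".join(findings))
```

Run against a real /etc/fstab, the three checks catch the cases the text warns about before mount fails at boot: a context= line that also carries defcontext=, a defcontext= on a VFAT or NFS mount that can never store the per-file labels it would apply to, and a context value missing one of its three fields.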
2.4.1. Security Contexts and the Kernel
SELinux uses LSM hooks in the kernel at key locations, where they interpose access vector decisions. For example, there is a hook just prior to a file being read by a user, where SELinux steps out of the normal kernel workflow to request the AVC decision. This mainly occurs between a subject (a process such as less) and an object (a file such as /etc/ssh/sshd_config) for a specific permission (such as read). Based on the result read back from the AVC, the hook either continues the workflow or returns EACCES, that is, Permission denied.