Bug 428517 - RFE: add option to mount to "restorecon" the filesystem to be mounted
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: util-linux-ng
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Karel Zak
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-12 13:47 EST by Till Maas
Modified: 2012-02-23 10:39 EST (History)
Last Closed: 2012-02-23 10:39:10 EST
External Trackers: Red Hat Bugzilla 250881

Description Till Maas 2008-01-12 13:47:19 EST
Description of problem:
When one wants to mount a filesystem, e.g. to /tmp, the files on it may have the
right selinux context. It would be useful to have an option for mount to make
sure that the file contexts are right before the mounted partition is available
to the system, e.g.

mount -o restorecon /dev/sda8 /tmp

This should make sure the selinux context for the filesystem is changed as if it
was mounted to /tmp and then mount it to /tmp. In case selinux is not activated,
nothing should happen. But there should be another option to enforce restorecon
in case selinux is not activated, e.g.

mount -o restorecon=<policyname> /dev/sda8 /tmp

where <policyname> is the name of the policy, where the contexts should be taken
from, e.g. targeted or strict.

This would be useful in case filesystems are created during startup, e.g. an
encrypted /tmp partition. Then with the right option in /etc/fstab it would be
made sure, that the context of /tmp is correct. For reference see: bug #250881
Comment 1 Daniel Walsh 2008-05-07 16:10:26 EDT
/tmp is a bad example since there is no default context for the file in /tmp.

Comment 2 Karel Zak 2008-08-10 15:45:08 EDT
(In reply to comment #0)
> It would be useful to have an option for mount to make
> sure that the file contexts are right before the mounted partition is 
> available to the system, e.g.

This is an unrealistic wish; mount(8) does not have a way to work with an unmounted FS. The filesystem is either available to the system or not. (We don't have anything like a 2-phase mount.)

> mount -o restorecon /dev/sda8 /tmp
>
> This should make sure the selinux context for the filesystem is changed as if
> it was mounted to /tmp and then mount it to /tmp. In case selinux is not
> activated, nothing should happen. But there should be another option to
> enforce restorecon in case selinux is not activated, e.g.
>
> mount -o restorecon=<policyname> /dev/sda8 /tmp
>
> where <policyname> is the name of the policy, where the contexts should be
> taken from, e.g. targeted or strict.

This is all a very, very complex requirement. I'm not sure that mount(8) is the right place to resolve all problems with SELinux contexts and block devices.

> This would be useful in case filesystems are created during startup, e.g. an
> encrypted /tmp partition. Then with the right option in /etc/fstab it would be
> made sure, that the context of /tmp is correct. For reference see: bug #250881

My plan (and it's still only a plan...) is to write a modular libmount (like PAM) where you can extend (by module) the mount process by arbitrary pre/post-mount(2) actions.
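
Added example, not part of the bug thread and not util-linux code: a shell wrapper that approximates the requested "restorecon" option as a post-mount step, the only ordering available given that mount(8) cannot work on an unmounted filesystem. The function names and the DRY_RUN variable are hypothetical, and restorecon=<policyname> is not handled.

```shell
#!/bin/sh
# Sketch of "mount -o restorecon" done outside mount(8).
# Usage: mount_restorecon /dev/sda8 /tmp restorecon,noexec

# Drop the pseudo-option "restorecon" from a comma-separated option
# string; it must not be passed on to mount(8).
strip_restorecon() {
    out=""
    old_ifs=$IFS; IFS=,
    for o in $1; do
        [ "$o" = "restorecon" ] && continue
        out="${out:+$out,}$o"
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Succeeds only if "restorecon" is one complete option in the list.
wants_restorecon() {
    case ",$1," in *,restorecon,*) return 0 ;; *) return 1 ;; esac
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# mount_restorecon DEVICE DIR [OPTIONS]
mount_restorecon() {
    dev=$1 dir=$2 opts=${3:-defaults}
    real_opts=$(strip_restorecon "$opts")
    run mount -o "${real_opts:-defaults}" "$dev" "$dir" || return 1
    wants_restorecon "$opts" || return 0
    # Relabel only when SELinux is active, as the request specifies.
    # In dry-run mode the command is always printed for inspection.
    if [ "${DRY_RUN:-0}" = 1 ] || selinuxenabled 2>/dev/null; then
        run restorecon -R "$dir"
    fi
}
```

Between the two commands the filesystem is already reachable with its old labels, so this does not give the "before the mounted partition is available" guarantee the request asks for.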
