How to mount iso file with selinux context
I am trying to mount an ISO file in /var/ftp/pub/centos.
When I try to access those files using FTP in a web browser, it's not working. After troubleshooting I found that it's because of SELinux.
dr-xr-xr-x. root root system_u:object_r:iso9660_t:s0 centos
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 CentOS-6.10-x86_64-bin-DVD1.iso
Is it possible to mount an ISO including SELinux?
I referred to this method (used SELinux context for FTP), but it didn't work for me.
The OS I am using is CentOS release 6.10.
linux centos-6 selinux
asked Dec 24 '18 at 7:44
max
1 Answer
I also could not get this working. As "semanage fcontext" + restorecon also won't work because of the FS being read-only, I would merely add an exception to allow httpd to read those files (I think this brings no significant security issue):
Set permissive mode to make sure all relevant denials appear in audit.log:
$ sudo setenforce permissive
Mount the ISO and read files through the web server.
Denial messages should be found by:
$ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t
Build an SELinux exception module with these denial events and apply it:
$ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | audit2allow -M my-iso-rules
$ sudo semodule -i my-iso-rules.pp
Restore enforcing mode:
$ sudo setenforce enforcing
answered Dec 24 '18 at 13:57
tonioc
I knew that semanage and restorecon will not work. So I used mount. Thanks for the audit.log rule. Upvoted.
– max
Dec 24 '18 at 15:15
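To review what a module built from these denials would grant before loading it, the following added example (not part of the original question or answer) reduces AVC records to unique source type, target type, class and permission tuples and lists any permission outside a read-only set. The sample records, the function names and the read-only permission list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review AVC denials before turning them into a policy module.

# Constructed sample records in audit.log AVC format (not real log data).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1545659820.101:411): avc:  denied  { search } for  pid=2211 comm="httpd" name="/" dev=loop0 ino=1792 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1545659820.102:412): avc:  denied  { read open } for  pid=2211 comm="httpd" name="RELEASE-NOTES-en-US.html" dev=loop0 ino=1845 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
type=AVC msg=audit(1545659820.103:413): avc:  denied  { getattr } for  pid=2211 comm="httpd" path="/var/ftp/pub/centos/EULA" dev=loop0 ino=1830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
type=AVC msg=audit(1545659821.200:414): avc:  denied  { read } for  pid=2212 comm="httpd" name="EULA" dev=loop0 ino=1830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
type=AVC msg=audit(1545659822.300:415): avc:  denied  { write } for  pid=2213 comm="httpd" name="EULA" dev=loop0 ino=1830 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
EOF
}

# Read AVC records on stdin; print one unique
# "source_type target_type class permission" tuple per line.
summarize_denials() {
  awk '/avc: +denied/ {
    perms = $0
    sub(/.*[{] */, "", perms)      # drop everything up to "{ "
    sub(/ *[}].*/, "", perms)      # drop " }" and the rest of the record
    src = tgt = cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # type field
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
  }' | LC_ALL=C sort -u
}

# List tuples whose permission is not in the read-only set assumed here.
unexpected_perms() {
  summarize_denials | awk '$4 !~ /^(read|open|getattr|search|ioctl|lock)$/'
}

# Real use (command from the answer, piped into the summary instead):
#   sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | summarize_denials
sample_audit_log | summarize_denials
echo "--- outside the read-only set:"
sample_audit_log | unexpected_perms
```

Any tuple printed under the last heading should be removed from the grep output before it is piped to audit2allow.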