• Andrew Morton's avatar
    [PATCH] SELinux: context mount support - SELinux changes. · 0ce03642
    Andrew Morton authored
    From: James Morris <jmorris@redhat.com>
    
    This patch implements context mount support within SELinux.
    
    Three new mount options are provided:
    
    context=%s
      Label the entire filesystem with the specified security context during
      mount and change the labeling behavior to 'mountpoint labeling'.  The
      /proc/self/attr/fscreate attribute will be ignored for file creation on
      the filesystem, although policy-specified transitions will still work
      normally.  This also sets the aggregate filesystem security context.
    
    fscontext=%s
      Set the label of the aggregate filesystem to the specified security
      context, so that SELinux policy controls over the filesystem itself may
      be reinstated.  Only works for filesystems without EA labeling support,
      and is not valid if 'context' has been specified.
    
    defcontext=%s
      Set the default security context for files created in this filesystem to
      the specified security context (as opposed to the current global default).
      Only works for filesystems without EA labeling support, and is not
      valid if 'context' has been specified.
    
    To set the context or fscontext options, the security policy must specify
    appropriate permissions for the filesystem relabelfrom and filesystem
    relabelto controls.  For the defcontext option, the filesystem relablefrom
    and filesystem assoicate controls are invoked.
    
    The security mount options are parsed out and stripped from the normal
    mount option data so that no normal filesystems need to be aware of them.
    
    Filesystems with binary mount option data (e.g. NFS, SMBFS, AFS, Coda)
    need to be handled as special cases: only NFS is supprted at this stage
    per the previous patch.
    0ce03642
security.h 1.96 KB