How to mount iso file with selinux context












0















I am trying to mount iso file in /var/ftp/pub/centos



When I try to access those files using ftp in web browser it's not working . After troubleshooting I found that it's because of selinux.




dr-xr-xr-x. root root system_u:object_r:iso9660_t:s0 centos
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 CentOS-6.10-x86_64-bin-DVD1.iso



Is it possible to mount iso including selinux ?



I referred this method (used selinux context for ftp) but it didn't work for me.



OS I am using CentOS release 6.10.










share|improve this question



























    0















    I am trying to mount iso file in /var/ftp/pub/centos



    When I try to access those files using ftp in web browser it's not working . After troubleshooting I found that it's because of selinux.




    dr-xr-xr-x. root root system_u:object_r:iso9660_t:s0 centos
    -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 CentOS-6.10-x86_64-bin-DVD1.iso



    Is it possible to mount iso including selinux ?



    I referred this method (used selinux context for ftp) but it didn't work for me.



    OS I am using CentOS release 6.10.










    share|improve this question

























      0












      0








      0








      I am trying to mount iso file in /var/ftp/pub/centos



      When I try to access those files using ftp in web browser it's not working . After troubleshooting I found that it's because of selinux.




      dr-xr-xr-x. root root system_u:object_r:iso9660_t:s0 centos
      -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 CentOS-6.10-x86_64-bin-DVD1.iso



      Is it possible to mount iso including selinux ?



      I referred this method (used selinux context for ftp) but it didn't work for me.



      OS I am using CentOS release 6.10.










      share|improve this question














      I am trying to mount iso file in /var/ftp/pub/centos



      When I try to access those files using ftp in web browser it's not working . After troubleshooting I found that it's because of selinux.




      dr-xr-xr-x. root root system_u:object_r:iso9660_t:s0 centos
      -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 CentOS-6.10-x86_64-bin-DVD1.iso



      Is it possible to mount iso including selinux ?



      I referred this method (used selinux context for ftp) but it didn't work for me.



      OS I am using CentOS release 6.10.







      linux centos-6 selinux






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 24 '18 at 7:44









      maxmax

      2,49294261




      2,49294261






















          1 Answer
          1






          active

          oldest

          votes


















          1














          I also could not get this working. As the "semanage fcontext" + restorecon won't also work because of the FS being read-only, I would merely add an exception to allow httpd reading those files (I think this brings no significant security issue):





          • set permissive mode to make sure all relevants denials appear in audit.log



            $ sudo setenforce permissive



          • mount the ISO and read files through the WEB server.



          • denial messages should be found by:



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t




          • build a selinux exception module with these denial events and apply it



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | audit2allow -M my-iso-rules
            $ sudo semodule -i my-iso-rules.pp




          • restore enforcing mode:



            $ sudo setenforce enforcing








          share|improve this answer
























          • I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

            – max
            Dec 24 '18 at 15:15











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387310%2fhow-to-mount-iso-file-with-selinux-context%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          I also could not get this working. As the "semanage fcontext" + restorecon won't also work because of the FS being read-only, I would merely add an exception to allow httpd reading those files (I think this brings no significant security issue):





          • set permissive mode to make sure all relevants denials appear in audit.log



            $ sudo setenforce permissive



          • mount the ISO and read files through the WEB server.



          • denial messages should be found by:



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t




          • build a selinux exception module with these denial events and apply it



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | audit2allow -M my-iso-rules
            $ sudo semodule -i my-iso-rules.pp




          • restore enforcing mode:



            $ sudo setenforce enforcing








          share|improve this answer
























          • I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

            – max
            Dec 24 '18 at 15:15
















          1














          I also could not get this working. As the "semanage fcontext" + restorecon won't also work because of the FS being read-only, I would merely add an exception to allow httpd reading those files (I think this brings no significant security issue):





          • set permissive mode to make sure all relevants denials appear in audit.log



            $ sudo setenforce permissive



          • mount the ISO and read files through the WEB server.



          • denial messages should be found by:



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t




          • build a selinux exception module with these denial events and apply it



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | audit2allow -M my-iso-rules
            $ sudo semodule -i my-iso-rules.pp




          • restore enforcing mode:



            $ sudo setenforce enforcing








          share|improve this answer
























          • I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

            – max
            Dec 24 '18 at 15:15














          1












          1








          1







          I also could not get this working. As the "semanage fcontext" + restorecon won't also work because of the FS being read-only, I would merely add an exception to allow httpd reading those files (I think this brings no significant security issue):





          • set permissive mode to make sure all relevants denials appear in audit.log



            $ sudo setenforce permissive



          • mount the ISO and read files through the WEB server.



          • denial messages should be found by:



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t




          • build a selinux exception module with these denial events and apply it



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | audit2allow -M my-iso-rules
            $ sudo semodule -i my-iso-rules.pp




          • restore enforcing mode:



            $ sudo setenforce enforcing








          share|improve this answer













          I also could not get this working. As the "semanage fcontext" + restorecon won't also work because of the FS being read-only, I would merely add an exception to allow httpd reading those files (I think this brings no significant security issue):





          • set permissive mode to make sure all relevants denials appear in audit.log



            $ sudo setenforce permissive



          • mount the ISO and read files through the WEB server.



          • denial messages should be found by:



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t




          • build a selinux exception module with these denial events and apply it



            $ sudo grep denied /var/log/audit/audit.log | grep httpd | grep iso9660_t | audit2allow -M my-iso-rules
            $ sudo semodule -i my-iso-rules.pp




          • restore enforcing mode:



            $ sudo setenforce enforcing









          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 24 '18 at 13:57









          tonioctonioc

          66736




          66736













          • I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

            – max
            Dec 24 '18 at 15:15



















          • I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

            – max
            Dec 24 '18 at 15:15

















          I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

          – max
          Dec 24 '18 at 15:15





          I knew that semange and restorecon will not work. So I used mount. Thanks for audit.log rule . Upvoted.

          – max
          Dec 24 '18 at 15:15


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387310%2fhow-to-mount-iso-file-with-selinux-context%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          Origin of the phrase “under your belt”?