mount: add rootcontext=@target
authorChristian Göttsche <cgzones@googlemail.com>
Tue, 21 Feb 2023 14:29:59 +0000 (15:29 +0100)
committerChristian Göttsche <cgzones@googlemail.com>
Tue, 21 Feb 2023 15:33:50 +0000 (16:33 +0100)
Add a special value for rootcontext=, namely `@target`, to set the root
context of the new filesystem to the current context of the target
mountpoint.  Useful for in-memory filesystems, like tmpfs and ramfs.

Closes: #1830
libmount/src/context_mount.c
sys-utils/mount.8.adoc

index 7b897345c6ea9cf02176fae2b557bf771dac65d5..eba64b6c2497b38eaa6c4377a115869a46bc8533 100644 (file)
@@ -154,7 +154,9 @@ static int fix_optstr(struct libmnt_context *cxt)
                mnt_reset_iter(&itr, MNT_ITER_FORWARD);
 
                while (mnt_optlist_next_opt(ol, &itr, &opt) == 0) {
-                       if (!is_option(mnt_opt_get_name(opt), selinux_options))
+                       const char *opt_name = mnt_opt_get_name(opt);
+
+                       if (!is_option(opt_name, selinux_options))
                                continue;
                        if (se_rem)
                                rc = mnt_optlist_remove_opt(ol, opt);
@@ -162,9 +164,17 @@ static int fix_optstr(struct libmnt_context *cxt)
                                const char *val = mnt_opt_get_value(opt);
                                char *raw = NULL;
 
-                               rc = selinux_trans_to_raw_context(val, &raw);
-                               if (rc == -1 || !raw)
-                                       rc = -EINVAL;
+                               if (strcmp(opt_name, "rootcontext") == 0 && strcmp(val, "@target") == 0) {
+                                       rc = getfilecon_raw(cxt->fs->target, &raw);
+                                       if (rc <= 0 || !raw)
+                                               rc = errno ? -errno : -EINVAL;
+                                       else
+                                               rc = 0;  /* getfilecon_raw(3) returns the size of the extended attribute value */
+                               } else {
+                                       rc = selinux_trans_to_raw_context(val, &raw);
+                                       if (rc == -1 || !raw)
+                                               rc = -EINVAL;
+                               }
                                if (!rc)
                                        rc = mnt_opt_set_quoted_value(opt, raw);
                                if (raw)
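Review bot: The new `strcmp(val, "@target")` on the rootcontext branch dereferences `val` unconditionally; if `mnt_opt_get_value()` can return NULL for an option written without `=value`, that is a NULL dereference the old code (which only passed `val` through to `selinux_trans_to_raw_context()`) did not have in the same form, so the guard should read `if (strcmp(opt_name, "rootcontext") == 0 && val && strcmp(val, "@target") == 0) {`. The error mapping `rc = errno ? -errno : -EINVAL;` is also reached when `getfilecon_raw()` returns 0 rather than -1, and in that case `errno` has not been set by the call and may be stale from an earlier one; checking `rc < 0` for the errno path and treating `rc == 0 || !raw` as plain `-EINVAL` would keep the reported error honest. A one-line comment such as `/* label the new root like the mountpoint it is about to cover */` above the `getfilecon_raw()` call would document why the target's own context is read. fix_optstr() starts and ends outside this hunk.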
index 318b2fe2393de82ac46c083a1eec7087e4dc3254..5948d33896aa0ca96b56d74acc4e9d3772c0399a 100644 (file)
@@ -508,7 +508,7 @@ The *fscontext=* option works for all filesystems, regardless of their xattr sup
 +
 You can set the default security context for unlabeled files using *defcontext=* option. This overrides the value set for unlabeled files in the policy and requires a filesystem that supports xattr labeling.
 +
-The *rootcontext=* option allows you to explicitly label the root inode of a FS being mounted before that FS or inode becomes visible to userspace. This was found to be useful for things like stateless Linux.
+The *rootcontext=* option allows you to explicitly label the root inode of a FS being mounted before that FS or inode becomes visible to userspace. This was found to be useful for things like stateless Linux. The special value *@target* can be used to assign the current context of the target mountpoint location.
 +
 Note that the kernel rejects any remount request that includes the context option, *even* when unchanged from the current context.
 +