Mounting a dvd/iso with different SELinux fcontext on RHEL9
Posted by useless_debian_user@reddit | linuxadmin | 5 comments
I'm preparing for my RHCE, and on one test exam, one block of tasks wants the RHEL ISO mounted on /var/ftp/repo.
When using default settings, the ISO gets mounted as iso9660_t, when I'd need it to mount as public_content_t.
Obviously if I set SELinux to permissive/disabled, it "works", but that's not the right way to go about things.
The whole dance of adding fcontext with semanage and restorecon doesn't work either:
[qwe@controller exama]$ sudo semanage fcontext -a -t public_content_t "/var/ftp/repo(/.*)?"
[qwe@controller exama]$ sudo restorecon -Rv /var/ftp/repo
[qwe@controller exama]$ ls -Zd /var/ftp/repo
system_u:object_r:iso9660_t:s0 /var/ftp/repo
What I would obviously need to do is mount the ISO somewhere else, copy the contents to /var/ftp/repo, then run restorecon against it. I just don't understand why the test exam was written this way.
I ran through man fstab and mount, and there's the {fs,}context='whatever:values' options to use with regular filesystems, but that doesn't seem to work with ISO files, as mount gives err32 (mount: /var/ftp/repo: wrong fs type, bad option, bad superblock on /dev/sr0, missing codepage or helper program, or other error.)
To me it feels like this test exam was not tested, or was tested with SELinux disabled.
theqat@reddit
I spent like six hours researching this for my own study and finally found that using the ansible mount module with loop and context=system_u:object_r:public_content_t:s0 in the opts field works. Anything less than the fully-specified SELinux context will get you a mount error.
I finally arrived at this by looking into the /var/log/messages errors.
TomAndJerryCat@reddit
It took me forever to figure this one out, but this is how you do it:
Use the "opts" parameter of the "mount" module to set 'context=the-proper-selinux-context-for-vsftpd' when you mount the iso to /var/ftp/repo. I just tested this, and it works fine.
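Putting the two answers above together, here is an added example (not posted by anyone in the thread) of the mount-module approach with a fully specified context, followed by a check of the resulting label. The ISO path and the ansible.posix collection being installed are assumptions.

```yaml
---
# Mount the RHEL ISO on /var/ftp/repo with the vsftpd public-content label.
# iso9660 has no xattr support, so semanage/restorecon cannot relabel it;
# the context= mount option applies one label to the whole mount instead.
- name: Mount RHEL ISO for the FTP repo with an SELinux context
  hosts: controller
  become: true
  vars:
    rhel_iso: /root/rhel-9.iso          # assumed location of the ISO
    repo_mount: /var/ftp/repo
    # The full user:role:type:level string is required; a bare type fails.
    repo_context: system_u:object_r:public_content_t:s0
  tasks:
    - name: Ensure the mount point exists
      ansible.builtin.file:
        path: "{{ repo_mount }}"
        state: directory
        mode: "0755"

    - name: Mount the ISO (also writes the /etc/fstab entry)
      ansible.posix.mount:
        path: "{{ repo_mount }}"
        src: "{{ rhel_iso }}"
        fstype: iso9660
        opts: "loop,ro,context={{ repo_context }}"
        state: mounted

    - name: Read back the label on the mount point
      ansible.builtin.command: ls -Zd {{ repo_mount }}
      register: repo_label
      changed_when: false

    - name: Fail the play if the label is not public_content_t
      ansible.builtin.assert:
        that:
          - "'public_content_t' in repo_label.stdout"
        fail_msg: "{{ repo_mount }} is labelled {{ repo_label.stdout }}"
```

Because the label comes from the mount option rather than from file xattrs, it has to be present in the fstab entry to survive a reboot, which is why the task uses state: mounted rather than mounting by hand.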
808estate@reddit
The ISO gets mounted as read only so you wouldn't be able to change the permissions.
Would you be allowed to do the old
grep denied /var/log/audit.log | audit2allow -M my-module; semodule -i my-module.pp
trick?
Mehoyer@reddit
This method is more about addressing SELinux denials for operations rather than setting specific SELinux contexts on files or directories. In your case, where you want the ISO contents to have a public_content_t context when mounted, the primary challenge is the ISO’s read-only nature and the lack of xattr support, which this method doesn’t directly address.
Mehoyer@reddit
Your observation is correct; the usual process involving semanage fcontext and restorecon does not apply here because these commands affect the file system’s labeling, and an ISO’s contents do not change when mounted—it’s a read-only snapshot of the data.
The approach you mentioned—mounting the ISO to a different location, copying the files to the target directory (/var/ftp/repo), and then applying restorecon to set the correct context—is the practical workaround. This process is effective because once the files are copied to a file system that supports SELinux contexts (like ext4 or xfs), you can manage their contexts.
Regarding the test exam setup, it’s possible the intent was to test your understanding of SELinux and mounting, and to see if you could come up with a creative solution to apply the correct SELinux context in a situation where the direct approach doesn’t work.