Re: SELinux - a question about external drive after upgrade

Mike wrote:
> Daniel J Walsh <dwalsh <at> redhat.com> writes:
> 
>> If you are going to be moving this disk back and forth between selinux
>> enabled and disabled machines, and the files back and forth on the disk,
>> you really should use a context mount on the SELinux platform to ignore
>> labels on the disk.
> 
> I hope not to do so but could envisage a need very occasionally.
> 
> The other thing I note is that reading "man mount" gives options
> context, fscontext and defcontext - on the first time I do this I am 
> unclear as to whether a fsmount with the appropriate context would then
> set up the existing filesystem with the new context, and then using
> rsync -aXH from another machine on the LAN to re-write the files on the
> drive attached to the desktop would then correctly assign the backup files
> with the same contexts as on the source laptop?
> 
> That way presumably only the filesystem would have contexts until individual
> files were overwritten during the rsync backup? Using restorecon before this
> would presumably then write contexts into all files on the backup drive, 
> which I usually have in a number of different directories to house backups
> from a number of different machines.
> 
> It would be nice to understand enough so that I have a chance to get it right
> once I do this for real after upgrading the main machine.
> 
> The other question I am unsure about is once the external drive has been
> correctly mounted and a context assigned, and a set of backup files written
> with contexts - then the next time I plug in the drive would it be mounted
> automatically with the contexts visible - or would I have to mount it
> "manually" with the appropriate context options?
> 
If you mount with a "context=" flag no context will get placed on the disk.

You may/probably do not want the files on this backup to have the
labels, and often are better off calling restorecon when placing them
back on disk.  If you have different policies on different machines, the
layout of file context may be different and in some cases the types on
one machine might not be understood on another.

By placing the files back on a machine and running restorecon, you are
saying that you want the files labeled according to the policy of the
current machine.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
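
Added example, not part of the original message: a pre-backup check for the context mount discussed in the reply above. It reads /proc/mounts-format lines and refuses to proceed unless the backup drive was mounted with context=. The mount points, device names and the removable_t type are assumed sample values.

```shell
#!/bin/sh
# Workflow this check supports (commands shown for reference only, not run here):
#   backup host:   mount -o context="system_u:object_r:removable_t:s0" /dev/sdb1 /mnt/backup
#   after restore: restorecon -R /path/to/restored/files   # relabel per local policy

# Print the context= value a mount point was mounted with, or nothing.
# $1 = mount point, $2 = file in /proc/mounts format (default: /proc/mounts).
# fscontext=, defcontext= and rootcontext= are deliberately not matched.
mount_context() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/mounts}" |
        sed -n -E \
            -e 's/^(.*,)?context="([^"]*)".*$/\2/p' \
            -e t \
            -e 's/^(.*,)?context=([^,]*).*$/\2/p'
}

# Succeed (and print the context) only when the drive is context-mounted,
# i.e. labels on the disk are ignored and none are placed on it.
require_context_mount() {
    ctx=$(mount_context "$1" "${2:-/proc/mounts}")
    if [ -z "$ctx" ]; then
        echo "refusing: $1 is not mounted with context=" >&2
        return 1
    fi
    echo "$ctx"
}

# Constructed sample in /proc/mounts format (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /mnt/backup ext4 rw,context=system_u:object_r:removable_t:s0,relatime 0 0
/dev/sdc1 /mnt/labeled ext4 rw,seclabel,relatime 0 0
/dev/sdd1 /mnt/mls ext4 rw,context="system_u:object_r:removable_t:s0:c1,c2",relatime 0 0
/dev/sde1 /mnt/def ext4 rw,seclabel,defcontext=system_u:object_r:removable_t:s0 0 0
EOF
}
```

In a backup script, call `require_context_mount /mnt/backup || exit 1` before the rsync step so an automounted, label-honouring mount of the drive is caught first.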