Re: Excluding file systems from autorelabel




----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
| 
| On 12/27/2012 06:09 AM, Markku Kolkka wrote:
| > 27.12.2012 3:03, James A. Peltier kirjoitti:
| > 
| >> I'm really feeling dense today.  I can't find anywhere in the FTP
| >> man
| >> page anything related to SELinux labels.
| > 
| > See "man ftpd_selinux".

Yet again, this is about setting an SELinux context and not removing it, or excluding it from SELinux processing entirely.  This is NOT what I want to do.  Thankfully, Dan Walsh understood the problem and was able to better answer it for me.


| Depending on your version, you should be able to add an entry like
| /exports to
|  /etc/selinux/fixfiles_exclude_dirs
| 
| And fixfiles should exclude this directory. (Autorelabel/rpm updates)
| 
| grep fixfiles_exclude_dirs /sbin/fixfiles

However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the hosts I have.

[root@daat ~]# which fixfiles
/sbin/fixfiles

and 
[root@daat ~]# grep -i exclude /sbin/fixfiles

returns nothing

but it does exist in Fedora.

| Another way to do this is to add a mount option to the directories
| mounted at
| /exports
| 
| mount -o context="..."
| 
| Autorelabel does not relabel anything mounted with a context option.


Ok gotcha!  So since I'm trying to understand this better in the context of an NFS file server what would be the "best" aka least intrusive context (perhaps most permissive is a better term)?  Perhaps unconfined_u:object_r:default_t:s0?  A secondary question is why is it that

   semanage fcontext -a -t "<<none>>" "/exports(/.*)?"

did not work?  Shouldn't this tell SELinux not to bother with the directory or is it still walking the file system to find files with labels?  Thanks for your help in better utilizing SELinux BTW. ;)

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier@xxxxxx
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier

"The smartest people are constantly revising their understanding, reconsidering a problem they thought they’d already solved. They’re open to new points of view, new information, new ideas, contradictions, and challenges to their own way of thinking." - Jeff Bezos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
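The two mechanisms discussed in this thread (the fixfiles_exclude_dirs list that newer fixfiles honours, and the context= mount option that autorelabel leaves alone) can be checked and generated with a few lines of shell. The script below is an added example, not code posted by anyone on the list. It assumes a device /dev/sdb1 mounted at /exports and uses system_u:object_r:public_content_rw_t:s0 purely as an illustrative label; the fixfiles fragments and the /proc/mounts-style listing it reads are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from any
# distribution. Three helpers around "keep /exports out of autorelabel":
#   fixfiles_supports_exclude - does a given fixfiles script reference
#                               /etc/selinux/fixfiles_exclude_dirs?
#   fstab_context_entry       - build an /etc/fstab line that uses the
#                               context= mount option autorelabel skips
#   mount_has_context         - does a /proc/mounts-style listing show a
#                               context= option for a mount point?
# Device, mount point and label below are assumptions; the fixfiles
# fragments and the mounts listing are constructed samples.

# Exit 0 if the fixfiles script at $1 references fixfiles_exclude_dirs
# (the grep suggested in the thread, pointed at an arbitrary file).
fixfiles_supports_exclude() {
    grep -q 'fixfiles_exclude_dirs' "$1"
}

# Print an /etc/fstab entry mounting $1 on $2 (fs type $3) with the
# SELinux context $4 applied to every file on the mount. A context= mount
# has no per-file labels: chcon/restorecon cannot change them, and
# autorelabel leaves the mount alone.
fstab_context_entry() {
    printf '%s %s %s defaults,context=%s 0 0\n' "$1" "$2" "$3" "$4"
}

# Exit 0 if the mounts listing in $1 (e.g. /proc/mounts) shows a context=
# option on mount point $2. Field 4 of /proc/mounts holds the options;
# wrapping it in commas makes the match exact (",context=").
mount_has_context() {
    awk -v mp="$2" '$2 == mp && ("," $4 ",") ~ /,context=/ { found = 1 }
                    END { exit !found }' "$1"
}

# --- constructed sample input -------------------------------------------
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Older fixfiles: no exclusion support (what the CentOS 5/6 hosts showed).
cat > "$SAMPLES/fixfiles.old" <<'EOF'
#!/bin/sh
# constructed fragment of an older fixfiles
setfiles -q "$FC" $*
EOF

# Newer fixfiles: reads the exclusion list (what Fedora ships).
cat > "$SAMPLES/fixfiles.new" <<'EOF'
#!/bin/sh
# constructed fragment of a newer fixfiles
if [ -e /etc/selinux/fixfiles_exclude_dirs ]; then
    exclude_dirs=$(sed 's/^/-e /' /etc/selinux/fixfiles_exclude_dirs)
fi
EOF

# /proc/mounts-style listing: root labelled normally, /exports mounted
# with a fixed context (label is an assumption for the example).
cat > "$SAMPLES/mounts" <<'EOF'
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /exports ext4 rw,context=system_u:object_r:public_content_rw_t:s0,relatime 0 0
EOF

# --- demonstration -------------------------------------------------------
for f in fixfiles.old fixfiles.new; do
    if fixfiles_supports_exclude "$SAMPLES/$f"; then
        echo "$f: honours /etc/selinux/fixfiles_exclude_dirs"
    else
        echo "$f: no exclusion support, use a context= mount instead"
    fi
done

echo "fstab line:"
fstab_context_entry /dev/sdb1 /exports ext4 system_u:object_r:public_content_rw_t:s0

for mp in / /exports; do
    if mount_has_context "$SAMPLES/mounts" "$mp"; then
        echo "$mp: context= mount, autorelabel will skip it"
    else
        echo "$mp: ordinary labelled mount, autorelabel will walk it"
    fi
done
```

Two caveats when using the context= route on a real NFS server: the whole file system gets exactly one label, so anything that later needs a different type (per-directory exports, a subtree served by another daemon) has to live on its own mount; and if the label carries MCS categories separated by commas, quote the option value (context="...") so mount does not split it on the comma.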