On 12/27/2012 03:08 PM, James A. Peltier wrote:
> ----- Original Message -----
> | On 12/27/2012 06:09 AM, Markku Kolkka wrote:
> | > 27.12.2012 3:03, James A. Peltier wrote:
> | >
> | >> I'm really feeling dense today. I can't find anywhere in the FTP
> | >> man page anything related to SELinux labels.
> | >
> | > See "man ftpd_selinux".
>
> Yet again, this is about setting a SELinux context and not removing it, or
> excluding it from SELinux processing entirely. This is NOT what I want to
> do. Thankfully, Dan Walsh understood the problem and was able to better
> answer it for me.
>
> | Depending on your version, you should be able to add an entry like
> | /exports to
> | /etc/selinux/fixfiles_exclude_dirs
> |
> | And fixfiles should exclude this directory. (Autorelabel/rpm updates)
> |
> | grep fixfiles_exclude_dirs /sbin/fixfiles
>
> However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the
> hosts I have.
>
> [root@daat ~]# which fixfiles
> /sbin/fixfiles
>
> and
>
> [root@daat ~]# grep -i exclude /sbin/fixfiles
>
> returns nothing
>
> but it does exist in Fedora.
>
> | Another way to do this is to add a mount option to the directories
> | mounted at
> | /exports
> |
> | mount -o context="..."
> |
> | Autorelabel does not relabel anything mounted with a context option.
>
> Ok gotcha! So since I'm trying to understand this better in the context of
> an NFS file server what would be the "best" aka least intrusive context
> (perhaps most permissive is a better term)? Perhaps
> unconfined_u:object_r:default_t:s0? A secondary question is why is it
> that
>
> semanage fcontext -a -t "<<none>>" "/exports(/.*)?"
>
> did not work? Shouldn't this tell SELinux not to bother with the directory
> or is it still walking the file system to find files with labels? Thanks
> for your help in better utilizing SELinux BTW. ;)
>

What does matchpathcon /exports/foobar say after you add that rule?

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
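
The thread's second suggestion (mount with context="..." so that autorelabel skips the filesystem) can be audited from the fstab. The script below is an added example, not code from the thread or from fixfiles: it lists the mounts at or below a directory and flags those without a context= option. The function names and the sample fstab are constructed, the context value is the one floated in the question and serves only as sample data, and the script assumes the mounts are declared in an fstab-format file.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample fstab. The context value is the one floated in the
# question above; it is sample data, not a recommended label.
sample_fstab() {
    cat <<'EOF'
# device          mountpoint        type  options                                                dump pass
/dev/vg0/root     /                 ext4  defaults                                               1 1
/dev/vg0/home     /exports/home     ext4  defaults,context="unconfined_u:object_r:default_t:s0"  1 2
/dev/vg0/scratch  /exports/scratch  ext4  defaults,noatime                                       1 2
/dev/vg0/exp2     /exports2         ext4  defaults                                               1 2
EOF
}

# check_context_mounts DIR [FSTAB]
# Prints "<mountpoint> pinned" when the entry has a context= option and
# "<mountpoint> relabel" when it does not. Returns 1 if any entry at or
# below DIR lacks context=.
check_context_mounts() {
    dir=${1%/}
    fstab=${2:-/etc/fstab}
    awk -v dir="$dir" '
        $1 ~ /^#/ || NF < 4 { next }          # comments, blank or short lines
        {
            mp = $2
            # keep DIR itself and paths below it, but not e.g. /exports2
            if (mp != dir && index(mp, dir "/") != 1) next
            state = "relabel"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^context=/) state = "pinned"
            print mp, state
            if (state == "relabel") bad = 1
        }
        END { exit bad + 0 }
    ' "$fstab"
}

# Demo on the constructed sample
tmp=$(mktemp) && sample_fstab > "$tmp"
check_context_mounts /exports "$tmp" || echo "at least one mount under /exports has no context= option"
rm -f "$tmp"
```

On a real host, call check_context_mounts /exports with no second argument to read /etc/fstab.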