On Wed, Jan 12, 2011 at 7:07 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
On 01/12/2011 04:03 PM, Paul Howarth wrote:
> On Wed, 12 Jan 2011 13:02:21 -0500
> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> On 01/12/2011 06:29 AM, Paulo Cavalcanti wrote:
>>> Hi,
>>>
>>> I have two HDs on my computer: one with rhel5 5.5 and the other with
>>> fedora 14.
>>> Both systems share some directories located in a common /home,
>>> mainly used by the httpd process.
>>>
>>> The problem is that selinux in fedora 14 uses "unrestricted_u" by
>>> default for all users, which rhel5 does not understand,
>>> and any file labeled that way is treated as "unlabeled_t" in rhel5.
>>>
>>> I tried to relabel all files in Fedora 14 using "chcon -R -u user_u
>>> -t user_home_t" , for instance,
>>> but every new file is still created as "unrestricted_u".
>>>
>>> I know very little about selinux, and I would like to know how to
>>> force all files in F14 to be user_u,
>>> but keeping the user owning those files, unrestricted.
>>>
>>> Is that possible? Is there a better solution for not having tons of
>>> denials in rhel5?
>>>
>>> Thanks.
>>>
>>> --
>>> Paulo Roma Cavalcanti
>>> LCG - UFRJ
>>>
>> One solution would be to mount with a context on one of the platforms.
>>
>> On RHEL5 mount the users homedir with a context of nfs_t, and set the
>> boolean to say allow nfs homedirs
>>
>>
>> mount -o context="system_u:object_r:nfs_t:s0" /dev/ABC /home
>> setsebool -P use_nfs_home_dirs 1
>
> What happens with newly-created files whilst booted in RHEL-5 in this
> case? What will Fedora 14 see them as?
>
> Paul.
nfs_t, I think so Stephen's solution is probably better? I would hope in
Stephen's solution they would be labeled user_home_t. But it would
probably be smart to run restorecon -R -v ~/ when you log in on F14
I would like to thank you all for the suggestions.
In rhel5, I changed my fstab this way:
LABEL=/home /home ext4 defaults,context=user_u:object_r:user_home_t:s0 1 2
All the files labelled "unconfined_u:object_r:user_home_t:s0" in F14 are seen
as "user_u:object_r:user_home_t:s0" in rhel5, and my /var/log/messages is no longer
full of denials.
However, even allowing httpd to read user content on rhel5 (files labelled user_home_t, I guess),
I still get some warnings from selinux troubleshooter. Does this flag really work on rhel5?
Does anyone think that using nfs_t (and setsebool -P use_nfs_home_dirs 1) would make any difference?
Also, does anyone know whether rhel6 will be more "Fedora like", from an selinux point of view?
Cheers.
Paulo Roma Cavalcanti
LCG - UFRJ
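
An added example, not part of the original thread: a small Python check that reads an fstab, reports which SELinux context-style mount options apply to a shared mount point such as /home, and flags labels whose SELinux user is not defined on the other system. The function names, the sample fstab, and the list of users assumed to exist on the older system are constructed for illustration.

```python
import re

# SELinux users assumed to exist on the older system (constructed for this
# example; on a real host, list them with `semanage user -l`).
RHEL5_USERS = {"system_u", "user_u", "root"}

CONTEXT_OPTS = ("context", "fscontext", "defcontext", "rootcontext")

def split_options(opts):
    """Split mount options on commas, keeping double-quoted values whole
    (an MLS level such as s0:c1,c2 contains a comma and must be quoted)."""
    return [m.group(0) for m in re.finditer(r'(?:[^,"]|"[^"]*")+', opts)]

def parse_context(value):
    """Return (user, role, type, level) from user:role:type[:level]."""
    parts = value.strip('"').split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("not a SELinux context: %r" % value)
    return tuple(parts[:3]) + (parts[3] if len(parts) == 4 else None,)

def mount_contexts(fstab_text, mount_point):
    """Map each context-style option set on mount_point to its parsed context."""
    found = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[1] != mount_point:
            continue
        for opt in split_options(fields[3]):
            key, _, value = opt.partition("=")
            if key in CONTEXT_OPTS:
                found[key] = parse_context(value)
    return found

def unknown_user(label, known_users=RHEL5_USERS):
    """True when the label's SELinux user is not defined on the target system."""
    return parse_context(label)[0] not in known_users

# Constructed sample input, modelled on the fstab line quoted in the thread.
SAMPLE_FSTAB = """\
# constructed sample
LABEL=/     /     ext4 defaults 1 1
LABEL=/home /home ext4 defaults,context=user_u:object_r:user_home_t:s0 1 2
"""

if __name__ == "__main__":
    print(mount_contexts(SAMPLE_FSTAB, "/home"))
    print(unknown_user("unconfined_u:object_r:user_home_t:s0"))
```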
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel