Re: As we develop SELinux we are adding new labels to homedir content

On 06/01/2012 06:14 AM, Lennart Poettering wrote:
> On Thu, 31.05.12 15:44, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:
> 
>> Heya,
>> 
>> We have added file trans by name rules to policy to fix a lot of
>> files/directories being created with the correct label.
>> 
>> We have problems on Distribution updates (F16-F17) though, where there are
>> files/directories in the homedir that are mislabeled.
>> 
>> We have "restorecond -u" which we run in F15/F16 which examines the homedir
>> and fixes any files/directories it finds mislabeled in ~.  If it finds a dir
>> which is mislabeled, it will relabel the directory and all of its children.
>> We have turned this tool off by default on the desktop in F17, because
>> filename transition rules are doing a pretty good job of maintaining the
>> labels in the homedir.  But this tool never did a great job of fixing
>> mislabeled subdirs, if the top level directory in the homedir was labeled
>> correctly.
>> You can enable this tool with /etc/xdg/autostart/restorecond.desktop
>> 
>> One possible fix to this would be to force a system relabel on everything on
>> upgrades; while this would fix the labels, it is considered too time consuming.
>> (restorecon -R -v / or touch /.autorelabel)
>> 
>> Another option would be to just relabel /home (# restorecon -R -v /home) at
>> upgrade time.  But this would also be time consuming, and would not catch the
>> cases where the homedir is not in /home.
> 
> I am strongly for this option. Allowing the user to login while the
> relabel is still in progress (like it would with restorecond, right?)
> sounds like a really bad idea... I mean, incorrect labels when used just
> lead to more incorrect labels, no? And incorrect labels also result in
> access errors? Both sound like something to avoid...
> 
> To me it appears that preupgrade should really take care of this on all
> Fedora release updates.
> 
> If the relabelling is slow, maybe we can do something about that? Do you
> know why it is slow? Is this more IO bound? Or is the label lookup slow
> and this is CPU bound? If the latter it might be possible to parallelize
> the relabelling?
> 
> (I wouldn't care too much about homedirs outside of /home. A note in the
> release notes for such cases should suffice)
> 
> Lennart

How does this affect home dirs which are served over nfs?
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
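The relabel-at-upgrade procedure discussed in the thread, as an added example that is not part of the thread or of Fedora's own tooling: it takes every local account's home directory from passwd(5) data, so homedirs that live outside /home are covered, and then runs restorecon(8) over each of them either as a dry run (-n, report mislabeled paths without changing them) or in fixing mode. The UID >= 1000 cutoff for "regular user" and the exclusion of UID 65534 (nobody) are assumptions about the local UID layout; restorecon must be installed for the relabel step.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: UIDs >= 1000 are regular users (adjustable via $1 of
# list_homedirs), UID 65534 is "nobody", and restorecon(8) is installed.

# list_homedirs: read passwd(5) lines on stdin and print the unique home
# directories of regular users, one per line. Entries with an empty home,
# a home of "/" or a UID below the cutoff are dropped; shared homes are
# printed once.
list_homedirs() {
    min_uid="${1:-1000}"
    awk -F: -v min="$min_uid" '
        NF >= 6 && $3 >= min && $3 != 65534 && $6 != "" && $6 != "/" && !seen[$6]++ {
            print $6
        }'
}

# relabel_homedirs: for each directory read on stdin, list what restorecon
# would change (default, dry run with -n) or relabel it in place when "fix"
# is passed as $1. Missing directories are reported and skipped. Returns
# non-zero if restorecon failed on any directory.
relabel_homedirs() {
    mode="${1:-check}"
    status=0
    while IFS= read -r dir; do
        if [ ! -d "$dir" ]; then
            echo "skip (missing): $dir" >&2
            continue
        fi
        if [ "$mode" = fix ]; then
            restorecon -R -v "$dir" || status=1
        else
            # -n reports mislabeled paths without touching them
            restorecon -R -n -v "$dir" || status=1
        fi
    done
    return "$status"
}

# Typical use on a live system:
#   getent passwd | list_homedirs | relabel_homedirs        # dry run
#   getent passwd | list_homedirs | relabel_homedirs fix    # relabel
```

Running the dry run first gives a count of mislabeled paths per home directory, which is the cheapest way to judge whether a full relabel is worth the time on a given machine before committing to it.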