-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/01/2012 08:10 AM, Bill Peck wrote: > On 06/01/2012 06:14 AM, Lennart Poettering wrote: >> On Thu, 31.05.12 15:44, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote: >> >> Heya, >> >>> We have added file trans by name rules to policy to fix a lot of >>> files/directories being created with the correct label. >>> >>> We have problems on Distribution updates (F16-F17) though, where there >>> is a files/directories in the homedir that are mislabeled. >>> >>> We have "restorecond -u" which we run in F15/F16 which examines the >>> homedir and fixes any files directories it finds mislabeled in ~. If >>> it finds a dir which is mislabeled, it will relabel the directory and >>> all of its children. We have turned this tool off by default on the >>> desktop in F17, because filename transition rules are doing a pretty >>> good job of maintaining the labels in the homedir. But this tool never >>> did a great job of fixing mislabeled subdirs, if the top level >>> directory in the homedir was labeled correctly. You can enable this >>> tool with /etc/xdg/autostart/restorecond.desktop >>> >>> One possible fix to this would be to force a system relabel on >>> everything on upgrades, while this would fix the labels, it is >>> considered to time consuming. (restorecon -R -v / or touch >>> /.autorelabel) >>> >>> Another option would be to just relabel /home (# restorecon -R -v >>> /home) at upgrade time. But this would also be time consuming. And >>> would not catch the cases where the homedir is not in /home. >> I am strongly for this option. Allowing the user to login while the >> relabel is still in progress (like it would with restorecond, right?) >> sounds like a really bad idea... I mean, incorrect labels when used just >> lead to more incorrect labels, no? And incorrect labels also result in >> access errors? Both sound like something to avoid... >> >> To me it appears that preupgrade should really take care of this on all >> Fedora release updates. >> >> If the relabelling is slow, maybe we can do something about that? Do you >> know why it is slow? Is this more IO bound? Or is the label lookup slow >> and this is CPU bound? If the latter it might be possible to parallelize >> the relabelling? >> >> (I wouldn't care too much about homedirs outside of /home. A not in the >> release notes for such cases should suffice) >> >> Lennart >> > > How does this affect home dirs which are served over nfs? It would not, restorecon checks to see if the file system supports SELinux labels, if not it exits immediately. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/IwLkACgkQrlYvE4MpobNAAQCfS/CgjBpA/Lpa9Jq5PK836MAw i9EAn1woncYuNKpCP8XILq1FtK3Y+PEq =47g+ -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
