Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

On Fri, Jul 26, 2013 at 06:54:16AM -0400, Daniel J Walsh wrote:
> On 07/26/2013 03:40 AM, Florian Weimer wrote:
> > On 07/25/2013 08:55 PM, Daniel J Walsh wrote:
> > 
> >> Labels are applied based on the client rules.  Which does bring up an 
> >> interesting idea of what happens if the server initiates a relabel.
> > 
> > Can we make sure that there's a good chance that the NFS exports reside
> > under a tree that is not subject to relabeling?  Otherwise, that operation
> > would be rather destructive and even insecure.
> > 
> I don't think so.  In the case of remote users directory this is likely but I
> don't see any way we can get a server admin to put exported content under a
> directory path that is labeled correctly on both the client and server.  Of
> course we can recommend this, or explain /etc/selinux/fixfiles_exclude_dirs
> which he can set up to prevent this.
>
<nod>  I think that it may not be immediately obvious to admins what all the
caveats to using this are.  Having good documentation of the implications of
the Change and pointing to that in the Release Notes seems very important to
inform admins of what to expect.

Just for the technical aspect of the change, this seems like a great
improvement :-)

-Toshio


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
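
An offline check for the relabel exposure discussed in the thread, added here as an example (not code from the thread or from Fedora): it lists the NFS exports whose paths are not covered by an entry in /etc/selinux/fixfiles_exclude_dirs. It assumes the exclude file holds one absolute directory per line, with blank lines and # comments ignored; the function names and sample file contents are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs (not from the thread).
SAMPLE_EXPORTS = r"""# constructed example
/srv/nfs/home      192.0.2.0/24(rw)
/export/projects   *.example.com(ro) \
                   198.51.100.7(rw)
"/srv/shared docs" 192.0.2.0/24(rw)
/srv/nfsx\040data  192.0.2.0/24(rw)
"""
SAMPLE_EXCLUDES = "# skip these on relabel\n/srv/nfs/\n\nrelative/ignored\n"

# First field of an exports line: a double-quoted path or a run of non-blanks.
FIRST_FIELD = re.compile(r'\s*(?:"([^"]*)"|(\S+))')

def export_paths(exports_text):
    """Return the exported directory of every entry in exports(5) text."""
    text = exports_text.replace("\\\n", " ")      # join continued lines
    paths = []
    for line in text.splitlines():
        m = FIRST_FIELD.match(line.split("#", 1)[0])   # drop comments
        if m:
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            # exports(5) allows \ooo octal escapes, e.g. \040 for a space
            paths.append(re.sub(r"\\([0-7]{3})",
                                lambda o: chr(int(o.group(1), 8)), raw))
    return paths

def excluded_dirs(excludes_text):
    """Parse exclude-file text (assumed format: one absolute dir per line)."""
    entries = (line.strip() for line in excludes_text.splitlines())
    # Keeping only absolute paths also drops blanks and '#' comments.
    return [PurePosixPath(e) for e in entries if e.startswith("/")]

def exports_subject_to_relabel(exports_text, excludes_text):
    """Exports that no excluded directory equals or contains."""
    excluded = excluded_dirs(excludes_text)
    exposed = []
    for p in map(PurePosixPath, export_paths(exports_text)):
        # Component-wise match: /srv/nfs does not cover "/srv/nfsx data".
        if not any(d == p or d in p.parents for d in excluded):
            exposed.append(str(p))
    return exposed

if __name__ == "__main__":
    for path in exports_subject_to_relabel(SAMPLE_EXPORTS, SAMPLE_EXCLUDES):
        print("not excluded from relabel:", path)
```

The check works on file text only, so it does not confirm that an excluded directory exists on the server.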
