On Mon, 18 Apr 2005 20:36:40 +1000, Russell Coker said:

> On Tuesday 22 February 2005 12:15, Valdis.Kletnieks@xxxxxx wrote:
> > At least at one point in time, I was seeing random avc errors on mount
> > points that made absolutely no sense - I'd do an 'ls -Z' and it would look
> > OK. Finally twigged in that I needed to unmount the file system, relabel
> > the *directory*, and then remount. Seem to remember /usr/share and
> > /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4
> > different file systems on my box).
>
> In those cases a dontaudit rule will usually do the job. If the file system
> is not mounted then there's nothing that the application can usefully do
> under the mount point, and usually ENOENT and EACCESS get the same
> code paths in most applications that try to open files.

In my case, actually labelling the directories correctly was the better fix.

What I got bit by was that all previous relabels had happened with filesystems
mounted - so (for instance) the directory seen as /usr got labelled as usr_t.
During early boot, I'd have a complaint about it being something else, I'd go
back and check it, and it was usr_t. Finally brought the box up in very
single-user, unmounted /usr - and the underlying directory *wasn't* usr_t... ;)
Found out /boot and /var had similar issues, cleared up by relabelling the
mountpoint directories...

Not sure if/how to fix this for the general case - it almost requires multiple
passes - first labelling / (so mountpoint dirs like /boot and /usr and /var get
labelled), then mounting those filesystems and labelling them, then repeating
for any subdirs (on my laptop, /usr/share and /usr/local bit me, on another box
that hosts a database it's /var/lib/mysql).

(For all I know, the current 'filesystems' RPM gets this all correct for new
systems and boot-from-CD based upgrades, and I got bit only because I've just
'rpm -Fvh'-ed all the way along, and not done a clean install.)

Personally, I'm not thrilled by the idea of sticking in dontaudit rules to
quiet complaints at boot time that are caused by directories that are
mislabelled. Thoughts?
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
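The multi-pass problem described in the message above (the directory under a mountpoint keeps whatever label it had when it was last relabelled while unmounted) can be audited without dropping to single-user mode. The script below is an added example by the editor, not code from the thread or from Fedora: it uses the fact that a non-recursive bind mount of the parent filesystem (`mount --bind`, not `--rbind`) exposes the directory hidden beneath each mountpoint, and compares that directory's label with what the policy expects for the real path. Assumed tools and names: GNU `stat -c %C`, `matchpathcon -n` and `chcon` from policycoreutils, root privileges for the mount step, and a scratch directory `$SCRATCH` (the default `/mnt/rootfs` is our own choice). The two parsing helpers need none of that and work on any mount table in `/proc/mounts` format.

```shell
#!/bin/sh
# Added example (editor's, not from the list thread): report mountpoint
# directories whose *underlying* label (the one seen only when the filesystem
# is unmounted) disagrees with what the policy expects for that path.
# Assumptions: GNU stat, matchpathcon/chcon, root, and scratch dir $SCRATCH.

set -u

# parent_mount MOUNTPOINT  (mount table in /proc/mounts format on stdin)
# Prints the mountpoint of the filesystem that holds the directory MOUNTPOINT
# sits on: the longest other mountpoint that is a proper path prefix, else /.
parent_mount() {
    awk -v t="$1" '
        $2 == "/" { next }
        { m = $2
          if (m != t && index(t, m "/") == 1 && length(m) > length(best)) best = m }
        END { print (best == "" ? "/" : best) }'
}

# mountpoints  (mount table on stdin)
# Prints every non-root mountpoint backed by a device node (pseudo filesystems
# such as proc, sysfs and tmpfs are skipped), shallowest first, so a parent
# like /usr is handled before /usr/local.
mountpoints() {
    awk '$2 != "/" && $1 ~ /^\// { print $2 }' \
        | awk '{ depth = gsub("/", "/"); print depth, $0 }' \
        | sort -k1,1n -k2,2 | cut -d' ' -f2-
}

# check_underlying MOUNTPOINT PARENT
# Bind-mounts PARENT at $SCRATCH, reads the label of the directory hidden
# beneath MOUNTPOINT, and compares it with the policy's expectation for the
# real path. The lookup deliberately uses MOUNTPOINT, not the scratch path:
# running restorecon on /mnt/rootfs/usr would match "/mnt/rootfs/usr" against
# file_contexts and set the wrong type. Set FIX=1 to apply the fix with chcon.
SCRATCH=${SCRATCH:-/mnt/rootfs}
check_underlying() {
    mp=$1; parent=$2
    rel=${mp#"$parent"}; rel=${rel#/}          # path of mp relative to parent
    mkdir -p "$SCRATCH" || return 1
    mount --bind "$parent" "$SCRATCH" || return 1
    hidden="$SCRATCH/$rel"
    want=$(matchpathcon -n "$mp")
    have=$(stat -c %C "$hidden")
    if [ "$want" != "$have" ]; then
        echo "$mp: underlying directory is $have, policy expects $want"
        if [ "${FIX:-0}" = 1 ]; then chcon "$want" "$hidden"; fi
    fi
    umount "$SCRATCH"
}

# audit_mountpoints: run the check over the live mount table.
audit_mountpoints() {
    table=$(cat /proc/mounts)
    printf '%s\n' "$table" | mountpoints | while read -r mp; do
        parent=$(printf '%s\n' "$table" | parent_mount "$mp")
        check_underlying "$mp" "$parent"
    done
}

# Only touch the live system when explicitly asked: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_mountpoints
fi
```

Run it as `sh mountlabels.sh --run` (report only) or `FIX=1 sh mountlabels.sh --run` to relabel. Ordering shallowest-first matters for the case in the message: /usr/local sits on the /usr filesystem, so its hidden directory is checked through a bind mount of /usr, not of /.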