On Tue, 2009-02-17 at 15:26 +0100, Per Sjoholm wrote: > There are more than one problem described here and the are connected. > One is the basic how to organize data regarding updates, backup and daily task. > One is SELinux protection. > One is this should NOT be a problem in the first place. > (IT was NOT until target/enforing policy) > > I have systems and try to keep OS and data separated. > This makes backup and updating OS easier. > SELinux chamges things. > Normaly: > Partion 1,2 and 3 contain an OS and 4 is an extend partion with my data. > Then I can install a new OS and prepare it before changing over. > Keeping system running, rebooting into the new version. > Reverting to old OS version by a reboot if needed. > > ONLY OS dependent data(config, deamon ..) is under "/" rest is elsewhere > and the physical file system for /dev/sda5 is mounted under /disk_dev/sda5. > with a mount --bind parts of /disk_dev/<part>/<subdir> get mounted i the proper place. > mount --bind /disk_dev/sda5/projects/A /prj/A > the NFS4 exports is an other example > > Some clients use samba and some NFS parts of the data should be available via httpd, bittorrent. > Some of the files are large and can't be duplicated (symlinked)? > Most data belongs to A project and the project belongs to a group > > SELinux > Using symlinks or an alias in httpd does not work as components in the path > is missing lables as they contain data that ftp,samba or httpd is not ment to read. You should be able to label those symlinks or directory components with a type that is readable by those domains, e.g. public_content_t, or add allow rules via a local policy module to allow those domains to read/search whatever type is presently on those symlinks or directory components. > autorelabel only handles filesystem mounts NOT mount --bind > the result of > doing a touch /.autorelabel; reboot > doing a restorecon -R <path> > > will differ as autorelable does only see the physical mount. > > It's possible to construct file context and they will most likely NOT > work reliable for both autorelabel and restorecon If you can't reorganize your actual filesystem layout (e.g using LVM), then perhaps the easiest solution here would be to disable labeling of the actual file tree under /disk_dev and only use restorecon to label the logical file tree. Steps: 1) Exclude /disk_dev from relabeling. semanage fcontext -a -t "<<none>>" "/disk_dev(/.*)?" 2) Relabel your logical file tree. restorecon -R / -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
