-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/02/2010 01:45 PM, Daniel B. Thurman wrote:
> On 09/02/2010 07:40 AM, Daniel J Walsh wrote:
>> On 08/27/2010 04:14 AM, Paul Howarth wrote:
>>> On 27/08/10 07:12, Daniel B. Thurman wrote:
>>>>
>>>> I have several versions of root distro partitions of which I do
>>>> mount via fstab, but of course only one / and /boot partition
>>>> is to be defined for the version to be booted.
>>>>
>>>> What I would like to know is, if I do an /.autorelabel,
>>>> for one boot/root partition, does this mean that every
>>>> mounted filesystem that appears in /etc/fstab also gets
>>>> relabeled? If so, this is not what I want, especially if
>>>> other root distro partitions are being mounted, for example,
>>>> say: /md/{distro1, distro2, ...}
>>>>
>>>> So, how do I get around this? I could comment out
>>>> all entries in /etc/fstab except / and /boot (plus the
>>>> required entries), touch /.autorelabel, reboot, and once
>>>> relabeling is completed, then add back in the commented
>>>> out fstab entries, then issue a mount -a. Could I add an option
>>>> entry say: NO_RELABEL to certain fstab entries?
>>>>
>>>> Since I was introduced to /media since F9, I never could
>>>> figure out how to add mounted "media" filesystems, which
>>>> is why I added them instead to fstab.
>>>>
>>>> How do I solve this issue?
>>
>>> I create a local policy module for this sort of thing, with a file
>>> contexts entry like this:
>>
>>> # Don't touch stuff here
>>> /srv/homes(/.*)? <<none>>
>>
>>> So you could have:
>>> ::::::::::::::
>>> otherdistros.fc
>>> ::::::::::::::
>>> /md/distro1(/.*)? <<none>>
>>> /md/distro2(/.*)? <<none>>
>>
>>> ::::::::::::::
>>> otherdistros.te
>>> ::::::::::::::
>>> policy_module(otherdistros, 0.0.1)
>>
>>> Building and installing that module should do the trick.
>>
>>> Paul.
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> I have blogged on this.
>>
>> http://danwalsh.livejournal.com/38157.html
>
> Yes, it's good to know, and it should help users who
> are faced with similar situations.
>
> My choice was to update only the fstab file for each and
> every mount entry. The only question in my mind is, by
> having different fstabs, could relabels occur depending on
> which OS is booted, or is the context a mask that leaves
> the "actual underlying context" alone?
>
> For example:
>
> 1) F12: /etc/fstab:
> LABEL=RF12D1 / ext4 defaults 1 1
> LABEL=BF12D1 /boot ext4 defaults 1 2
> [...]
> LABEL=RF13D3 /md/RF13D3 ext4 context=system_u:object_r:root_t:s0,defaults 0 0
>
> 2) F13: /etc/fstab:
> LABEL=RF13D3 / ext4 defaults 1 1
> LABEL=BF13D3 /boot ext4 defaults 1 2
> [...]
> LABEL=RF12D1 /md/RF12D1 ext4 context=system_u:object_r:root_t:s0,defaults 0 0
>
> Does this mean that if I boot F12, the RF13D3 / partition would be
> relabeled as root_t, and if I boot F13, the RF12D1 / partition would
> be relabeled as root_t? I note that the entire mounted /md/X file
> contents are seen as root_t context. Could this cause any problems?
>
No, no relabeling will happen. Although if, while booted into F12, you
created a file anywhere within the F13 tree, the file might get created
with the root_t label.

> It is interesting to note that for the /md/X/ mounted filesystem, a root
> user cannot change the / files, whereas / subdirectory files can be
> changed/modified.
>
> The workaround is to unmount the /md/X filesystem, remount it
> as default, make the change, unmount again, and then mount -a, OR
> simply reboot to the OS and make the changes in the normal way.
>
That is strange, what AVC are you seeing?

> But as it is, it seems to work well, and more importantly, only / and
> /boot are relabeled if /.autorelabel is touched; all other /md mounts
> are not traversed during the auto-relabeling phase AFAIK because
> all I see is stars (*).
>
> Thanks for your help!
> Dan
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyAAHYACgkQrlYvE4MpobPiTgCguoZQOP1r6V8aEdJ9A9TgTW8l
v0AAn2Gh2C/OqjrI4r6/FXMcQXGf3Iuy
=l17l
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
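A scripted version of the local-module approach Paul describes in the thread, added here as an example that is not part of the original thread or of any Fedora package: it writes the otherdistros.fc / otherdistros.te pair for a list of mount points, marking each as `<<none>>` so that restorecon, setfiles and the /.autorelabel pass leave those trees alone, and it only builds and loads the module when the selinux-policy-devel Makefile is present. The function names, the output directory argument and the build guard are assumptions of this example.

```shell
#!/bin/sh
# Example (not from the thread): generate and optionally build a local
# SELinux policy module that excludes other distros' mount points from
# relabeling via <<none>> file-context entries.

# gen_otherdistros_module DIR PATH...
# Writes DIR/otherdistros.fc with one "<<none>>" entry per PATH and a
# minimal DIR/otherdistros.te declaring the module.
gen_otherdistros_module() {
    dir=$1; shift
    mkdir -p "$dir"
    : > "$dir/otherdistros.fc"
    for p in "$@"; do
        # "(/.*)?" covers the mount point itself and everything below it;
        # "<<none>>" tells setfiles/restorecon not to touch those paths.
        printf '%s(/.*)?\t<<none>>\n' "$p" >> "$dir/otherdistros.fc"
    done
    cat > "$dir/otherdistros.te" <<'EOF'
policy_module(otherdistros, 0.0.1)
EOF
}

# count_none_entries FILE: number of <<none>> lines in an .fc file,
# handy as a sanity check before building.
count_none_entries() {
    grep -c '<<none>>' "$1"
}

# build_and_install DIR: compile otherdistros.pp with the reference-policy
# devel Makefile and load it with semodule. Skips cleanly (exit 0) when the
# selinux-policy-devel tree is not installed, so the script stays usable
# on a machine that only generates the files.
build_and_install() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile otherdistros.pp) \
        && semodule -i "$dir/otherdistros.pp"
}

# check_coverage PATH: after the module is loaded, matchpathcon should
# report "<<none>>" for any file under an excluded tree. Prints the
# result when matchpathcon is available; otherwise says so and returns 0.
check_coverage() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon "$1"
    else
        echo "matchpathcon not available; cannot verify $1" >&2
        return 0
    fi
}
```

Typical use is `gen_otherdistros_module /tmp/otherdistros /md/distro1 /md/distro2`, then `build_and_install /tmp/otherdistros`, then `check_coverage /md/distro1/etc/passwd`, which should print the path followed by `<<none>>`; a dry run such as `restorecon -Rnv /md/distro1` should then report nothing to change, which is the same check the autorelabel pass relies on.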