On Thu, 02 Sep 2010 10:40:05 -0400
Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/27/2010 04:14 AM, Paul Howarth wrote:
> > On 27/08/10 07:12, Daniel B. Thurman wrote:
> >>
> >> I have several versions of root distro partitions of which I do
> >> mount via fstab, but of course only one / and /boot partition
> >> is to be defined for the version to be booted.
> >>
> >> What I would like to know is, if I do an /.autorelabel,
> >> for one boot/root partition, does this mean that every
> >> mounted filesystem that appears in /etc/fstab also gets
> >> relabeled? If so, this is not what I want especially if
> >> other root distro partitions are being mounted for example,
> >> say: /md/{distro1, distro2, ...}
> >>
> >> So, How do I get around this? I could comment out
> >> all entries in /etc/fstab except / and /boot (plus the
> >> required entries), touch /.autorelabel, reboot, and once
> >> relabeling is completed, then add back in the commented
> >> out fstab entries, then issue a mount -a. Could I add an option
> >> entry say: NO_RELABEL to certain fstab entries?
> >>
> >> Since I was introduced to the /media since F9, I never could
> >> figure out how to add mounted "media" filesystems, which
> >> is why I added them instead to fstab.
> >>
> >> How do I solve this issue?
> >
> > I create a local policy module for this sort of thing, with a file
> > contexts entry like this:
> >
> > # Don't touch stuff here
> > /srv/homes(/.*)? <<none>>
> >
> > So you could have:
> > ::::::::::::::
> > otherdistros.fc
> > ::::::::::::::
> > /md/distro1(/.*)? <<none>>
> > /md/distro2(/.*)? <<none>>
> >
> > ::::::::::::::
> > otherdistros.te
> > ::::::::::::::
> > policy_module(otherdistros, 0.0.1)
> >
> > Building and installing that module should do the trick.
> >
> > Paul.
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> I have blogged on this.
>
> http://danwalsh.livejournal.com/38157.html

I used to use semanage for this but I find using local policy modules
better for maintainability - it's easier to add, remove, and change
multiple default contexts in one go and it's easy to see what I have
that's different from the stock policy.

Paul.
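
The local-module approach from the thread, applied to the original fstab question, as an added example that is not part of any poster's message: it derives the `<<none>>` file-context entries from the fstab mount points under a prefix and writes the two module files. The function names, the sample fstab, and the assumption that the policy development Makefile is installed at /usr/share/selinux/devel/Makefile are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Module name "otherdistros" and the
# /md prefix follow the thread; function names here are hypothetical.

sample_fstab() {   # constructed sample input, not a real system's fstab
    cat <<'EOF'
# /etc/fstab
UUID=aaaa  /            ext4  defaults  1 1
UUID=bbbb  /boot        ext4  defaults  1 2
UUID=cccc  /md/distro1  ext4  defaults  1 2
UUID=dddd  /md/distro2  ext4  defaults  1 2
UUID=eeee  /md/f13.old  ext4  defaults  1 2
UUID=ffff  /mdx/other   ext4  defaults  1 2
EOF
}

# Read fstab-format text on stdin; for each mount point below PREFIX print
# a file-context line "<path>(/.*)?    <<none>>". Regex metacharacters in
# the path are escaped, since .fc paths are regular expressions.
gen_fc() {
    prefix=${1%/}/
    awk -v p="$prefix" '
        $1 ~ /^#/ || NF < 2 { next }        # skip comments and blank lines
        index($2, p) == 1   { print $2 }' |
    sed -e 's/[][\\.+?*(){}|^$]/\\&/g' -e 's|$|(/.*)?    <<none>>|'
}

# write_module NAME PREFIX [FSTAB] [OUTDIR]: write NAME.fc and NAME.te.
write_module() {
    name=$1; prefix=$2; fstab=${3:-/etc/fstab}; out=${4:-.}
    gen_fc "$prefix" < "$fstab" > "$out/$name.fc"
    printf 'policy_module(%s, 0.0.1)\n' "$name" > "$out/$name.te"
}

# Build and load the module (run as root in the directory holding the files;
# assumes the SELinux policy development Makefile is installed).
build_and_install() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp" &&
    semodule -i "$1.pp"
}

# Show what would go into otherdistros.fc for the sample input.
sample_fstab | gen_fc /md
```

After `write_module otherdistros /md` and `build_and_install otherdistros`, `matchpathcon /md/distro1` should report `<<none>>`, and `semodule -r otherdistros` removes the override again.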