I'm managing an amazon virtual machine, with 8G / partition, and a larger secondary storage device attached. I enabled selinux, and I'm trying to make things work (and keep things secure) while migrating some things such as the ldap & mysql directories to the second device.

As far as I know, simply extending the / partition isn't an option (not LVM) ... Conceivably I could just make a clone larger machine, but there are a lot of advantages to having the separate storage device... which can be LVM, and prevents the / filesystem from getting filled up, and can be detached/reattached to other machines, etc etc. So I'm trying like heck to keep the second storage device separate.

Here's the problem: I mount /data, and now I've got to move & preserve things like the /var/lib/mysql directory to a subdir of /data, while preserving selinux types and everything. I started out by simply mimicking the / structure ...

    sudo mount /data
    sudo mkdir -p /data/var/lib
    sudo chown --reference=/ /data
    sudo chcon --reference=/ /data
    sudo chmod --reference=/ /data
    sudo chown --reference=/var /data/var
    sudo chcon --reference=/var /data/var
    sudo chmod --reference=/var /data/var
    sudo chown --reference=/var/lib /data/var/lib
    sudo chcon --reference=/var/lib /data/var/lib
    sudo chmod --reference=/var/lib /data/var/lib

And finally

    cd /var/lib ; sudo tar cpf - --selinux mysql | (cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -

I understand that chcon is not persistent... And after all the above was done, I meticulously examined all the contexts of all those directories and confirmed they do match the original... Unfortunately, as soon as I start mysqld, the context of /data/var/lib/mysql gets reset. I don't know how or why that is happening, but I presume it's because I haven't set the fcontext.

So ... I want to write a script that walks through the whole /var/lib/mysql directory, and creates matching fcontexts for /data/var/lib/mysql. Better yet ... I would like to create fcontext applied to /data which is a complete replica of /

Here is where I'm getting stuck. I can do "semanage fcontext -l" and I see all the information, but it's not in a format that's suitable to modify and feed back into semanage. I can do "semanage -o -" but it only says "fcontext -D" which is not helpful. I can't seem to find any combination of commands that will allow me to get all the fcontexts of / (or a relatively large subdir of /) and modify them with the /data prefix to feed back into semanage.

Help please? Thanks...
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
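The following is an added example, not part of the original post or of any reply on the list. It shows two ways to get the labels the poster is after: a single `semanage fcontext -a -e` path-equivalence rule (which makes policy label everything under /data/var/lib/mysql as it would label /var/lib/mysql), and, for the "feed `semanage fcontext -l` back in" approach the poster was stuck on, an awk filter that turns the listing into one `semanage fcontext -a` command per rule with the /data prefix prepended. Labels set with chcon are replaced whenever restorecon runs over the tree, which is why a persistent label needs a rule in the file-context database rather than a one-off chcon. The function names (`equivalence_rule`, `mirror_rules`) and the sample listing are mine; the script assumes a policycoreutils whose `semanage fcontext` accepts `-e` and single-letter `-f` file types and whose `-l` output has the three-column regex / file type / context layout.

```shell
#!/bin/sh
# Added example, not from the original post: two ways to give a tree under
# /data the SELinux file contexts that policy assigns to the same tree under /.
#
# Assumptions (mine): policycoreutils whose `semanage fcontext` accepts -e
# (path equivalence) and -f with single-letter file types (a f d l c b s p),
# and whose `semanage fcontext -l` prints three columns: regex, file type, context.
# Both functions only print commands, so the result can be reviewed before it is
# run as root.

# 1. Path equivalence: one rule that makes policy label everything under DST
#    exactly as it would label the corresponding path under SRC.
equivalence_rule() {
    src=$1; dst=$2
    printf "semanage fcontext -a -e '%s' '%s'\n" "$src" "$dst"
}

# 2. Rule-by-rule mirroring: read a `semanage fcontext -l` listing on stdin,
#    keep the rules whose regex begins with SRC, and emit one `semanage fcontext -a`
#    per rule with PREFIX prepended to the regex, so that
#    /var/lib/mysql(/.*)? becomes /data/var/lib/mysql(/.*)?. Rules whose
#    context is <<None>> are skipped, as is the header line.
mirror_rules() {
    src=$1; prefix=$2
    awk -v src="$src" -v prefix="$prefix" -v q="'" '
        BEGIN {
            ft["all files"] = "a"; ft["regular file"] = "f"; ft["directory"] = "d"
            ft["symbolic link"] = "l"; ft["character device"] = "c"
            ft["block device"] = "b"; ft["socket"] = "s"; ft["named pipe"] = "p"
        }
        # A data line ends with: whitespace, a file-type phrase, whitespace, the context.
        match($0, /[ \t](all files|regular file|directory|symbolic link|character device|block device|socket|named pipe)[ \t]+[^ \t]+$/) {
            regex = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", regex)
            rest = substr($0, RSTART); sub(/^[ \t]+/, "", rest)
            ctx = rest; sub(/.*[ \t]/, "", ctx)            # last column
            ftype = rest; sub(/[ \t]+[^ \t]+$/, "", ftype) # middle column
            if (index(regex, src) != 1 || ctx == "<<None>>") next
            if (split(ctx, part, ":") < 3) next            # user:role:type[:level]
            printf "semanage fcontext -a -f %s -t %s %s%s%s%s\n", ft[ftype], part[3], q, prefix, regex, q
        }'
}

# Constructed sample of `semanage fcontext -l` output (not captured from a real host).
SAMPLE='SELinux fcontext                                   type               Context
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0
/var/lib/ldap(/.*)?                                all files          system_u:object_r:slapd_db_t:s0
/var/lib/nfs/rpc_pipefs(/.*)?                      all files          <<None>>'

# Print the commands for both approaches. To apply them for real, pipe the
# output into `sudo sh`, then relabel the tree: sudo restorecon -Rv /data/var/lib/mysql
equivalence_rule /var/lib/mysql /data/var/lib/mysql
printf '%s\n' "$SAMPLE" | mirror_rules /var/lib/mysql /data
```

Run with a real listing as `semanage fcontext -l | mirror_rules /var/lib /data | sudo sh` to mirror everything under /var/lib in one go, then `restorecon -R` the new tree; for the "complete replica of /" case the equivalence rule is the lighter option, since one `-e` rule covers the whole prefix and stays correct when the base policy's rules change.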