You might want to check out the semanage --equiv option (man semanage). That basically allows you to alias existing file context structures; here's an example from man semanage:

    For home directories under top level directory, for example /disk6/home,
    execute the following commands.

    # semanage fcontext -a -t home_root_t "/disk6"
    # semanage fcontext -a -e /home /disk6/home
    # restorecon -R -v /disk6

So in your case you might want to make /data equivalent to / or something:

    semanage fcontext -a -e / /data
    restorecon -R -v -F /data

That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t etc. just as if it was your main file system.

On Tue, 2012-08-14 at 17:04 -0400, Edward Harvey wrote:
> I'm managing an amazon virtual machine, with 8G / partition, and a
> larger secondary storage device attached. I enabled selinux, and I'm
> trying to make things work (and keep things secure) while migrating
> some things such as the ldap & mysql directories to the second device.
>
> As far as I know, simply extending the / partition isn't an option
> (not LVM) ... Conceivably I could just make a clone larger machine,
> but there are a lot of advantages to having the separate storage
> device... which can be LVM, and prevents the / filesystem from getting
> filled up, and can be detached/reattached to other machines, etc etc.
> So I'm trying like heck to keep the second storage device separate.
>
> Here's the problem:
>
> I mount /data, and now I've got to move & preserve things like
> the /var/lib/mysql directory to a subdir of /data, while preserving
> selinux types and everything. I started out by simply mimicking the /
> structure ...
>
> sudo mount /data
> sudo mkdir -p /data/var/lib
> sudo chown --reference=/ /data
> sudo chcon --reference=/ /data
> sudo chmod --reference=/ /data
> sudo chown --reference=/var /data/var
> sudo chcon --reference=/var /data/var
> sudo chmod --reference=/var /data/var
> sudo chown --reference=/var/lib /data/var/lib
> sudo chcon --reference=/var/lib /data/var/lib
> sudo chmod --reference=/var/lib /data/var/lib
>
> And finally
>
> cd /var/lib ; sudo tar cpf - --selinux mysql | (cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -
>
> I understand that chcon is not persistent...
>
> And after all the above was done, I meticulously examined all the
> contexts of all those directories and confirmed they do match the
> original...
>
> Unfortunately, as soon as I start mysqld, the context
> of /data/var/lib/mysql gets reset. I don't know how or why that is
> happening, but I presume it's because I haven't set the fcontext.
> So ...
>
> I want to write a script that walks through the whole /var/lib/mysql
> directory, and creates matching fcontexts for /data/var/lib/mysql.
> Better yet ... I would like to create fcontext applied to /data which
> is a complete replica of /
>
> Here is where I'm getting stuck. I can do "semanage fcontext -l" and
> I see all the information, but it's not in a format that's suitable to
> modify and feed back into semanage. I can do "semanage -o -" but it
> only says "fcontext -D" which is not helpful.
>
> I can't seem to find any combination of commands that will allow me to
> get all the fcontexts of / (or a relatively large subdir of /) and
> modify them with the /data prefix to feed back into semanage.
>
> Help please?
>
> Thanks...
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
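To make the reply's claim concrete ("/data root_t, /data/var var_t, /data/var/lib var_lib_t ... just as if it was your main file system"), here is an added worked example that is not part of the thread and not SELinux project code. It parses a small, constructed sample in the shape of `semanage fcontext -l` output (the one the original poster found hard to reuse), then models how a path equivalence such as `semanage fcontext -a -e / /data` changes the label that restorecon would pick: the alias prefix is rewritten to its target before the file_contexts rules are matched. The rule-ordering logic (literal beats regex, then longest literal stem wins) is a simplified approximation of libselinux behaviour, and the function names are this example's own.

```python
import re

# Constructed sample in the shape of `semanage fcontext -l` output (not output
# captured from the poster's machine); columns: regex, file type, context.
SAMPLE_FCONTEXT_LIST = """\
SELinux fcontext                                   type               Context
/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
/var(/.*)?                                         all files          system_u:object_r:var_t:s0
/var/lib(/.*)?                                     all files          system_u:object_r:var_lib_t:s0
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0
"""

# Regex metacharacters; the literal prefix before the first one is the "stem".
_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def parse_fcontext_list(text):
    """Parse `semanage fcontext -l` style lines into (regex, ftype, context) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue
        # Columns are separated by runs of two or more spaces.
        regex, ftype, context = re.split(r"\s{2,}", line, maxsplit=2)
        rules.append((regex, ftype, context))
    return rules


def apply_equivalence(path, equivalences):
    """Rewrite the path prefix the way an equivalence (`-e TARGET ALIAS`) does.

    equivalences is a list of (alias, target) pairs, e.g. [("/data", "/")].
    Simplified model of libselinux's substitution (an assumption of this
    example): only whole path components match, and duplicate slashes that a
    "/" target would produce are collapsed.
    """
    for alias, target in equivalences:
        if path == alias or path.startswith(alias.rstrip("/") + "/"):
            rest = path[len(alias):]
            return re.sub(r"/{2,}", "/", target + rest) or "/"
    return path


def resolve_label(path, rules, equivalences=(), ftype="directory"):
    """Return the context restorecon would apply, or None if no rule matches.

    Simplified model of file_contexts matching: the whole (rewritten) path must
    match the anchored regex, the rule's file type must be "all files" or equal
    to ftype, and among matches a literal rule beats a regex, then the longest
    literal stem wins (an approximation of the ordering fc_sort produces).
    """
    lookup = apply_equivalence(path, list(equivalences))
    best_key, best_ctx = None, None
    for regex, rule_ftype, context in rules:
        if rule_ftype not in ("all files", ftype):
            continue
        if re.fullmatch(regex, lookup) is None:
            continue
        m = _META.search(regex)
        stem_len = len(regex) if m is None else m.start()
        key = (m is None, stem_len)
        if best_key is None or key > best_key:
            best_key, best_ctx = key, context
    return best_ctx


def selinux_type(context):
    """Extract the type field (third colon-separated field) of a context."""
    return context.split(":")[2]


if __name__ == "__main__":
    rules = parse_fcontext_list(SAMPLE_FCONTEXT_LIST)
    equiv = [("/data", "/")]
    for p, ft in [("/data", "directory"), ("/data/var", "directory"),
                  ("/data/var/lib", "directory"),
                  ("/data/var/lib/mysql/ibdata1", "regular file")]:
        print(p, "without equivalence:", selinux_type(resolve_label(p, rules, ftype=ft)),
              "| with equivalence:", selinux_type(resolve_label(p, rules, equiv, ft)))
```

Running it shows why the poster's hand-applied chcon labels do not survive: without the equivalence, every path under /data only matches the catch-all `/.*` rule and relabels to default_t, whereas with `/data` aliased to `/` the same rules that label /var/lib/mysql as mysqld_db_t now apply to /data/var/lib/mysql, which is what `restorecon -R -F /data` would then enforce.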