On Mon, Aug 20, 2012 at 2:59 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 08/19/2012 04:24 PM, Tom London wrote:
>> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
>>> You might want to check out the semanage --equiv option. (man semanage)
>>>
>>> That basically allows you to alias existing file context structures:
>>>
>>> here's an example from man semanage:
>>>
>>> For home directories under top level directory, for example /disk6/home,
>>> execute the following commands.
>>> # semanage fcontext -a -t home_root_t "/disk6"
>>> # semanage fcontext -a -e /home /disk6/home
>>> # restorecon -R -v /disk6
>>>
>>> so in your case you might want to make /data equivalent to / or something
>>>
>>> semanage fcontext -a -e / /data
>>> restorecon -R -v -F /data
>>>
>>> That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t etc.
>>>
>>> just as if it was your main file system.
>>>
>>
>> So this sounds exactly like what I would like to do with my LUKS encrypted USB
>> backup drive.
>>
>> Unfortunately, I'm stumbling across the fact that the drive is
>> 'automagically' mounted (when I login or power it on), and it gets mounted
>> on /run/media/tbl/Backup1TB:
>>
>> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
>> /run/media/tbl/Backup1TB type ext4
>> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>>
>> The 'semanage -e' command spews:
>>
>> [root@tlondon ~]# semanage fcontext -a -e / /run/media/tbl/Backup1TB/X200
>> /sbin/semanage: File spec /run/media/tbl/Backup1TB/X200 conflicts with
>> equivalency rule '/run /var/run'; Try adding
>> '/var/run/media/tbl/Backup1TB/X200' instead
>> [root@tlondon ~]#
>>
>> Appears that '/var/run/media' doesn't exist on my system (I guess /run and
>> /var/run are not really 'equivalent'?).
>>
>> Is this an issue with my system (e.g., do I need an explicit entry in fstab or
>> some such)? With the scaffolding that deals with /run and /var/run? Other?
>> Should this work?
>>
>> Thanks, tom
>>
> Yes it is telling you about a double equivalence. systemd guys have suggested
> that we reverse the equivalence. since /var/run does not really exist anymore,
> they suggested we move to /var/run -> /run rather than what we currently have
> /run -> /var/run. My concern with this switch would be if users/package
> developers had already added file context for /var/run

So I tried this to work around the 'one-level equivalence detection':

[root@tlondon ~]# mount --bind /run/media/tbl/Backup1TB/X200/ /mnt
[root@tlondon ~]# semanage fcontext -a -t root_t /mnt
[root@tlondon ~]# semanage fcontext -a -e / /mnt
[root@tlondon ~]# restorecon -v -R /mnt
restorecon reset /mnt context system_u:object_r:admin_home_t:s0->system_u:object_r:root_t:s0
restorecon reset /mnt/.tcshrc context staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
restorecon reset /mnt/run context staff_u:object_r:admin_home_t:s0->staff_u:object_r:var_run_t:s0
restorecon reset /mnt/enable-unconfined context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:etc_runtime_t:s0
restorecon reset /mnt/.lesshst context staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
<<<<<SNIP>>>>>
<<<<<Lots of relabelling here>>>>>
restorecon reset /mnt/var/cache/krb5rcache context staff_u:object_r:var_t:s0->staff_u:object_r:krb5_host_rcache_t:s0
restorecon reset /mnt/var/cache/jetty context system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0
restorecon reset /mnt/var/cache/jetty/temp context system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0
restorecon reset /mnt/var/cache/httpd context staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0
restorecon reset /mnt/var/cache/httpd/proxy context staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0
[root@tlondon ~]#

I checked a few relabelled files, and the contexts seem correct, for example:

restorecon reset /mnt/usr/share/jetty/bin/jetty.sh context staff_u:object_r:bin_t:s0->staff_u:object_r:httpd_exec_t:s0

I should have used something other than '/mnt', of course.

And since the drive is not persistently mounted, I'm thinking of wrapping the
'rsync' command with 'semanage' commands that temporarily add/delete the mappings.

Am I correct in assuming that the way to do this is (presuming bind mount the
mounted path to '/backup'):

semanage fcontext -a -t root_t /backup
semanage fcontext -a -e / /backup
rsync ..... lots of options
semanage fcontext -d -e / /backup
semanage fcontext -d -t root_t /backup

That seem right?

Thanks!
tom
--
Tom London
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
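A shell wrapper that carries out the add/rsync/delete sequence sketched above, using the bind mount from the workaround and the restorecon step from Dominick's reply, with the mappings removed on the way out even if rsync fails. This is added example code, not from the thread; the /backup bind directory, the drive path and the source tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run rsync to the automounted backup
# drive with the '/' equivalence present only while the copy runs.
# Assumed paths: bind dir /backup, drive at /run/media/tbl/Backup1TB/X200.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Drop the temporary mappings and the bind mount. Also wired to the EXIT
# trap so a failing rsync or restorecon cannot leave the equivalence behind.
cleanup_labels() {
    run semanage fcontext -d -e / "$BIND_DIR" || true
    run semanage fcontext -d -t root_t "$BIND_DIR" || true
    run umount "$BIND_DIR" || true
}

# labelled_backup <automounted drive path> <bind dir> <source tree>
labelled_backup() {
    DRIVE="$1"; BIND_DIR="$2"; SRC="$3"
    run mkdir -p "$BIND_DIR"
    # The bind mount keeps the path out of /run, so semanage no longer
    # reports the conflict with the '/run /var/run' equivalency rule.
    run mount --bind "$DRIVE" "$BIND_DIR"
    trap cleanup_labels EXIT
    run semanage fcontext -a -t root_t "$BIND_DIR"
    run semanage fcontext -a -e / "$BIND_DIR"
    # Copy first, relabel second: files rsync creates are labelled by the
    # policy's create rules, so restorecon is what applies the mapping.
    run rsync -a --delete "$SRC" "$BIND_DIR/"
    run restorecon -R -F "$BIND_DIR"
    trap - EXIT
    cleanup_labels
}

# Example: DRY_RUN=1 labelled_backup /run/media/tbl/Backup1TB/X200 /backup /home
```

Run it once with DRY_RUN=1 to see the exact command sequence before letting it touch the policy.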