On 7 May 2013, at 02:04, yersinia wrote:
Restorecond perhaps can help here
best
2013/5/6, Manuel Wolfshant <wolfy@xxxxxxxxxxxxxxxxxx>:
On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
On 6 May 2013, at 15:25, Daniel J Walsh wrote:
We should bring this up for discussion on the mail list, but I guess until we
get labeling NFS we can not do anything about it. The server does not know
what the label of the client process is running with.
The server does the right thing some of the time. In the same home
directory, I'll see some files with "unconfined_u" and others with
"system_u".
I suppose until y'all figure this out, I'll set up a cron job to run
"restorecon -FR /srv" on the file server every night.
As an alternative workaround you could rely on inotify to trigger a
relabel each time a file is created
My understanding is that inotify is not itself recursive, although
"inotifywait -r" will recursively create inotify watches on up to
8192 subdirectories.
My NFS-mounted home directories are in a tree with over 2,400
subdirectories. So inotifywait should work but will probably take
considerable resources.
From the man page, I assume that restorecond will use inotify to
watch files listed in /etc/selinux/restorecond.conf. Is restorecond
recursive like inotifywait? Will adding "/srv/exports/*" to
restorecond.conf cause restorecond to recursively watch all 2,400+
subdirectories?
Thanks for all the great workaround ideas.
--
Mike
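As an added example, not code from any message in this thread, here is the inotify-based workaround Manuel describes, written as a POSIX sh watcher: inotifywait -r reports create/move events under the export tree and each one is passed to restorecon -F. The export root /srv/exports, the inotifywait format string, the helper names and the sample event lines are my assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): relabel files as they appear under an
# NFS export tree, using inotifywait -r to watch and restorecon -F to fix the
# context. Assumed (hypothetical): export root /srv/exports, inotify-tools and
# policycoreutils installed, run as root on the file server.

EXPORT_ROOT="${EXPORT_ROOT:-/srv/exports}"

# inotifywait is run with --format '%e %w%f', so each output line reads
#   <EVENT[,EVENT...]> <full path>
# Putting the event list first keeps paths that contain spaces intact.

# Print the path part of one event line.
event_path() {
    printf '%s\n' "${1#* }"
}

# Print the restorecon flags for one event line and return 0, or print
# nothing and return 1 when the event needs no relabel. New directories get
# -R because files copied into them can land before inotify has a watch on
# the new directory. -F also resets the user part of the label (the
# unconfined_u vs system_u mix seen in the thread), which a plain restorecon
# leaves alone.
relabel_flags() {
    events=${1%% *}
    case ",$events," in
        *,CREATE,*|*,MOVED_TO,*) ;;
        *) return 1 ;;
    esac
    case ",$events," in
        *,ISDIR,*) printf '%s\n' "-FR" ;;
        *)         printf '%s\n' "-F" ;;
    esac
}

# Watch the tree and relabel on each event. Needs root, inotify-tools and
# policycoreutils; runs until killed.
watch_and_relabel() {
    inotifywait -m -r -e create -e moved_to --format '%e %w%f' "$EXPORT_ROOT" |
    while IFS= read -r line; do
        flags=$(relabel_flags "$line") || continue
        restorecon $flags "$(event_path "$line")"
    done
}

# Constructed sample of inotifywait output lines, used for an offline dry run.
SAMPLE_EVENTS='CREATE /srv/exports/home/alice/notes.txt
CREATE,ISDIR /srv/exports/home/alice/new project
MOVED_TO /srv/exports/home/bob/report.pdf
OPEN /srv/exports/home/bob/report.pdf'

# Show what the watcher would run for SAMPLE_EVENTS without touching the system.
dry_run() {
    printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r line; do
        flags=$(relabel_flags "$line") || continue
        printf 'would run: restorecon %s "%s"\n' "$flags" "$(event_path "$line")"
    done
}

case "${1:-}" in
    run)     watch_and_relabel ;;
    dry-run) dry_run ;;
esac
```

Run it as `sh relabel-watch.sh dry-run` to see the decisions for the sample lines, or `sh relabel-watch.sh run` as root to start watching. Two caveats a practitioner would want: the number of watches inotifywait -r can create is bounded by the sysctl fs.inotify.max_user_watches (the source of the 8192 figure mentioned above), so a tree with thousands of subdirectories may need that raised; and inotify drops events when its queue overflows, so a watcher like this complements the nightly `restorecon -FR /srv` rather than replacing it.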
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux