On 05/07/2013 10:21 AM, Mike Pinkerton wrote:
>
> On 7 May 2013, at 02:04, yersinia wrote:
>
>> Restorecond perhaps can help here
>>
>> best
>>
>> 2013/5/6, Manuel Wolfshant <wolfy@xxxxxxxxxxxxxxxxxx>:
>>> On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
>>>>
>>>> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>>>>
>>>>> We should bring this up for discussion on the mail list, but I
>>>>> guess until we get labeling NFS we can not do anything about it.
>>>>> The server does not know what the label of the client process is
>>>>> running with.
>>>>
>>>> The server does the right thing some of the time. In the same home
>>>> directory, I'll see some files with "unconfined_u" and others with
>>>> "system_u".
>>>>
>>>> I suppose until y'all figure this out, I'll set up a cron job to run
>>>> "restorecon -FR /srv" on the file server every night.
>>> As an alternative workaround you could rely on inotify to trigger a
>>> relabel each time a file is created
>
>
> My understanding is that inotify is not itself recursive, although
> "inotifywait -r" will recursively create inotify watches on up to 8192
> subdirectories.
>
> My NFS-mounted home directories are in a tree with over 2,400
> subdirectories. So inotifywait should work but will probably take
> considerable resources.
>
> From the man page, I assume that restorecond will use inotify to watch
> files listed in /etc/selinux/restorecond.conf. Is restorecond recursive
> like inotifywait? Will adding "/srv/exports/*" to restorecond.conf cause
> restorecond to recursively watch all 2,400+ subdirectories?
>
> Thanks for all the great workaround ideas.
>
No, restorecond will not do this. It is not recursive, and I think you would have considerable problems with it as far as resources. Best to run restorecon periodically.

But again, from an SELinux point of view there is no difference between system_u and unconfined_u; no policy that Fedora ships cares about the SELinux user component on files on disk.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
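The two workarounds weighed in the thread, an inotify-driven relabel and a periodic "restorecon -FR", side by side as an added example. This is not code from the thread, from restorecond or from policycoreutils; the export path /srv/exports, the 03:00 cron schedule and the 8192 fallback used when the sysctl cannot be read are assumptions for illustration. The watch-budget check is the part the thread worries about: inotifywait -r needs one inotify watch per directory, and the per-user ceiling is fs.inotify.max_user_watches, so the script refuses to start the watcher when the tree would not fit.

```shell
#!/bin/sh
# Added example, not from the list thread or the restorecond/policycoreutils
# projects. Assumed: the exported tree lives under /srv/exports.

# Number of directories inotifywait -r would have to watch (one inotify watch
# per directory, the root included).
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Per-user inotify watch ceiling from the kernel; the 8192 fallback is an
# assumption for hosts where the sysctl is unreadable.
max_user_watches() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

# Returns 0 when the tree fits under the watch ceiling, 1 otherwise.
# The ceiling can be passed as a second argument so the check is testable.
watch_budget_ok() {
    needed=$(count_watch_dirs "$1")
    limit=${2:-$(max_user_watches)}
    [ "$needed" -le "$limit" ]
}

# Workaround 1: recursive inotify watch; relabel every file created in or
# moved into the tree. -m keeps inotifywait running, -F makes restorecon reset
# the user component as well as the type, matching "restorecon -FR" above.
watch_and_relabel() {
    tree=$1
    if ! watch_budget_ok "$tree"; then
        echo "$tree has more directories than fs.inotify.max_user_watches allows;" \
             "raise the sysctl or fall back to periodic restorecon" >&2
        return 1
    fi
    inotifywait -m -r -q -e create -e moved_to --format '%w%f' "$tree" |
    while IFS= read -r path; do
        restorecon -F "$path"
    done
}

# Workaround 2: the nightly relabel. Prints a line in /etc/cron.d format
# (with a user field) instead of installing it; 03:00 is an assumed time.
cron_line() {
    printf '%s\n' "0 3 * * * root /sbin/restorecon -FR $1"
}
```

Run "watch_and_relabel /srv/exports" from a systemd unit or rc script on the file server, or install the output of "cron_line /srv/exports" in /etc/cron.d. If watch_budget_ok fails for the 2,400-directory tree in the thread, raising fs.inotify.max_user_watches via sysctl is the usual fix, at the cost of the kernel memory the thread alludes to.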