On Sat, 2017-11-25 at 19:10 +0100, Gionatan Danti wrote:
> Being a regular user of selinux, I often face situations where some
> common directories (e.g. /var/log or /var/lib) need to be redirected to
> other partitions/volumes.
>
> A very simple approach, without impacting selinux at all, is to mount a
> volume in the precise path I need to replace - i.e. mount
> /dev/vg_test/lv_lib on /var/lib. However, this is a
> one-volume-per-directory approach and I would like to avoid it.
>
> The other possibility is to create a single big volume with multiple
> directories, mount it, and
>
> 1) symlink the original dir (i.e. /var/log) to the new one (i.e.
> /mnt/volume/var/log);
> 2) use a bind mount to re-mount the destination dir
> (/mnt/volume/var/log) on the original one (/var/log).
>
> The symlink approach is self-explanatory, as anyone listing the original
> directory will immediately notice it. However, it sometimes requires
> extensive customization of the selinux policy, a thing I try hard to
> avoid.
>
> The bind mount approach is somewhat simpler from the selinux standpoint,
> but it is much less discoverable by a simple "ls".
>
> What do you feel is the preferred approach? Am I missing something?
> Thanks.

I prefer bind mounts (along with file context equivalence to ensure that
the source directory is correctly labeled), but there are tradeoffs of
course.

WRT the impact on SELinux policy, this perhaps points to an unnecessary
fragility in policy that could be addressed through better
macros/interfaces.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
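The bind-mount-plus-file-context-equivalence approach recommended in the reply, written out as an added shell example (this is not code from either poster): it declares the bind source equivalent to the original path with `semanage fcontext -e`, relabels it, bind-mounts it, and records the mount in fstab; a `findmnt` check answers the discoverability concern raised in the question. The paths `/mnt/volume/var/log` and `/var/log` are the thread's own; the `apply` argument gating the privileged steps is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Relocates a directory (e.g. /var/log)
# onto a shared volume (e.g. /mnt/volume/var/log) with a bind mount, and
# keeps SELinux labeling correct with a file context equivalence rule.

# fstab line that makes the bind mount persistent across reboots.
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# semanage rule: label everything under the bind source ($1) as if it
# lived under the original path ($2). Argument order for -e is
# "<path to label like> <path to be labeled>".
fcontext_equiv_cmd() {
    printf 'semanage fcontext -a -e %s %s\n' "$2" "$1"
}

# Show how an admin discovers the relocation: "ls" will not reveal a bind
# mount, but findmnt reports the real backing source of the mountpoint.
show_bind_source() {
    findmnt -n -o SOURCE,TARGET --target "$1"
}

# Privileged steps: only run when explicitly invoked as "apply SRC DST".
relocate_dir() {
    src="$1"; dst="$2"
    mkdir -p "$src"
    # cp -a preserves ownership, mode and existing SELinux labels.
    cp -a "$dst"/. "$src"/
    eval "$(fcontext_equiv_cmd "$src" "$dst")"
    # Relabel the bind source so newly created files match the equivalence.
    restorecon -RF "$src"
    mount --bind "$src" "$dst"
    bind_fstab_line "$src" "$dst" >> /etc/fstab
    show_bind_source "$dst"
}

if [ "${1:-}" = "apply" ]; then
    relocate_dir "$2" "$3"   # e.g. ./relocate.sh apply /mnt/volume/var/log /var/log
fi
```

Because the equivalence is recorded with `semanage`, `restorecon` keeps applying the right labels to files created under the bind source later, which is what lets the policy stay untouched compared with the symlink variant.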