Re: Symlink or bind mount?

On 27/11/2017 19:47, Stephen Smalley wrote:

I prefer bind mounts (along with file context equivalence to ensure
that the source directory is correctly labeled), but there are
tradeoffs of course.

WRT to the impact on SELinux policy, this perhaps points to an
unnecessary fragility in policy that could be addressed through better
macros/interfaces.

Hi all,
I bump this old thread because I have troubles relocating MongoDB due to its selinux policy denying symlink access.

Goal: to relocate /var/lib/mongo to /tank/graylog/var/lib/mongo/ with minimal alteration to the original selinux policy.

What I did:
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod

Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log | audit2allow" shows the following error: "allow mongod_t mongod_var_lib_t:lnk_file read;"

Questions:
- apart from reconfiguring MongoDB to directly point to the new location, what else can I do (short of creating a custom selinux policy) to allow access to the /var/lib/mongo symlink?
- why is lnk_file read denied by default in some policies (i.e. MongoDB, MySQL, libvirt, etc.)?

Thanks.


--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
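Added example, not part of the thread above and not from the MongoDB or SELinux projects: a small POSIX shell script that (1) pulls lnk_file denials out of audit log text, so the symlink failure described in the post can be spotted without piping the whole log through audit2allow, and (2) prints the commands for the bind-mount alternative that the quoted reply prefers (fcontext equivalence on the source directory, then a bind mount over the original path). The AVC lines are constructed to match the types named in the post (mongod_t, mongod_var_lib_t); the /etc/fstab line format and the restorecon step are my assumptions about the usual procedure, and nothing in the plan function is executed.

```shell
#!/bin/sh
# Added example: detect lnk_file AVC denials and print a bind-mount relocation plan.

# Constructed sample audit lines (not captured from a real system). The first
# mirrors the denial in the post: mongod_t reading a symlink labelled
# mongod_var_lib_t. The third is an unrelated file denial used as a negative case.
SAMPLE_AUDIT='type=AVC msg=audit(1511800000.123:456): avc:  denied  { read } for  pid=1234 comm="mongod" name="mongo" dev="dm-0" ino=12345 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1511800000.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1511800001.000:457): avc:  denied  { write } for  pid=1234 comm="mongod" name="mongod.lock" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# lnk_file_denials: read audit text on stdin and print one line per AVC denial
# whose target class is lnk_file, as "<source type> <target type> <permissions>".
# This is what "audit2allow" would turn into an allow rule; seeing it here tells
# you a symlink is in the path the domain is allowed to use, before you touch policy.
lnk_file_denials() {
    grep 'avc:  denied' | grep 'tclass=lnk_file' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        printf '%s %s %s\n' "$src" "$tgt" "$perms"
    done
}

# bind_mount_plan ORIG NEW: print (do not run) the steps for relocating ORIG to
# NEW with a bind mount instead of a symlink. The equivalence rule makes files
# under NEW receive the labels defined for ORIG, so the daemon's policy is
# unchanged and no lnk_file access is needed. The fstab line is an assumption
# about the usual bind-mount entry format.
bind_mount_plan() {
    orig=$1
    new=$2
    printf 'semanage fcontext -a -e %s %s\n' "$orig" "$new"
    printf 'restorecon -Rv %s\n' "$new"
    printf '%s %s none bind 0 0\n' "$new" "$orig"
    printf 'mount %s\n' "$orig"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | lnk_file_denials
bind_mount_plan /var/lib/mongo /tank/graylog/var/lib/mongo
```

Run as `sh relocate-check.sh`, or feed real audit text with `lnk_file_denials < /var/log/audit/audit.log` (root needed to read that file). The plan output lists the fstab line for you to add by hand; the original directory stays in place, empty, as the mount point, so its own label is untouched.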



