On Fri, Dec 12, 2008 at 06:36:42AM -0800, Mike Cloaked wrote:
> Chuck Anderson-7 wrote:
> > No, this would be bad. Fresh installs of F9 or F10 work just fine
> > with SELinux enabled as a desktop system, as long as you don't try to
> > integrate older filesystems or NFS as the OP stated. Even /home
> > migrates cleanly with just a simple restorecon -R /home in most cases.
>
> In my case I have a separate /opt partition containing a /home directory
> which is not touched during installs.
> In this case I have to link in /opt/Local/home on the /opt partition to
> /home on the root partition to get the user areas onto the new system.

Bind mounts are preferred:

    mount --bind /opt/Local/home /home

You can add this to /etc/fstab. It goes something like this, but I might
have the exact syntax wrong:

    /opt/Local/home /home bind

> In the old days moving /home out of the way and symlinking /opt/Local/home
> to /home was all that was necessary to get back running for the users (apart
> from restoring the user lines in /etc/passwd and related files). With
> SELinux enabled this does not work as far as I can tell, and it is necessary
> to bind mount /home to /opt/Local/home - but I am not sure if then a
> restorecon will fix everything up? I then had to go carefully through all

Yes, once bind mounted, it acts exactly like it is mounted on /home.

> the directories to check contexts were right, and I do now have two F9
> machines and two F10 machines running with SELinux enabled using this
> technique... but it depends what else is stored on the original /opt
> partition apart from /opt/Local/other_stuff and /opt/otherstuff !

Why? Bind mounts only graft the subtree to the new location. The other
stuff in /opt is untouched (and the original /opt/Local/home is still
there too). If you want to make non-standard stuff in /opt work, then you
will need to write policy or at least file label rules with
"semanage fcontext".

> I expect that the amount of work over the years in getting programs and data
> stored in such partitions is huge and many old hands will only contemplate
> transitioning to SELinux if that pain is minimised. I made a conscious
> decision to go that route and it did add a lot of hours but I am now much
> happier that I now have SELinux enabled machines - but it is certainly a
> learning curve.

Agreed. It is easiest to stick with standard stuff, Fedora-maintained
packages installed in correct FHS locations, etc. Then you can benefit
from the work others have done, instead of having to roll-your-own all
the time and struggle to keep up with system changes. That's the point
of a distribution, isn't it?

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
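The bind mount and fstab entry discussed in the thread, as an added example that is not from either poster: it writes the complete fstab form (the message above omits the "none" fstype field) and pairs it with a "semanage fcontext" equivalence rule so the subtree keeps /home labels whether it is relabelled via /home or via /opt/Local/home. The function names and the fstab path argument are this example's own; it assumes the semanage and restorecon tools from policycoreutils are installed.

```shell
#!/bin/sh
# Added example (not from the list thread). Function names and the optional
# fstab path argument are this example's own; paths follow the thread.

# Complete fstab form for a bind mount: "<src> <dst> none bind 0 0".
# The thread's "/opt/Local/home /home bind" lacks the fstype field ("none").
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Append the bind entry for $2 to the fstab given as $3 (default /etc/fstab)
# unless a non-comment entry for that mount point already exists.
# Returns 0 when the line was added, 1 when it was already present.
add_bind_mount() {
    src=$1; dst=$2; fstab=${3:-/etc/fstab}
    if grep -Eq "^[^#[:space:]]+[[:space:]]+$dst[[:space:]]" "$fstab" 2>/dev/null; then
        return 1
    fi
    bind_fstab_line "$src" "$dst" >> "$fstab"
}

# Print the labelling steps. Once bind mounted, "restorecon -R /home" labels
# the files as home_t because they are reached via /home. The equivalence
# rule additionally tells SELinux to label anything under $src as if it were
# under $dst, so a relabel that walks the /opt partition directly (for
# example a boot-time autorelabel, before the bind mount is active) gives the
# same result instead of falling back to /opt's default labels.
selinux_equiv_cmds() {
    src=$1; dst=$2
    printf 'semanage fcontext -a -e %s %s\n' "$dst" "$src"
    printf 'restorecon -R -v %s\n' "$src"
}

# Usage: sh bind-home.sh /opt/Local/home /home [fstab]
if [ $# -ge 2 ]; then
    add_bind_mount "$@" && echo "bind entry added to ${3:-/etc/fstab}"
    selinux_equiv_cmds "$1" "$2"
fi
```

Run it once with the two paths, then "mount /home" and the printed semanage/restorecon commands as root; re-running is safe because the fstab entry is only appended when absent.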