Last I remember, nothing which took a full range component could be
properly supported in a module. So the answer is 'that's just how it
is in the toolchain'. But no inherent reason without a little coding
it couldn't be different.

On Thu, Mar 28, 2013 at 10:13 AM, David Quigley <dpquigl@xxxxxxxxxxxxxxx> wrote:
> On 03/26/2013 14:56, Daniel J Walsh wrote:
>>
>> On 03/26/2013 12:56 PM, Christopher J. PeBenito wrote:
>>>
>>> On 03/25/13 17:14, Rob Shelley wrote:
>>>>
>>>> I am evaluating OCFS2 on a CentOS 6.3 cluster and have run into a little
>>>> bit of a snag with SELinux. After the OCFS2 partition is mounted no
>>>> writes can be performed to the shared device from either node because
>>>> they are being blocked by SELinux. The core of the issue is that the
>>>> CentOS default policy does not list OCFS2 as a filesystem that supports
>>>> xattrs in filesystem.te. It's a one line fix:
>>>>
>>>> fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
>>>>
>>>> However, it would seem that the only way to implement this change in
>>>> filesystem.te is by rebuilding the base policy. (I have not found a way
>>>> to just reload the filesystem module of the base policy.) And even if
>>>> there were an easy way to reload just the filesystem module of the base
>>>> policy I believe this would be overwritten if an update is released.
>>>>
>>>> So, I was wondering if there was a way to incorporate this line into a
>>>> module, say ocfs2.te. My initial attempts have failed, but I am
>>>> assuming that is because I do not have the correct dependencies listed
>>>> in the require section.
>>>>
>>>> Any suggestions?
>>>
>>> Unfortunately you can only add fs_use statements to the base module, so
>>> you'd have to rebuild the base module.
>>>
>> You should be able to mount the file system with a single label.
>>
>> mount -o context="system_u..."
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
>> with the words "unsubscribe selinux" without quotes as the message.
>
> Is there a reason that fs_use statements need to be in the base module other
> than it's just how it is in the kernel and tool chain? Is that something that
> could be changed?