[CentOS] Excluding file systems from autorelabel
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 27 21:43:32 UTC 2012
On 12/27/2012 03:08 PM, James A. Peltier wrote:
> ----- Original Message -----
> | On 12/27/2012 06:09 AM, Markku Kolkka wrote:
> | > 27.12.2012 3:03, James A. Peltier wrote:
> | >> I'm really feeling dense today. I can't find anywhere in the FTP
> | >> man page anything related to SELinux labels.
> | >
> | > See "man ftpd_selinux".
>
> Yet again, this is about setting a SELinux context and not removing it, or
> excluding it from SELinux processing entirely. This is NOT what I want to
> do. Thankfully, Dan Walsh understood the problem and was able to better
> answer it for me.
>
>
> | Depending on your version, you should be able to add an entry like
> | /exports to /etc/selinux/fixfiles_exclude_dirs
> |
> | And fixfiles should exclude this directory. (Autorelabel/rpm updates)
> |
> | grep fixfiles_exclude_dirs /sbin/fixfiles
>
> However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the
> hosts I have.
>
> [root at daat ~]# which fixfiles
> /sbin/fixfiles
>
> and
>
> [root at daat ~]# grep -i exclude /sbin/fixfiles
>
> returns nothing
>
> but it does exist in Fedora.
>
> | Another way to do this is to add a mount option to the directories
> | mounted at /exports
> |
> | mount -o context="..."
> |
> | Autorelabel does not relabel anything mounted with a context option.
>
>
> Ok gotcha! So since I'm trying to understand this better in the context of
> an NFS file server what would be the "best" aka least intrusive context
> (perhaps most permissive is a better term)? Perhaps
> unconfined_u:object_r:default_t:s0? A secondary question is why is it
> that
>
> semanage fcontext -a -t "<<none>>" "/exports(/.*)?"
>
> did not work? Shouldn't this tell SELinux not to bother with the directory
> or is it still walking the file system to find files with labels? Thanks
> for your help in better utilizing SELinux BTW. ;)
>
What does matchpathcon /exports/foobar say after you add that rule?
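The thread names two ways to keep /exports out of an autorelabel: the fixfiles_exclude_dirs file, which the local fixfiles script may or may not honour, and a context= mount option, which autorelabel skips. The script below is an added example, not code from the thread or from Dan or James, that checks which of the two applies on a given host. It reads a fixfiles script and a /proc/mounts-style table whose paths are passed in as arguments, so it can be run against copies taken from a CentOS 5/6 box; the default_t context in the generated fstab line is only the label James floated and is an assumption, not a recommendation from the thread.

```shell
#!/bin/sh
# Added example (not from the CentOS thread): helpers for deciding how to
# keep an export tree out of a SELinux autorelabel.

# 1. Does this host's fixfiles honour /etc/selinux/fixfiles_exclude_dirs?
#    Per the thread, Fedora's did and CentOS 5.8/6.3 did not; the same grep
#    Dan suggested decides it.  Argument: path to fixfiles (default /sbin/fixfiles).
#    Exit 0 = supported, 1 = not supported, 2 = script unreadable.
fixfiles_supports_exclude() {
    script="${1:-/sbin/fixfiles}"
    [ -r "$script" ] || return 2
    grep -q 'fixfiles_exclude_dirs' "$script"
}

# 2. List mount points whose options carry context=.  Autorelabel leaves
#    these alone, so they keep their label through `touch /.autorelabel`.
#    Argument: a table in /proc/mounts format (default /proc/mounts).
#    Fields: device mountpoint fstype options dump pass.
#    Only plain context= is matched; fscontext=/defcontext=/rootcontext=
#    have different semantics and are deliberately not counted.
context_mounts() {
    table="${1:-/proc/mounts}"
    awk '$4 ~ /(^|,)context=/ { print $2 }' "$table"
}

# 3. Is a specific mount point covered by a context= option?  Exit 0 if so.
has_context_mount() {
    mp="$1"; table="${2:-/proc/mounts}"
    context_mounts "$table" | grep -qx "$mp"
}

# 4. Produce the /etc/fstab line that gives an export a fixed context.
#    The default label is an assumption (the one James proposed); pick the
#    type your NFS policy actually expects before using it.
fstab_line() {
    dev="$1"; mp="$2"; fstype="$3"
    ctx="${4:-system_u:object_r:default_t:s0}"
    printf '%s %s %s defaults,context="%s" 0 0\n' "$dev" "$mp" "$fstype" "$ctx"
}

# 5. One-shot report for an export directory, combining the checks above.
#    Arguments: mount point, fixfiles path, mounts table (the last two optional).
report() {
    mp="$1"; script="${2:-/sbin/fixfiles}"; table="${3:-/proc/mounts}"
    if has_context_mount "$mp" "$table"; then
        echo "$mp: mounted with context=, autorelabel will skip it"
    elif fixfiles_supports_exclude "$script"; then
        echo "$mp: add it to /etc/selinux/fixfiles_exclude_dirs"
    else
        echo "$mp: no exclusion support in $script; remount with a context= option, e.g."
        echo "  mount -o context=\"system_u:object_r:default_t:s0\" <device> $mp"
    fi
}

# Usage on a live host (uncomment):
# report /exports
# After a semanage fcontext "<<none>>" rule, confirm what the lookup returns:
# matchpathcon /exports/foobar
```

The report function mirrors Dan's advice in order: a context= mount already wins, fixfiles_exclude_dirs is the next choice where the script supports it, and otherwise the mount option is the only route on the CentOS releases in the thread. Whatever path you take, the matchpathcon check Dan asked for is the quickest way to see whether a `<<none>>` fcontext rule is actually being applied to the directory.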