-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/27/2012 03:08 PM, James A. Peltier wrote:
----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| On 12/27/2012 06:09 AM, Markku Kolkka wrote:
| > 27.12.2012 3:03, James A. Peltier wrote:
| >
| >> I'm really feeling dense today. I can't find anywhere in the FTP man
| >> page anything related to SELinux labels.
| >
| > See "man ftpd_selinux".

Yet again, this is about setting an SELinux context and not removing it, or excluding it from SELinux processing entirely. This is NOT what I want to do. Thankfully, Dan Walsh understood the problem and was able to better answer it for me.
| Depending on your version, you should be able to add an entry like
| /exports to
| /etc/selinux/fixfiles_exclude_dirs
|
| And fixfiles should exclude this directory. (Autorelabel/rpm updates)
|
| grep fixfiles_exclude_dirs /sbin/fixfiles
However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the hosts I have.
[root@daat ~]# which fixfiles
/sbin/fixfiles

and

[root@daat ~]# grep -i exclude /sbin/fixfiles

returns nothing, but it does exist in Fedora.
| Another way to do this is to add a mount option to the directories
| mounted at
| /exports
|
| mount -o context="..."
|
| Autorelabel does not relabel anything mounted with a context option.
OK, gotcha! So, since I'm trying to understand this better in the context of an NFS file server, what would be the "best", aka least intrusive, context (perhaps most permissive is a better term)? Perhaps unconfined_u:object_r:default_t:s0? A secondary question is why is it that

semanage fcontext -a -t "<<none>>" "/exports(/.*)?"

did not work? Shouldn't this tell SELinux not to bother with the directory, or is it still walking the file system to find files with labels? Thanks for your help in better utilizing SELinux, BTW. ;)
What does matchpathcon /exports/foobar say after you add that rule?
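As an added example that is not part of the thread (and not Dan Walsh's, CentOS's or Fedora's code): a small POSIX shell script that applies the two options discussed above on a given host. It first checks whether this host's fixfiles references /etc/selinux/fixfiles_exclude_dirs (the same grep Dan suggests); if so it adds /exports there, otherwise it falls back to an fstab entry with a context= mount option, and finishes with the matchpathcon check Dan asks for. The paths in FIXFILES, EXCLUDE_FILE and FSTAB, the block device /dev/sdb1, the ext4 filesystem type, the public_content_rw_t context and the probe path /exports/foobar are all assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Decides, per host, which of the two
# mechanisms from the thread keeps /exports out of autorelabel:
#   1. /etc/selinux/fixfiles_exclude_dirs, if this host's fixfiles honours it
#   2. otherwise a context= mount option in /etc/fstab
# Every path, the block device, the filesystem type and the chosen context
# are assumptions for illustration; adjust them to the host.

FIXFILES=${FIXFILES:-/sbin/fixfiles}
EXCLUDE_FILE=${EXCLUDE_FILE:-/etc/selinux/fixfiles_exclude_dirs}
FSTAB=${FSTAB:-/etc/fstab}

# 0 if the given fixfiles script references the exclude-dirs file at all
# (the grep from the thread); non-zero on a CentOS 5/6 fixfiles that lacks it.
fixfiles_supports_exclude() {
    grep -q fixfiles_exclude_dirs "$1" 2>/dev/null
}

# Append a directory to an exclude file exactly once (idempotent; creates the
# file if it is missing). Entries are one absolute path per line.
add_exclude_dir() {
    dir=$1; file=$2
    grep -qxF "$dir" "$file" 2>/dev/null || printf '%s\n' "$dir" >>"$file"
}

# Print the fstab line that pins one label on the whole mount. Per the thread,
# autorelabel skips context-mounted filesystems, so the label given here stays
# until the option is removed.
fstab_context_line() {
    dev=$1; mnt=$2; fstype=$3; ctx=$4
    printf '%s %s %s defaults,context="%s" 0 0\n' "$dev" "$mnt" "$fstype" "$ctx"
}

# Print which mechanism applies on this host.
choose_mechanism() {
    if fixfiles_supports_exclude "$FIXFILES"; then
        echo exclude_dirs
    else
        echo context_mount
    fi
}

# The check Dan asks for: the label policy would assign to a path under the
# tree. Returns 2 when the SELinux userland is not installed, so a caller can
# tell "no tools" apart from matchpathcon's own failure.
report_label() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    matchpathcon "$1"
}

main() {
    mnt=${1:-/exports}
    case $(choose_mechanism) in
    exclude_dirs)
        add_exclude_dir "$mnt" "$EXCLUDE_FILE"
        echo "added $mnt to $EXCLUDE_FILE"
        ;;
    context_mount)
        # Assumed device, type and context. public_content_rw_t is the type
        # the *_selinux man pages use for data shared by several services;
        # pick whatever type the services that touch the export actually need.
        line=$(fstab_context_line /dev/sdb1 "$mnt" ext4 \
               system_u:object_r:public_content_rw_t:s0)
        grep -qF "$line" "$FSTAB" 2>/dev/null || printf '%s\n' "$line" >>"$FSTAB"
        echo "added context mount for $mnt to $FSTAB; remount to apply"
        ;;
    esac
    # hypothetical probe path; the file need not exist for a policy lookup
    report_label "$mnt/foobar" || echo "matchpathcon not available"
}

# Only act when invoked as "script apply [dir]"; otherwise just define functions.
if [ "${1:-}" = apply ]; then
    main "${2:-}"
fi
```

Run as root with `sh script.sh apply /exports`; setting FIXFILES, EXCLUDE_FILE and FSTAB in the environment points it at copies for a dry run. The fstab route is deliberately the fallback: a context= mount overrides any per-file label on that filesystem, which is what keeps it safe from autorelabel but also means no finer-grained labelling under the mount point.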