I'm trying to find a way to exclude file systems during the autorelabel process. I have a file system (/exports) that has tens of millions of files on it and I *know* I don't want it relabeled.
I've tried semanage fcontext -a -t "<<none>>" "/exports(/.*)?" and it seems to insist on relabeling that file system. I also tried to see if there was a /.autorelabel_exclude option as I saw some patches but can't seem to find indication of them anywhere (perhaps I missed it). I really need to make sure that I can exclude these massive directories if at all possible.
Any help?
It is possible to use semanage to label the files correctly and to persist after reboot; see man pages for FTP.
Hope this helps
Russell

On 26 Dec 2012, at 09:05, "James A. Peltier" <jpeltier@sfu.ca> wrote:
--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier

"The smartest people are constantly revising their understanding, reconsidering a problem they thought they’d already solved. They’re open to new points of view, new information, new ideas, contradictions, and challenges to their own way of thinking." - Jeff Bezos

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
----- Original Message -----
| It is possible to use semanage to label the files correctly and to
| persist after reboot see man pages for FTP
| Hope this helps
| Russell
I'm really feeling dense today. I can't find anywhere in the FTP man page anything related to SELinux labels. I've googled for stuff related to setting the context but that is NOT what I want to do. I want to strip the context entirely so that autorelabel won't look at the files and directories under exports and attempt to apply labels, and I thought that
semanage fcontext -a -t "<<none>>" "/exports(/.*)?"
would do just that. It seems quite obvious that I'm either mistaken or that I'm missing another step. Once I do this must I also run restorecon or some other command?
On 12/27/2012 06:09 AM, Markku Kolkka wrote:
27.12.2012 3:03, James A. Peltier wrote:
I'm really feeling dense today. I can't find anywhere in the FTP man page anything related to SELinux labels.
See "man ftpd_selinux".
Depending on your version, you should be able to add an entry like /exports to /etc/selinux/fixfiles_exclude_dirs
And fixfiles should exclude this directory. (Autorelabel/rpm updates)
grep fixfiles_exclude_dirs /sbin/fixfiles
Another way to do this is to add a mount option to the directories mounted at /exports
mount -o context="..."
Autorelabel does not relabel anything mounted with a context option.
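The two mechanisms Dan describes can be checked from a script. The following is an added example, not code from the thread or from the fixfiles/policycoreutils project: it reports whether a given fixfiles script mentions /etc/selinux/fixfiles_exclude_dirs (Dan's grep), whether a mount point is currently mounted with a context= option (which autorelabel skips), and adds a directory to the exclude file without duplicating it. The stand-in fixfiles scripts, the /proc/mounts lines and the exclude-file path are constructed sample data so it runs offline; on a real host the functions would be pointed at /sbin/fixfiles, /proc/mounts and /etc/selinux/fixfiles_exclude_dirs.

```shell
#!/bin/sh
# Added example (not from the thread): probe the exclusion mechanisms Dan
# mentions. Every input below is constructed sample data so the script
# runs offline; on a real host point the functions at /sbin/fixfiles,
# /proc/mounts and /etc/selinux/fixfiles_exclude_dirs instead.

# Print "yes" if the fixfiles script at $1 mentions fixfiles_exclude_dirs
# (the same check as Dan's grep), "no" otherwise or if the file is missing.
fixfiles_supports_exclude() {
    if grep -q 'fixfiles_exclude_dirs' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Print "yes" if mount point $2 appears in the /proc/mounts-style file $1
# with a context= (or fscontext=/defcontext=) option, which is what makes
# autorelabel leave the filesystem alone; "no" if absent or without one.
mount_has_context() {
    awk -v mp="$2" '
        $2 == mp && $4 ~ /(^|,)(fs|def)?context=/ { found = 1 }
        END { print (found ? "yes" : "no") }' "$1"
}

# Append directory $2 to the exclude file $1 unless it is already listed,
# so repeated runs (e.g. from configuration management) do not duplicate it.
add_exclude_dir() {
    if [ -f "$1" ] && grep -qx -- "$2" "$1"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# --- demo on constructed data -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Two stand-ins for /sbin/fixfiles: one that references the exclude file
# (as Fedora's does) and one that does not (as James found on CentOS 5/6).
printf '%s\n' '#!/bin/sh' '# ... reads /etc/selinux/fixfiles_exclude_dirs ...' > "$DEMO/fixfiles.new"
printf '%s\n' '#!/bin/sh' '# ... no exclude-directory support ...' > "$DEMO/fixfiles.old"

# Constructed /proc/mounts: /exports carries a context= option, /srv does not.
cat > "$DEMO/mounts" <<'EOF'
/dev/mapper/vg-root / ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/sdb1 /exports xfs rw,context=system_u:object_r:default_t:s0,relatime 0 0
/dev/sdc1 /srv ext4 rw,seclabel,relatime 0 0
EOF

echo "new-style fixfiles supports exclude: $(fixfiles_supports_exclude "$DEMO/fixfiles.new")"
echo "old-style fixfiles supports exclude: $(fixfiles_supports_exclude "$DEMO/fixfiles.old")"
echo "/exports mounted with context=:      $(mount_has_context "$DEMO/mounts" /exports)"
echo "/srv mounted with context=:          $(mount_has_context "$DEMO/mounts" /srv)"

add_exclude_dir "$DEMO/fixfiles_exclude_dirs" /exports
add_exclude_dir "$DEMO/fixfiles_exclude_dirs" /exports   # second call is a no-op
echo "exclude file contents: $(cat "$DEMO/fixfiles_exclude_dirs")"
```

The mount check reads the live mount table rather than fstab on purpose: what autorelabel sees is the option actually in force at boot, and a context= that was typed on a manual mount but never written to fstab will not survive the reboot that triggers the relabel.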
----- Original Message -----
| On 12/27/2012 06:09 AM, Markku Kolkka wrote:
| > 27.12.2012 3:03, James A. Peltier wrote:
| >
| >> I'm really feeling dense today. I can't find anywhere in the FTP
| >> man
| >> page anything related to SELinux labels.
| >
| > See "man ftpd_selinux".
Yet again, this is about setting a SELinux context and not removing it, or excluding it from SELinux processing entirely. This is NOT what I want to do. Thankfully, Dan Walsh understood the problem and was able to better answer it for me.
| Depending on your version, you should be able to add an entry like
| /exports to
| /etc/selinux/fixfiles_exclude_dirs
|
| And fixfiles should exclude this directory. (Autorelabel/rpm updates)
|
| grep fixfiles_exclude_dirs /sbin/fixfiles
However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the hosts I have.
[root@daat ~]# which fixfiles
/sbin/fixfiles

and

[root@daat ~]# grep -i exclude /sbin/fixfiles

returns nothing, but it does exist in Fedora.
| Another way to do this is to add a mount option to the directories
| mounted at
| /exports
|
| mount -o context="..."
|
| Autorelabel does not relabel anything mounted with a context option.
Ok gotcha! So since I'm trying to understand this better in the context of an NFS file server what would be the "best" aka least intrusive context (perhaps most permissive is a better term)? Perhaps unconfined_u:object_r:default_t:s0? A secondary question is why is it that
semanage fcontext -a -t "<<none>>" "/exports(/.*)?"
did not work? Shouldn't this tell SELinux not to bother with the directory, or is it still walking the file system to find files with labels? Thanks for your help in better utilizing SELinux BTW. ;)
On 12/27/2012 03:08 PM, James A. Peltier wrote:
What does matchpathcon /exports/foobar say after you add that rule?
----- Original Message -----
| What does matchpathcon /exports/foobar say after you add that rule?
All directories report <<none>>, including /exports itself.
On 12/26/2012 01:05 AM, James A. Peltier wrote:
I really need to make sure that I can exclude these massive directories if at all possible.
The only way that appears to be available is to mark the filesystem "noauto" and mount it after the system has otherwise started.
On 12/26/2012 4:05 AM, James A. Peltier wrote:
I'm trying to find a way to exclude file systems during the autorelabel process. I have a file system (/exports) that has tens of millions of files on it and I *know* I don't want it relabeled.
How often do you need to do this? The obvious solution is to comment out the entry in /etc/fstab for the /exports filesystem and then "touch /.autorelabel" and reboot. When the machine comes back up, uncomment the entry in /etc/fstab and then do a "mount -a".
If you want to do this on a regular basis, just script the whole thing, including a script called from /etc/rc.d/rc.local which checks for a semaphore file created by the first script and does the uncomment and "mount -a" if the first script has been run. Do lots of error checking and don't forget to remove the semaphore file when the system is back up. Run the whole thing out of cron.
There may be a more direct way to do what you want, but this is one way to do it using simple shell commands.
Hope this helps
Harold
Linux since 1993
On 12/27/2012 12:40 PM, Harold Pritchett wrote:
If you want to do this on a regular basis, just script the whole thing, including a script called from /etc/rc.d/rc.local which checks for a semaphore file created by the first script and does the uncomment and "mount -a" if the first script has been run.
That seems entirely unnecessary and pointlessly complex.
As there doesn't seem to be any support for /etc/selinux/fixfiles_exclude_dirs in any production release of CentOS, the simplest option is to add "noauto" to the fstab entry for the volume and mount it after sysinit, possibly in rc.local.
Perhaps that seems less onerous to me than it does to other people. I mount my "home" and backup filesystems after boot so that I don't need to store the encryption keys in order to allow unattended boot.
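The fstab side of the two workarounds proposed in the thread (Gordon's "noauto" entry and Harold's comment-out plus semaphore file), as an added shell example that is neither poster's script. It works on whatever fstab file it is given, so the demo runs on a constructed copy and touches nothing on the running system; the `#AUTORELABEL#` marker, the semaphore file name and the `MOUNT_CMD` override used to stub the real mount are this example's own assumptions. On a live host the functions would run as root against /etc/fstab, with `touch /.autorelabel` and the reboot happening between the comment-out and the rc.local restore.

```shell
#!/bin/sh
# Added example, not a script from the thread: the fstab handling behind
# the two workarounds (Gordon's "noauto" entry, Harold's comment-out plus
# semaphore). $1 is always the fstab file to edit; the demo below uses a
# constructed copy so nothing on the running system is touched.

# Add "noauto" to the option field of the entry for mount point $2.
# Idempotent: an entry that already carries noauto is left unchanged.
# Comment and blank lines pass through untouched.
fstab_set_noauto() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF == 0 { print; next }
        $2 == mp && $4 !~ /(^|,)noauto(,|$)/ { $4 = $4 ",noauto" }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Harold's variant, step 1: comment out the entry for $2 before the
# relabel reboot. The "#AUTORELABEL# " prefix is this example's own marker
# so the matching uncomment only touches lines this script disabled.
fstab_comment_out() {
    awk -v mp="$2" '
        /^[ \t]*#/ { print; next }
        $2 == mp { print "#AUTORELABEL# " $0; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Harold's variant, step 2: restore every entry carrying the marker.
fstab_uncomment() {
    awk '/^#AUTORELABEL# / { sub(/^#AUTORELABEL# /, "") } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the option field of the active (uncommented) entry for $2.
fstab_options() {
    awk -v mp="$2" '!/^[ \t]*#/ && $2 == mp { print $4 }' "$1"
}

# rc.local side of Harold's scheme: if the pre-reboot script left the
# semaphore $1, restore the fstab entry in $2, clear the semaphore and
# mount $3. Returns 1 when there is nothing to do (an ordinary boot).
# MOUNT_CMD is a hypothetical override so the demo can stub the real mount.
post_boot_restore() {
    [ -e "$1" ] || return 1
    fstab_uncomment "$2"
    rm -f "$1"
    ${MOUNT_CMD:-mount} "$3"
}

# --- demo on a constructed fstab ----------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/fstab" <<'EOF'
# constructed sample fstab
/dev/mapper/vg-root   /          ext4  defaults   1 1
LABEL=boot            /boot      ext4  defaults   1 2
/dev/sdb1             /exports   xfs   defaults   1 2
EOF
cp "$DEMO/fstab" "$DEMO/fstab.harold"

# Gordon's approach: mark /exports noauto (second call shows idempotence).
fstab_set_noauto "$DEMO/fstab" /exports
fstab_set_noauto "$DEMO/fstab" /exports
echo "noauto variant, /exports options: $(fstab_options "$DEMO/fstab" /exports)"

# Harold's approach: disable the entry, drop the semaphore, then run the
# boot-side step (here with the mount stubbed out by MOUNT_CMD).
fstab_comment_out "$DEMO/fstab.harold" /exports
touch "$DEMO/autorelabel-pending"
echo "before reboot, /exports options: '$(fstab_options "$DEMO/fstab.harold" /exports)'"
MOUNT_CMD="echo demo-would-run: mount"
post_boot_restore "$DEMO/autorelabel-pending" "$DEMO/fstab.harold" /exports
echo "after rc.local, /exports options: $(fstab_options "$DEMO/fstab.harold" /exports)"
```

The marker prefix matters for the comment-out variant: an rc.local step that uncommented every `#` line in fstab would also revive entries the administrator deliberately disabled, so the restore only touches lines this script itself commented out, and the semaphore check keeps the step a no-op on ordinary boots.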