[CentOS] Excluding file systems from autorelabel

Thu Dec 27 20:08:46 UTC 2012
James A. Peltier <jpeltier at sfu.ca>

----- Original Message -----
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
| 
| On 12/27/2012 06:09 AM, Markku Kolkka wrote:
| > 27.12.2012 3:03, James A. Peltier kirjoitti:
| > 
| >> I'm really feeling dense today.  I can't find anywhere in the FTP
| >> man
| >> page anything related to SELinux labels.
| > 
| > See "man ftpd_selinux".

Yet again, this is about setting a SELinux context and not removing it, or excluding it from SELinux processing entirely.  This is NOT what I want to do.  Thankfully, Dan Walsh understood the problem and was able to better answer it for me.


| Depending on your version, you should be able to add an entry like
| /exports to
|  /etc/selinux/fixfiles_exclude_dirs
| 
| And fixfiles should exclude this directory. (Autorelabel/rpm updates)
| 
| grep fixfiles_exclude_dirs /sbin/fixfiles

However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the hosts I have.

[root at daat ~]# which fixfiles
/sbin/fixfiles

and 
[root at daat ~]# grep -i exclude /sbin/fixfiles

returns nothing

but it does exist in Fedora.

| Another way to do this is to add a mount option to the directories
| mounted at
| /exports
| 
| mount -o context="..."
| 
| Autorelabel does not relabel anything mounted with a context option.


Ok gotcha!  So since I'm trying to understand this better in the context of an NFS file server, what would be the "best", aka least intrusive, context (perhaps most permissive is a better term)?  Perhaps unconfined_u:object_r:default_t:s0?  A secondary question is why is it that

   semanage fcontext -a -t "<<none>>" "/exports(/.*)?"

did not work?  Shouldn't this tell SELinux not to bother with the directory or is it still walking the file system to find files with labels?  Thanks for your help in better utilizing SELinux BTW. ;)

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier

"The smartest people are constantly revising their understanding, reconsidering a problem they thought they’d already solved. They’re open to new points of view, new information, new ideas, contradictions, and challenges to their own way of thinking." - Jeff Bezos
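The two checks the thread turns on, as an added example that is not part of the original posts: whether the installed fixfiles script honours /etc/selinux/fixfiles_exclude_dirs (the grep Dan suggests, which returns nothing on the CentOS 5.8/6.3 hosts above), and which mounted file systems carry a context= option, since those are the ones autorelabel skips. The fixfiles path /sbin/fixfiles is the one from the thread; the mount listing is a constructed stand-in for /proc/mounts (six-field layout: device, mount point, fstype, options, dump, pass), with /exports carrying the unconfined_u:object_r:default_t:s0 label James asks about and /scratch showing the quoted context="..." form that mount(8) prints. The type nfs_t on /scratch is just a sample value.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts.
# 1. Does the installed fixfiles honour /etc/selinux/fixfiles_exclude_dirs?
# 2. Which mounts carry a context= option (skipped by autorelabel), and is a
#    given path on one of them?
# Assumes fixfiles at /sbin/fixfiles (as in the thread) and a listing in the
# /proc/mounts layout: device mountpoint fstype options dump pass.

# Return 0 if the given fixfiles script references fixfiles_exclude_dirs,
# 1 otherwise (the CentOS 5.8/6.3 builds in the thread return 1).
fixfiles_supports_exclude() {
    script="${1:-/sbin/fixfiles}"
    [ -r "$script" ] && grep -q 'fixfiles_exclude_dirs' "$script"
}

# Read a /proc/mounts-style listing on stdin; print "mountpoint context" for
# every mount whose options include context=... (surrounding quotes removed).
context_mounts() {
    awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^context=/) {
                ctx = substr(opts[i], 9)
                gsub(/"/, "", ctx)
                print $2, ctx
            }
        }
    }'
}

# Given a path ($1) and the listing on stdin, print the context= value of the
# longest mount point containing the path. Exit 1 when that mount has no
# context option, i.e. autorelabel would still walk the path.
mount_context_for_path() {
    awk -v p="$1" '
    {
        mp = $2
        pref = (mp == "/") ? "/" : (mp "/")
        if (mp == p || index(p, pref) == 1) {
            if (length(mp) > bestlen) {
                bestlen = length(mp)
                bestctx = ""
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) {
                    if (opts[i] ~ /^context=/) {
                        bestctx = substr(opts[i], 9)
                        gsub(/"/, "", bestctx)
                    }
                }
            }
        }
    }
    END {
        if (bestctx != "") { print bestctx; exit 0 }
        exit 1
    }'
}

# Constructed sample listing (not from a real host) standing in for
# /proc/mounts. /exports is an NFS mount with the label from the thread;
# /scratch shows the quoted form; / and /tmp have no context option.
SAMPLE_MOUNTS='/dev/mapper/vg0-root / ext4 rw,relatime,seclabel 0 0
nfsserver:/vol/exports /exports nfs rw,relatime,vers=3,context=unconfined_u:object_r:default_t:s0 0 0
/dev/sdb1 /scratch ext4 rw,relatime,context="system_u:object_r:nfs_t:s0" 0 0
tmpfs /tmp tmpfs rw,seclabel 0 0'

# Stand-alone demo. On a live host replace the sample with: < /proc/mounts
if fixfiles_supports_exclude; then
    echo "fixfiles honours /etc/selinux/fixfiles_exclude_dirs"
else
    echo "no exclude-dirs support in fixfiles; use mount -o context= instead"
fi
echo "--- mounts with a context option (sample listing) ---"
printf '%s\n' "$SAMPLE_MOUNTS" | context_mounts
```

On a real host, `mount_context_for_path /exports/home < /proc/mounts` answers the practical question: if it prints a label, autorelabel will leave that tree alone; if it exits 1, the path sits on a mount without context= and will be walked (and relabelled) regardless of any semanage fcontext rule.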