[CentOS] Excluding file systems from autorelabel

Thu Dec 27 21:43:32 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

On 12/27/2012 03:08 PM, James A. Peltier wrote:
> ----- Original Message -----
> | On 12/27/2012 06:09 AM, Markku Kolkka wrote:
> | > 27.12.2012 3:03, James A. Peltier wrote:
> | >
> | >> I'm really feeling dense today.  I can't find anywhere in the FTP
> | >> man page anything related to SELinux labels.
> | >
> | > See "man ftpd_selinux".
> 
> Yet again, this is about setting a SELinux context and not removing it, or
> excluding it from SELinux processing entirely.  This is NOT what I want to
> do.  Thankfully, Dan Walsh understood the problem and was able to better
> answer it for me.
> 
> 
> | Depending on your version, you should be able to add an entry like
> | /exports to
> |  /etc/selinux/fixfiles_exclude_dirs
> |
> | And fixfiles should exclude this directory. (Autorelabel/rpm updates)
> |
> | grep fixfiles_exclude_dirs /sbin/fixfiles
> 
> However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the
> hosts I have.
> 
> [root@daat ~]# which fixfiles
> /sbin/fixfiles
> 
> and
> 
> [root@daat ~]# grep -i exclude /sbin/fixfiles
> 
> returns nothing
> 
> but it does exist in Fedora.
> 
> | Another way to do this is to add a mount option to the directories
> | mounted at
> | /exports
> |
> | mount -o context="..."
> |
> | Autorelabel does not relabel anything mounted with a context option.
> 
> 
> Ok gotcha!  So since I'm trying to understand this better in the context of
> an NFS file server what would be the "best" aka least intrusive context
> (perhaps most permissive is a better term)?  Perhaps
> unconfined_u:object_r:default_t:s0?  A secondary question is why is it
> that
> 
> semanage fcontext -a -t "<<none>>" "/exports(/.*)?"
> 
> did not work?  Shouldn't this tell SELinux not to bother with the directory
> or is it still walking the file system to find files with labels?  Thanks
> for your help in better utilizing SELinux BTW. ;)
> 
What does matchpathcon /exports/foobar say after you add that rule?
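As an added example (not code from this thread or from any SELinux project): a small POSIX shell helper that, given /proc/mounts-style input, separates mounts carrying a context= option, which autorelabel skips per Dan's note above, from read-write mounts that a relabel would walk. The mount listing is constructed, and the list of label-capable filesystem types it checks is my assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from any SELinux project.
# Splits a /proc/mounts-style listing into mounts with a context= option
# (which autorelabel does not relabel, as stated in the thread) and
# read-write mounts on label-capable filesystems that a relabel will walk.

# Constructed sample in /proc/mounts format (devices and paths invented).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,seclabel 0 0
/dev/sdb1 /exports ext4 rw,relatime,context=system_u:object_r:default_t:s0 0 0
/dev/sdc1 /data xfs rw,relatime,seclabel 0 0
tmpfs /run tmpfs rw,nosuid,nodev,seclabel 0 0'

# Mount points whose option field contains context= (this also matches
# fscontext=, defcontext= and rootcontext=, which carry a fixed label too).
context_mounts() {
    printf '%s\n' "$1" | awk '$4 ~ /context=/ { print $2 }'
}

# Read-write mounts without any context option, restricted to filesystem
# types assumed here to carry per-file labels: these are what a relabel
# would actually touch, so they are the ones worth excluding explicitly.
relabel_candidates() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^(ext[234]|xfs|btrfs|jfs|gfs2)$/ &&
        $4 ~ /(^|,)rw(,|$)/ && $4 !~ /context=/ { print $2 }'
}

# On a live host: relabel_candidates "$(cat /proc/mounts)"
```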