On Sat, 2017-11-25 at 19:10 +0100, Gionatan Danti wrote:
> Being a regular user of selinux, I often face situations where some
> common directories (e.g. /var/log or /var/lib) need to be redirected to
> other partitions/volumes.
>
> A very simple approach, without impacting selinux at all, is to mount a
> volume at the precise path I need to replace, i.e. mount
> /dev/vg_test/lv_lib on /var/lib. However, this is a
> one-volume-per-directory approach and I would like to avoid it.
>
> The other possibility is to create a single big volume with multiple
> directories, mount it, and
> 1) symlink the original dir (i.e. /var/log) to the new one (i.e.
> /mnt/volume/var/log);
> 2) use a bind mount to re-mount the destination dir
> (/mnt/volume/var/log) on the original one (/var/log).
>
> The symlink approach is self-explaining, as anyone listing the original
> directory will immediately notice it. However, it sometimes requires
> extensive customization of the selinux policy, a thing I try hard to
> avoid.
>
> The bind mount approach is somewhat simpler from the selinux standpoint,
> but it is much less discoverable by a simple "ls".
>
> What do you feel is the preferred approach? Am I missing something?
>
> Thanks.
I prefer bind mounts (along with file context equivalence to ensure
that the source directory is correctly labeled), but there are
tradeoffs of course.

WRT the impact on SELinux policy, this perhaps points to an
unnecessary fragility in policy that could be addressed through better
macros/interfaces.
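An added example of the bind-mount-plus-equivalence setup the reply recommends (not code from either poster). It assumes the volume is mounted at /mnt/volume and that /var/log is the directory being relocated onto /mnt/volume/var/log; it registers the equivalence with `semanage fcontext -a -e`, relabels the backing directory, bind-mounts it over the canonical path, persists the mount in /etc/fstab, and checks with `matchpathcon` that both paths now resolve to the same default label. The argument order matters: the canonical (source) path comes first, the new (target) path second, otherwise /var/log ends up labeled as if it were the backing directory. With DRY_RUN=1 it only prints the commands; without it, run as root on an SELinux host.

```sh
#!/bin/sh
# Example added to this thread, not code from either poster. Assumed paths:
# backing directory /mnt/volume/var/log, canonical directory /var/log.
# DRY_RUN=1 prints the privileged commands instead of executing them.

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Both arguments must be distinct absolute paths.
check_paths() {
    case $1 in /*) ;; *) return 1 ;; esac
    case $2 in /*) ;; *) return 1 ;; esac
    [ "$1" != "$2" ]
}

# fstab entry that makes the bind mount persistent:
# "<backing> <canonical> none bind 0 0"
fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# relocate_dir <backing> <canonical>
relocate_dir() {
    backing=$1
    canon=$2
    check_paths "$backing" "$canon" || {
        echo "need two distinct absolute paths" >&2
        return 1
    }

    # 1. Equivalence: label everything under <backing> as if it lived
    #    under <canonical>. Note the order: canonical first, backing second.
    run semanage fcontext -a -e "$canon" "$backing"
    # 2. Apply the now-equivalent default labels to existing content; the
    #    bind mount exposes the labels of these underlying inodes.
    run restorecon -R "$backing"
    # 3. Bind-mount the backing directory over the canonical path...
    run mount --bind "$backing" "$canon"
    # 4. ...and persist it across reboots.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ fstab: $(fstab_line "$backing" "$canon")"
    else
        fstab_line "$backing" "$canon" >> /etc/fstab
    fi
    # 5. Check: the default context for a file under either path must agree
    #    (matchpathcon prints "<path>\t<context>" for each argument).
    run matchpathcon "$backing/messages" "$canon/messages"
}

# Usage: DRY_RUN=1 sh relocate.sh   (prints the plan)
#        sh relocate.sh             (applies it, as root)
# relocate_dir /mnt/volume/var/log /var/log
```

Without the equivalence rule, `restorecon` would label /mnt/volume/var/log according to the generic rule for /mnt, and the bind mount would then expose those wrong labels at /var/log; the `matchpathcon` check at the end is the quick way to confirm that the two paths agree before starting any daemon that writes there.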