On 09/02/2010 01:45 PM, Daniel B. Thurman wrote:
> On 09/02/2010 07:40 AM, Daniel J Walsh wrote:
>> On 08/27/2010 04:14 AM, Paul Howarth wrote:
>>> On 27/08/10 07:12, Daniel B. Thurman wrote:
>>>>
>>>> I have several versions of root distro partitions of which I do
>>>> mount via fstab, but of course only one / and /boot partition
>>>> is to be defined for the version to be booted.
>>>>
>>>> What I would like to know is, if I do an /.autorelabel,
>>>> for one boot/root partition, does this mean that every
>>>> mounted filesystem that appears in /etc/fstab also gets
>>>> relabeled? If so, this is not what I want especially if
>>>> other root distro partitions are being mounted for example,
>>>> say: /md/{distro1, distro2, ...}
>>>>
>>>> So, how do I get around this? I could comment out
>>>> all entries in /etc/fstab except / and /boot (plus the
>>>> required entries), touch /.autorelabel, reboot, and once
>>>> relabeling is completed, then add back in the commented
>>>> out fstab entries, then issue a mount -a. Could I add an option
>>>> entry say: NO_RELABEL to certain fstab entries?
>>>>
>>>> Since I was introduced to the /media since F9, I never could
>>>> figure out how to add mounted "media" filesystems, which
>>>> is why I added them instead to fstab.
>>>>
>>>> How do I solve this issue?
>>
>>> I create a local policy module for this sort of thing, with a file
>>> contexts entry like this:
>>
>>> # Don't touch stuff here
>>> /srv/homes(/.*)? <<none>>
>>
>>> So you could have:
>>> ::::::::::::::
>>> otherdistros.fc
>>> ::::::::::::::
>>> /md/distro1(/.*)? <<none>>
>>> /md/distro2(/.*)? <<none>>
>>
>>> ::::::::::::::
>>> otherdistros.te
>>> ::::::::::::::
>>> policy_module(otherdistros, 0.0.1)
>>
>>> Building and installing that module should do the trick.
>>
>>> Paul.
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> I have blogged on this.
>>
>> http://danwalsh.livejournal.com/38157.html
>
> Yes, it's good to know, and it should help users who
> are faced with similar situations.
>
> My choice was to update only the fstab file for each and
> every mount entry. The only question in my mind is, by
> having different fstabs, could relabels occur depending on
> which OS is booted, or are the contexts a mask that leaves
> the "actual underlying context" alone?
>
> For example:
>
> 1) F12: /etc/fstab:
>
> LABEL=RF12D1  /           ext4  defaults                                      1 1
> LABEL=BF12D1  /boot       ext4  defaults                                      1 2
> [...]
> LABEL=RF13D3  /md/RF13D3  ext4  context=system_u:object_r:root_t:s0,defaults  0 0
>
> 2) F13: /etc/fstab:
>
> LABEL=RF13D3  /           ext4  defaults                                      1 1
> LABEL=BF13D3  /boot       ext4  defaults                                      1 2
> [...]
> LABEL=RF12D1  /md/RF12D1  ext4  context=system_u:object_r:root_t:s0,defaults  0 0
>
> Does this mean that if I boot F12, the RF13D3 / partition would be
> relabeled as root_t, and if I boot F13, the RF12D1 / partition would
> be relabeled as root_t? I note that the entire mounted /md/X file
> contents are seen as root_t context. Could this cause any problems?

No, no relabeling will happen. Although if while booted into F12 you
created a file anywhere within the F13 tree, the file might get created
with the root_t label.

> It is interesting to note that for the /md/X/ mounted filesystem, a root
> user cannot change the / files, whereas / subdirectory files can be
> changed/modified.
>
> The workaround is to unmount the /md/X filesystem, remount it
> as default, make the change, unmount again, and then mount -a, OR
> simply reboot to the OS and make the changes in the normal way.

That is strange, what AVC are you seeing?

> But as it is, it seems to work well, and more importantly, only / and
> /boot are relabeled if /.autorelabel is touched; all other /md mounts
> are not traversed during the auto-relabeling phase AFAIK because
> all I see is stars (*).
>
> Thanks for your help!
> Dan
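The `<<none>>` file-context entry Paul describes above tells setfiles/restorecon, and therefore the /.autorelabel pass, to leave the matching paths alone. As an added example, not code from the thread or from any of its authors: a Python helper that reads an fstab-style listing and writes the otherdistros.fc/.te pair for every mount point other than `/`, `/boot` and the kernel pseudo-filesystems, escaping regex metacharacters because the first column of a file_contexts file is a regular expression. The fstab text, the `PROTECTED`/`PSEUDO_FS` sets and the function names are assumptions of this example; the module name and the RF12D1/RF13D3 labels follow the thread, and mounts that carry a `context=` option are annotated because their labels are fixed by the mount rather than by xattrs.

```python
import re

# Constructed fstab for this example; the labels mimic the thread's RF12D1/RF13D3 naming.
SAMPLE_FSTAB = """\
# F13 install: its own root and boot, plus two other distro roots under /md
LABEL=RF13D3  /           ext4   defaults                                       1 1
LABEL=BF13D3  /boot       ext4   defaults                                       1 2
tmpfs         /dev/shm    tmpfs  defaults                                       0 0
proc          /proc       proc   defaults                                       0 0
LABEL=RF12D1  /md/RF12D1  ext4   context=system_u:object_r:root_t:s0,defaults   0 0
LABEL=RF11D2  /md/RF11D2  ext4   defaults                                       0 0
"""

# Mount points whose labels belong to the running system: never exclude these (assumed set).
PROTECTED = {"/", "/boot"}
# Pseudo-filesystems are labeled by the kernel (genfscon), not by restorecon (assumed set).
PSEUDO_FS = {"proc", "sysfs", "tmpfs", "devpts", "devtmpfs", "swap"}

_REGEX_META = re.compile(r"([.^$*+?{}\[\]\\|()])")


def parse_fstab(text):
    """Yield (mountpoint, fstype, options) per real entry, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        yield fields[1], fields[2], fields[3]


def context_option(options):
    """Return the label given by a context= mount option, or None if the fs keeps xattr labels."""
    for opt in options.split(","):
        if opt.startswith("context="):
            return opt[len("context="):]
    return None


def fc_pattern(mountpoint):
    """Escape a path for file_contexts, whose first column is a regular expression."""
    path = mountpoint.rstrip("/") or "/"
    return _REGEX_META.sub(r"\\\1", path) + "(/.*)?"


def excluded_mounts(fstab_text):
    """Mount points that should get a <<none>> entry, paired with their mount options."""
    return [(mp, opts) for mp, fstype, opts in parse_fstab(fstab_text)
            if mp not in PROTECTED and fstype not in PSEUDO_FS]


def build_fc(fstab_text):
    """Produce otherdistros.fc: one <<none>> line per excluded mount point."""
    lines = ["# Don't touch stuff here: other distros' root trees stay out of relabels"]
    for mp, opts in excluded_mounts(fstab_text):
        ctx = context_option(opts)
        if ctx:
            # A context= mount shows every file with this one label and does not let
            # labels be changed through the mount; the <<none>> entry is still harmless.
            lines.append(f"# {mp} is mounted with context={ctx}")
        lines.append(f"{fc_pattern(mp)}\t<<none>>")
    return "\n".join(lines) + "\n"


def build_te(name="otherdistros", version="0.0.1"):
    """The .te needs nothing but the module header: no rules, only file contexts."""
    return f"policy_module({name}, {version})\n"


if __name__ == "__main__":
    print(build_fc(SAMPLE_FSTAB))
    print(build_te())
```

Write the two strings to otherdistros.fc and otherdistros.te in one directory, then build and load the module with Fedora's policy devel Makefile: `make -f /usr/share/selinux/devel/Makefile otherdistros.pp` followed by `semodule -i otherdistros.pp`. Afterwards `matchpathcon /md/RF11D2/etc/passwd` should report `<<none>>`, and `restorecon -nvR /md/RF11D2` should propose no changes; if it still lists files, the module did not load or the pattern does not match the real mount point.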