 
Old 01-22-2009, 01:15 PM
Paul Howarth
 
Default bind-mounted homedirs

On a RHEL 5 server I have bind-mounted home directories, where the data
on the server actually lives in /srv/homes but this is bind-mounted to
/nis-home. The user home directories in LDAP refer to the /nis-home
locations.


When I updated to the 5.3 selinux policy, everything under /srv/homes
got relabelled based on the /srv/homes pathname rather than the
/nis-home pathname. What would be the best way of preventing this from
happening in the future?


Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-26-2009, 07:18 PM
Daniel J Walsh
 
Default bind-mounted homedirs

Paul Howarth wrote:
> On a RHEL 5 server I have bind-mounted home directories, where the data
> on the server actually lives in /srv/homes but this is bind-mounted to
> /nis-home. The user home directories in LDAP refer to the /nis-home
> locations.
>
> When I updated to the 5.3 selinux policy, everything under /srv/homes
> got relabelled based on the /srv/homes pathname rather than the
> /nis-home pathname. What would be the best way of preventing this from
> happening in the future?
>
> Paul.

You can setup the labeling using semanage.


semanage fcontext -a -t home_root_t /srv/homes
semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'
 
Old 01-26-2009, 07:31 PM
Paul Howarth
 
Default bind-mounted homedirs

On Mon, 26 Jan 2009 15:18:05 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:

> Paul Howarth wrote:
> > On a RHEL 5 server I have bind-mounted home directories, where the
> > data on the server actually lives in /srv/homes but this is
> > bind-mounted to /nis-home. The user home directories in LDAP refer
> > to the /nis-home locations.
> >
> > When I updated to the 5.3 selinux policy, everything
> > under /srv/homes got relabelled based on the /srv/homes pathname
> > rather than the /nis-home pathname. What would be the best way of
> > preventing this from happening in the future?
> >
> > Paul.
>
> You can setup the labeling using semanage.
>
>
> semanage fcontext -a -t home_root_t /srv/homes
> semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
> semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'

That gets the majority of things right but misses things like
~/.spamassassin (spamassassin_home_t).

Is there a way of seeing the full set of homedir contexts that would
include additions from local policy modules? At least with that I'd be
able to replicate them to /srv/homes/

Paul.

 
Old 01-27-2009, 01:01 PM
Daniel J Walsh
 
Default bind-mounted homedirs

Paul Howarth wrote:
> On Mon, 26 Jan 2009 15:18:05 -0500
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> Paul Howarth wrote:
>>> On a RHEL 5 server I have bind-mounted home directories, where the
>>> data on the server actually lives in /srv/homes but this is
>>> bind-mounted to /nis-home. The user home directories in LDAP refer
>>> to the /nis-home locations.
>>>
>>> When I updated to the 5.3 selinux policy, everything
>>> under /srv/homes got relabelled based on the /srv/homes pathname
>>> rather than the /nis-home pathname. What would be the best way of
>>> preventing this from happening in the future?
>>>
>>> Paul.
>> You can setup the labeling using semanage.
>>
>>
>> semanage fcontext -a -t home_root_t /srv/homes
>> semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
>> semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'
>
> That gets the majority of things right but misses things like
> ~/.spamassassin (spamassassin_home_t).
>
> Is there a way of seeing the full set of homedir contexts that would
> include additions from local policy modules? At least with that I'd be
> able to replicate them to /srv/homes/
>
> Paul.

I attempted to open a discussion on what you are trying to do on this
list a couple of weeks ago.

You could do some sed/shell magic with the

/etc/selinux/targeted/modules/active/homedir_template

file, but I think the solution is to be able to add alternative roots in
the libsemanage.conf file and have it do the labeling for you.

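The "sed/shell magic" on homedir_template mentioned above, as an added example that is not part of the original message or of any SELinux tooling: it rewrites template-style lines for an alternative home root such as /srv/homes and prints file-context lines. The sample template is constructed, and the handling of the HOME_ROOT, HOME_DIR, USER and ROLE placeholders is an assumption about the template's layout.

```shell
#!/bin/sh
# Added example (not from the thread): turn homedir_template-style lines into
# file-context lines for an alternative home root.
# Assumption: the template marks paths with HOME_ROOT / HOME_DIR, and lines
# containing USER or ROLE need per-user expansion, so they are skipped here.

# Constructed sample in the template's layout (not copied from a real system).
sample_template() {
cat <<'EOF'
# constructed sample
HOME_ROOT  -d  system_u:object_r:home_root_t:s0
HOME_DIR  -d  system_u:object_r:user_home_dir_t:s0
HOME_DIR/.+  system_u:object_r:user_home_t:s0
HOME_DIR/\.spamassassin(/.*)?  system_u:object_r:spamassassin_home_t:s0
/tmp/gconfd-USER  -d  system_u:object_r:ROLE_tmp_t:s0
EOF
}

# rewrite_template ALT_ROOT: template on stdin, .fc lines for ALT_ROOT on stdout.
rewrite_template() {
    alt_root=${1%/}                      # drop one trailing slash
    case $alt_root in
        /*) ;;
        *) echo "alternative root must be an absolute path" >&2; return 2 ;;
    esac
    # Path specs in file_contexts are regexes, so escape metacharacters.
    esc=$(printf '%s\n' "$alt_root" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    # ENVIRON is used instead of -v because -v would interpret backslashes.
    ALT_ESC="$esc" awk '
        /^#/ || /^[ \t]*$/ { next }
        /USER|ROLE/  { print "skipped (per-user): " $0 > "/dev/stderr"; next }
        /^HOME_ROOT/ { print ENVIRON["ALT_ESC"] substr($0, 10); next }
        /^HOME_DIR/  { print ENVIRON["ALT_ESC"] "/[^/]*" substr($0, 9) }
    '
}

# Stand-alone run: show the entries for the /srv/homes tree from the thread.
sample_template | rewrite_template /srv/homes
```

The lines written to stderr are the per-user entries that were not converted and still need handling by hand.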
 
Old 01-27-2009, 02:01 PM
Rituraj Goswami
 
Default bind-mounted homedirs

Help. I have a Microsoft IntelliPoint mouse and Fedora 10 doesn't show the icon. Is anyone having the same problem? It's detected, and if I press the Control key after configuring, it shows the graphical circle around it but doesn't show the icon. Can anyone help?

 
Old 01-27-2009, 06:27 PM
Daniel J Walsh
 
Default bind-mounted homedirs

Rituraj Goswami wrote:
> Help. I have a Microsoft IntelliPoint mouse and Fedora 10 doesn't show the
> icon. Is anyone having the same problem? It's detected, and if I press the
> Control key after configuring, it shows the graphical circle around it but
> doesn't show the icon. Can anyone help?

I think you are asking on the wrong list.

Unless this is an selinux issue, you should be asking this on
fedora-list@redhat.com
 
Old 02-04-2009, 08:26 AM
 
Default bind-mounted homedirs

Hello,

> File, but I think the solution is to be able to add alternative roots in
> the libsemanage.conf file and have it do the labeling for you.

I do have a very similar problem - I run a bit modified version of base filesystem (for cluster purpose) and some directories are moved to /node or /cluster and symlinked to original location.

For example there is /var/log which is a symlink to /node/var/log. And during relabels/restorecon log files in /node/var/log are not labeled properly (labeled as default_t).

It's not really possible to give alternative root paths in semanage.conf, is it?
If so, that would solve my problem.

Kind Regards,

Pawel Gega
 
Old 02-17-2009, 06:29 PM
Stephen Smalley
 
Default bind-mounted homedirs

On Thu, 2009-01-22 at 14:15 +0000, Paul Howarth wrote:
> On a RHEL 5 server I have bind-mounted home directories, where the data
> on the server actually lives in /srv/homes but this is bind-mounted to
> /nis-home. The user home directories in LDAP refer to the /nis-home
> locations.
>
> When I updated to the 5.3 selinux policy, everything under /srv/homes
> got relabelled based on the /srv/homes pathname rather than the
> /nis-home pathname. What would be the best way of preventing this from
> happening in the future?

If you just want to prevent automatic relabeling from touching that tree
at all, just add a "<<none>>" entry for it to file_contexts, e.g.

semanage fcontext -a -t "<<none>>" "/srv/homes(/.*)?"

--
Stephen Smalley
National Security Agency

 
Old 02-18-2009, 08:54 AM
Paul Howarth
 
Default bind-mounted homedirs

Stephen Smalley wrote:
> On Thu, 2009-01-22 at 14:15 +0000, Paul Howarth wrote:
>> On a RHEL 5 server I have bind-mounted home directories, where the data
>> on the server actually lives in /srv/homes but this is bind-mounted to
>> /nis-home. The user home directories in LDAP refer to the /nis-home
>> locations.
>>
>> When I updated to the 5.3 selinux policy, everything under /srv/homes
>> got relabelled based on the /srv/homes pathname rather than the
>> /nis-home pathname. What would be the best way of preventing this from
>> happening in the future?
>
> If you just want to prevent automatic relabeling from touching that tree
> at all, just add a "<<none>>" entry for it to file_contexts, e.g.
>
> semanage fcontext -a -t "<<none>>" "/srv/homes(/.*)?"


Excellent! That seems to work perfectly - though I prefer to use a local
policy module rather than semanage for these things:


localmisc.fc:
...
# Don't touch stuff here
/srv/homes(/.*)? <<none>>
...

Paul.

