On a RHEL 5 server I have bind-mounted home directories, where the data
on the server actually lives in /srv/homes but this is bind-mounted to
/nis-home. The user home directories in LDAP refer to the /nis-home
locations.
When I updated to the 5.3 selinux policy, everything under /srv/homes
got relabelled based on the /srv/homes pathname rather than the
/nis-home pathname. What would be the best way of preventing this from
happening in the future?
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
01-26-2009, 07:18 PM
Daniel J Walsh
bind-mounted homedirs
Paul Howarth wrote:
> On a RHEL 5 server I have bind-mounted home directories, where the data
> on the server actually lives in /srv/homes but this is bind-mounted to
> /nis-home. The user home directories in LDAP refer to the /nis-home
> locations.
>
> When I updated to the 5.3 selinux policy, everything under /srv/homes
> got relabelled based on the /srv/homes pathname rather than the
> /nis-home pathname. What would be the best way of preventing this from
> happening in the future?
>
> Paul.
You can set up the labeling using semanage.
semanage fcontext -a -t home_root_t /srv/homes
semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'
01-26-2009, 07:31 PM
Paul Howarth
bind-mounted homedirs
On Mon, 26 Jan 2009 15:18:05 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:
> Paul Howarth wrote:
> > On a RHEL 5 server I have bind-mounted home directories, where the
> > data on the server actually lives in /srv/homes but this is
> > bind-mounted to /nis-home. The user home directories in LDAP refer
> > to the /nis-home locations.
> >
> > When I updated to the 5.3 selinux policy, everything
> > under /srv/homes got relabelled based on the /srv/homes pathname
> > rather than the /nis-home pathname. What would be the best way of
> > preventing this from happening in the future?
> >
> > Paul.
>
> You can set up the labeling using semanage.
>
>
> semanage fcontext -a -t home_root_t /srv/homes
> semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
> semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'
That gets the majority of things right but misses things like
~/.spamassassin (spamassassin_home_t).
Is there a way of seeing the full set of homedir contexts that would
include additions from local policy modules? At least with that I'd be
able to replicate them to /srv/homes/
Paul.
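Added example (not part of any poster's message): one way to replicate the policy's home-directory contexts onto the backing path, as asked above, is to rewrite the path prefix of each entry and emit .fc lines for a local policy module. It assumes the entries come from the policy's generated homedir context list (e.g. /etc/selinux/targeted/contexts/files/file_contexts.homedirs) and that /nis-home appears there as a home root; the function names and sample entries are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Reads file_contexts-style entries on
# stdin and emits .fc lines with the path prefix $1 replaced by $2.
remap_homedir_contexts() {
    awk -v from="$1" -v to="$2" '
        NF < 2 || $1 ~ /^#/ { next }          # blank lines and comments
        {
            path = $1; ctx = $NF
            ftype = (NF == 3) ? $2 : ""       # optional file type, e.g. -d
            # Accept the prefix only at a path boundary, so /nis-home-old
            # is not mistaken for /nis-home.
            c = substr(path, length(from) + 1, 1)
            if (substr(path, 1, length(from)) != from) next
            if (c != "" && c != "/" && c != "(") next
            path = to substr(path, length(from) + 1)
            # user:role:type:level becomes gen_context(user:role:type,level);
            # anything else (e.g. <<none>>) is passed through unchanged.
            if (split(ctx, p, ":") == 4)
                ctx = "gen_context(" p[1] ":" p[2] ":" p[3] "," p[4] ")"
            if (ftype != "") printf "%s\t%s\t%s\n", path, ftype, ctx
            else             printf "%s\t%s\n", path, ctx
        }'
}

# Constructed sample entries (assumed to resemble what the generated homedir
# context list contains when /nis-home is treated as a home root).
sample_contexts() {
    cat <<'EOF'
# constructed sample, not taken from a real policy
/nis-home -d system_u:object_r:home_root_t:s0
/nis-home/[^/]* -d system_u:object_r:user_home_dir_t:s0
/nis-home/[^/]*/.+ system_u:object_r:user_home_t:s0
/nis-home/[^/]*/\.spamassassin(/.*)? system_u:object_r:spamassassin_home_t:s0
/nis-home-old/[^/]*/.+ system_u:object_r:user_home_t:s0
/home/[^/]*/.+ system_u:object_r:user_home_t:s0
EOF
}

sample_contexts | remap_homedir_contexts /nis-home /srv/homes
```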
01-27-2009, 01:01 PM
Daniel J Walsh
bind-mounted homedirs
Paul Howarth wrote:
> On Mon, 26 Jan 2009 15:18:05 -0500
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> Paul Howarth wrote:
>>> On a RHEL 5 server I have bind-mounted home directories, where the
>>> data on the server actually lives in /srv/homes but this is
>>> bind-mounted to /nis-home. The user home directories in LDAP refer
>>> to the /nis-home locations.
>>>
>>> When I updated to the 5.3 selinux policy, everything
>>> under /srv/homes got relabelled based on the /srv/homes pathname
>>> rather than the /nis-home pathname. What would be the best way of
>>> preventing this from happening in the future?
>>>
>>> Paul.
>> You can set up the labeling using semanage.
>>
>>
>> semanage fcontext -a -t home_root_t /srv/homes
>> semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
>> semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'
>
> That gets the majority of things right but misses things like
> ~/.spamassassin (spamassassin_home_t).
>
> Is there a way of seeing the full set of homedir contexts that would
> include additions from local policy modules? At least with that I'd be
> able to replicate them to /srv/homes/
>
> Paul.
I attempted to open a discussion on what you are trying to do on this
list a couple of weeks ago,
01-27-2009, 02:01 PM
Rituraj Goswami
bind-mounted homedirs
help. i have a microsoft intellipoint mouse and fedora 10 doesn't show the icon. is anyone having the same problem. it's detected and if i press the control key after configuring it shows the graphical circle around it but doesn't show the icon. can anyone help.
01-27-2009, 06:27 PM
Daniel J Walsh
bind-mounted homedirs
Rituraj Goswami wrote:
> help. i have a microsoft intellipoint mouse and fedora 10 doesn't show the
> icon. is anyone having the same problem. it's detected and if i press the
> control key after configuring it shows the graphical circle around it but
> doesn't show the icon. can anyone help.
I think you are asking on the wrong list.
Unless this is an selinux issue, you should be asking this on
fedora-list@redhat.com
02-04-2009, 08:26 AM
bind-mounted homedirs
Hello,
> File, but I think the solution is to be able to add alternative roots in
> the libsemanage.conf file and have it do the labeling for you.
I do have a very similar problem - I run a bit modified version of base filesystem (for cluster purpose) and some directories are moved to /node or /cluster and symlinked to original location.
For example there is /var/log which is a symlink to /node/var/log. And during relabels/restorecon log files in /node/var/log are not labeled properly (labeled as default_t).
It's not really possible to give alternative root paths in semanage.conf, is it?
If so, that would solve my problem.
Kind Regards,
Pawel Gega
02-17-2009, 06:29 PM
Stephen Smalley
bind-mounted homedirs
On Thu, 2009-01-22 at 14:15 +0000, Paul Howarth wrote:
> On a RHEL 5 server I have bind-mounted home directories, where the data
> on the server actually lives in /srv/homes but this is bind-mounted to
> /nis-home. The user home directories in LDAP refer to the /nis-home
> locations.
>
> When I updated to the 5.3 selinux policy, everything under /srv/homes
> got relabelled based on the /srv/homes pathname rather than the
> /nis-home pathname. What would be the best way of preventing this from
> happening in the future?
If you just want to prevent automatic relabeling from touching that tree
at all, just add a "<<none>>" entry for it to file_contexts, e.g.
semanage fcontext -a -t "<<none>>" "/srv/homes(/.*)?"
--
Stephen Smalley
National Security Agency
02-18-2009, 08:54 AM
Paul Howarth
bind-mounted homedirs
Stephen Smalley wrote:
> On Thu, 2009-01-22 at 14:15 +0000, Paul Howarth wrote:
>> On a RHEL 5 server I have bind-mounted home directories, where the data
>> on the server actually lives in /srv/homes but this is bind-mounted to
>> /nis-home. The user home directories in LDAP refer to the /nis-home
>> locations.
>>
>> When I updated to the 5.3 selinux policy, everything under /srv/homes
>> got relabelled based on the /srv/homes pathname rather than the
>> /nis-home pathname. What would be the best way of preventing this from
>> happening in the future?
>
> If you just want to prevent automatic relabeling from touching that tree
> at all, just add a "<<none>>" entry for it to file_contexts, e.g.
> semanage fcontext -a -t "<<none>>" "/srv/homes(/.*)?"
Excellent! That seems to work perfectly - though I prefer to use a local
policy module rather than semanage for these things:
localmisc.fc:
...
# Don't touch stuff here
/srv/homes(/.*)? <<none>>
...
Paul.