Linux Archive > Fedora SELinux Support > fcontext nightmare - Help please?
http://www.linux-archive.org/fedora-selinux-support/694036-fcontext-nightmare-help-please.html

Edward Harvey 08-14-2012 09:04 PM

fcontext nightmare - Help please?
 
I'm managing an Amazon virtual machine, with 8G / partition, and a larger secondary storage device attached. I enabled selinux, and I'm trying to make things work (and keep things secure) while migrating some things such as the ldap & mysql directories to the second device.

As far as I know, simply extending the / partition isn't an option (not LVM) ... Conceivably I could just make a clone larger machine, but there are a lot of advantages to having the separate storage device... which can be LVM, and prevents the / filesystem from getting filled up, and can be detached/reattached to other machines, etc etc. So I'm trying like heck to keep the second storage device separate.

Here's the problem:

I mount /data, and now I've got to move & preserve things like the /var/lib/mysql directory to a subdir of /data, while preserving selinux types and everything. I started out by simply mimicking the / structure ...

    sudo mount /data
    sudo mkdir -p /data/var/lib
    sudo chown --reference=/ /data
    sudo chcon --reference=/ /data
    sudo chmod --reference=/ /data
    sudo chown --reference=/var /data/var
    sudo chcon --reference=/var /data/var
    sudo chmod --reference=/var /data/var
    sudo chown --reference=/var/lib /data/var/lib
    sudo chcon --reference=/var/lib /data/var/lib
    sudo chmod --reference=/var/lib /data/var/lib

And finally

    cd /var/lib ; sudo tar cpf - --selinux mysql | (cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -

I understand that chcon is not persistent...
And after all the above was done, I meticulously examined all the contexts of all those directories and confirmed they do match the original...

Unfortunately, as soon as I start mysqld, the context of /data/var/lib/mysql gets reset. I don't know how or why that is happening, but I presume it's because I haven't set the fcontext. So ...

I want to write a script that walks through the whole /var/lib/mysql directory, and creates matching fcontexts for /data/var/lib/mysql. Better yet ... I would like to create fcontext applied to /data which is a complete replica of /

Here is where I'm getting stuck. I can do "semanage fcontext -l" and I see all the information, but it's not in a format that's suitable to modify and feed back into semanage. I can do "semanage -o -" but it only says "fcontext -D" which is not helpful.

I can't seem to find any combination of commands that will allow me to get all the fcontexts of / (or a relatively large subdir of /) and modify them with the /data prefix to feed back into semanage.

Help please?

Thanks...

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
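What the post asks for, written out as an added example (my code, not anything from the post or from the semanage tool): parse the `semanage fcontext -l` listing, keep the rules anchored under a source subtree, and emit the `semanage fcontext -a` commands that recreate them under the new path. The listing is constructed for the example, in the column layout semanage prints; `parse_listing`, `rules_under` and `prefixed_commands` are names I chose. The replies further down the thread show that `semanage fcontext -a -e` makes all of this unnecessary for a full mirror of /, but the mechanics of the listing format are the same either way.

```python
"""Turn `semanage fcontext -l` output into `semanage fcontext -a` commands
for a copy of a subtree under a new path.

Added example, not code from the post. The listing below is constructed
in the layout semanage prints (regex, file-type description, context).
"""
import re
import shlex

SAMPLE_LISTING = """\
SELinux fcontext                                   type               Context
/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
/var(/.*)?                                         all files          system_u:object_r:var_t:s0
/var/lib(/.*)?                                     all files          system_u:object_r:var_lib_t:s0
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0
/var/lib/ldap(/.*)?                                all files          system_u:object_r:slapd_db_t:s0
/var/run/mysqld(/.*)?                              all files          system_u:object_r:mysqld_var_run_t:s0
/dev/null                                          character device   <<None>>
"""

# File-type description as printed by `semanage fcontext -l` -> letter for -f.
# "all files" needs no -f at all.
FTYPE_FLAG = {
    "all files": None,
    "regular file": "f",
    "directory": "d",
    "character device": "c",
    "block device": "b",
    "socket": "s",
    "symbolic link": "l",
    "named pipe": "p",
}

LINE_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?P<ftype>" + "|".join(map(re.escape, FTYPE_FLAG)) +
    r")\s+(?P<ctx>\S+)\s*$"
)


def parse_listing(text):
    """Return [(regex, ftype, setype)] for every rule line that carries a type."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or blank line
        if m.group("ctx") == "<<None>>":
            continue                      # explicit "do not label" rule
        setype = m.group("ctx").split(":")[2]
        rules.append((m.group("regex"), m.group("ftype"), setype))
    return rules


def rules_under(rules, subtree):
    """Keep rules whose regex is anchored at `subtree` (literal prefix match)."""
    sub = subtree.rstrip("/")
    return [r for r in rules
            if sub == "" or r[0] == sub or r[0].startswith((sub + "/", sub + "("))]


def prefixed_commands(rules, src_subtree, dst_subtree):
    """Emit `semanage fcontext -a` commands recreating src_subtree's rules
    under dst_subtree, e.g. /var/lib/mysql -> /data/var/lib/mysql."""
    sub = src_subtree.rstrip("/")
    dst = dst_subtree.rstrip("/")
    cmds = []
    for regex, ftype, setype in rules_under(rules, src_subtree):
        # The rule for the subtree root itself maps to the bare new path.
        new_regex = dst if regex == (sub or "/") else dst + regex[len(sub):]
        cmd = ["semanage", "fcontext", "-a"]
        if FTYPE_FLAG[ftype]:
            cmd += ["-f", FTYPE_FLAG[ftype]]
        cmd += ["-t", setype, new_regex]
        cmds.append(" ".join(shlex.quote(c) for c in cmd))
    return cmds


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for cmd in prefixed_commands(rules, "/var/lib/mysql", "/data/var/lib/mysql"):
        print(cmd)
    # Then: restorecon -R -v /data/var/lib/mysql
```

Run the printed commands as root, then `restorecon -R -v /data/var/lib/mysql`; `semanage fcontext -l -C` shows only the local rules afterwards, which is the set you would delete again with `semanage fcontext -d` if the migration is reverted.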

Dominick Grift 08-14-2012 09:21 PM

fcontext nightmare - Help please?
 
You might want to check out the semanage --equiv option. (man semanage)

That basically allows you to alias existing file context structures:

here's an example from man semanage:

For home directories under top level directory, for
example /disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6

so in your case you might want to make /data equivalent to / or
something

semanage fcontext -a -e / /data
restorecon -R -v -F /data

That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t
etc.

just as if it was your main file system.

On Tue, 2012-08-14 at 17:04 -0400, Edward Harvey wrote:
> I'm managing an Amazon virtual machine, with 8G / partition, and a
> larger secondary storage device attached. I enabled selinux, and I'm
> trying to make things work (and keep things secure) while migrating
> some things such as the ldap & mysql directories to the second device.
>
> As far as I know, simply extending the / partition isn't an option
> (not LVM) ... Conceivably I could just make a clone larger machine,
> but there are a lot of advantages to having the separate storage
> device... which can be LVM, and prevents the / filesystem from getting
> filled up, and can be detached/reattached to other machines, etc etc.
> So I'm trying like heck to keep the second storage device separate.
>
> Here's the problem:
>
> I mount /data, and now I've got to move & preserve things like
> the /var/lib/mysql directory to a subdir of /data, while preserving
> selinux types and everything. I started out by simply mimicking the /
> structure ...
>
> sudo mount /data
> sudo mkdir -p /data/var/lib
> sudo chown --reference=/ /data
> sudo chcon --reference=/ /data
> sudo chmod --reference=/ /data
> sudo chown --reference=/var /data/var
> sudo chcon --reference=/var /data/var
> sudo chmod --reference=/var /data/var
> sudo chown --reference=/var/lib /data/var/lib
> sudo chcon --reference=/var/lib /data/var/lib
> sudo chmod --reference=/var/lib /data/var/lib
>
> And finally
>
> cd /var/lib ; sudo tar cpf - --selinux mysql |
> (cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -
>
> I understand that chcon is not persistent...
>
> And after all the above was done, I meticulously examined all the
> contexts of all those directories and confirmed they do match the
> original...
>
> Unfortunately, as soon as I start mysqld, the context
> of /data/var/lib/mysql gets reset. I don't know how or why that is
> happening, but I presume it's because I haven't set the fcontext.
> So ...
>
> I want to write a script that walks through the whole /var/lib/mysql
> directory, and creates matching fcontexts for /data/var/lib/mysql.
> Better yet ... I would like to create fcontext applied to /data which
> is a complete replica of /
>
> Here is where I'm getting stuck. I can do "semanage fcontext -l" and
> I see all the information, but it's not in a format that's suitable to
> modify and feed back into semanage. I can do "semanage -o -" but it
> only says "fcontext -D" which is not helpful.
>
> I can't seem to find any combination of commands that will allow me to
> get all the fcontexts of / (or a relatively large subdir of /) and
> modify them with the /data prefix to feed back into semanage.
>
> Help please?
>
> Thanks...



Edward Harvey 08-15-2012 02:41 PM

fcontext nightmare - Help please?
 
> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> bounces@lists.fedoraproject.org] On Behalf Of Dominick Grift
>
> semanage fcontext -a -e / /data
> restorecon -R -v -F /data

That worked like a charm, thank you very much. :-)



Tom London 08-19-2012 08:24 PM

fcontext nightmare - Help please?
 
On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift
<dominick.grift@gmail.com> wrote:
> You might want to check out the semanage --equiv option. (man semanage)
>
> That basically allows you to alias existing file context structures:
>
> heres an example from man semanage:
>
> For home directories under top level directory, for
> example /disk6/home,
> execute the following commands.
> # semanage fcontext -a -t home_root_t "/disk6"
> # semanage fcontext -a -e /home /disk6/home
> # restorecon -R -v /disk6
>
> so in your case you might want to make /data equivalent to / or
> something
>
> semanage fcontext -a -e / /data
> restorecon -R -v -F /data
>
> That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t
> etc.
>
> just as if it was your main file system.
>

So this sounds exactly like what I would like to do with my LUKS encrypted
USB backup drive.

Unfortunately, I'm stumbling across the fact that the drive is
'automagically' mounted (when I login or power it on), and it gets
mounted on /run/media/tbl/Backup1TB:

/dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
/run/media/tbl/Backup1TB type ext4
(rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)

The 'semanage -e' command spews:

[root@tlondon ~]# semanage fcontext -a -e / /run/media/tbl/Backup1TB/X200
/sbin/semanage: File spec /run/media/tbl/Backup1TB/X200 conflicts with
equivalency rule '/run /var/run'; Try adding
'/var/run/media/tbl/Backup1TB/X200' instead
[root@tlondon ~]#

Appears that '/var/run/media' doesn't exist on my system (I guess /run
and /var/run are not really 'equivalent'?).

Is this an issue with my system (e.g., do I need an explicit entry in
fstab or some such)? With the scaffolding that deals with /run and
/var/run? Other? Should this work?

Thanks,
tom
--
Tom London

Dominick Grift 08-19-2012 08:35 PM

fcontext nightmare - Help please?
 
On Sun, 2012-08-19 at 13:24 -0700, Tom London wrote:
> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift
> <dominick.grift@gmail.com> wrote:
> > You might want to check out the semanage --equiv option. (man semanage)
> >
> > That basically allows you to alias existing file context structures:
> >
> > heres an example from man semanage:
> >
> > For home directories under top level directory, for
> > example /disk6/home,
> > execute the following commands.
> > # semanage fcontext -a -t home_root_t "/disk6"
> > # semanage fcontext -a -e /home /disk6/home
> > # restorecon -R -v /disk6
> >
> > so in your case you might want to make /data equivalent to / or
> > something
> >
> > semanage fcontext -a -e / /data
> > restorecon -R -v -F /data
> >
> > That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t
> > etc.
> >
> > just as if it was your main file system.
> >
>
> So this sounds exactly like what I would like to do with my LUKS encrypted
> USB backup drive.
>
> Unfortunately, I'm stumbling across the fact that the drive is
> 'automagically' mounted (when I login or power it on), and it gets
> mounted on /run/media/tbl/Backup1TB:
>
> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
> /run/media/tbl/Backup1TB type ext4
> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>
> The 'semanage -e' command spews:
>
> [root@tlondon ~]# semanage fcontext -a -e / /run/media/tbl/Backup1TB/X200
> /sbin/semanage: File spec /run/media/tbl/Backup1TB/X200 conflicts with
> equivalency rule '/run /var/run'; Try adding
> '/var/run/media/tbl/Backup1TB/X200' instead
> [root@tlondon ~]#
>
> Appears that '/var/run/media' doesn't exist on my system (I guess /run
> and /var/run are not really 'equivalent'?).
>
> Is this an issue with my system (e.g., do I need an explicit entry in
> fstab or some such)? With the scaffolding that deals with /run and
> /var/run? Other? Should this work?

I think the issue is due to using "-e" on a location that is already
"-e'd"

/run is equivalent to /var/run, it seems that you cant currently make
such a location equivalent to something else again.

This is something to consider...


> Thanks,
> tom



Daniel J Walsh 08-20-2012 09:59 AM

fcontext nightmare - Help please?
 

On 08/19/2012 04:24 PM, Tom London wrote:
> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift <dominick.grift@gmail.com>
> wrote:
>> You might want to check out the semanage --equiv option. (man semanage)
>>
>> That basically allows you to alias existing file context structures:
>>
>> heres an example from man semanage:
>>
>> For home directories under top level directory, for example /disk6/home,
>> execute the following commands. # semanage fcontext -a -t home_root_t
>> "/disk6" # semanage fcontext -a -e /home /disk6/home # restorecon -R -v
>> /disk6
>>
>> so in your case you might want to make /data equivalent to / or
>> something
>>
>> semanage fcontext -a -e / /data restorecon -R -v -F /data
>>
>> That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t
>> etc.
>>
>> just as if it was your main file system.
>>
>
> So this sounds exactly like what I would like to do with my LUKS encrypted USB
> backup drive.
>
> Unfortunately, I'm stumbling across the fact that the drive is
> 'automagically' mounted (when I login or power it on), and it gets mounted
> on /run/media/tbl/Backup1TB:
>
> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
> /run/media/tbl/Backup1TB type ext4
> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>
> The 'semanage -e' command spews:
>
> [root@tlondon ~]# semanage fcontext -a -e / /run/media/tbl/Backup1TB/X200
> /sbin/semanage: File spec /run/media/tbl/Backup1TB/X200 conflicts with
> equivalency rule '/run /var/run'; Try adding
> '/var/run/media/tbl/Backup1TB/X200' instead [root@tlondon ~]#
>
> Appears that '/var/run/media' doesn't exist on my system (I guess /run and
> /var/run are not really 'equivalent'?).
>
> Is this an issue with my system (e.g., do I need an explicit entry in fstab or
> some such)? With the scaffolding that deals with /run and /var/run? Other?
> Should this work?
>
> Thanks, tom
>
Yes, it is telling you about a double equivalence. The systemd guys have suggested
that we reverse the equivalence. Since /var/run does not really exist anymore,
they suggested we move to /var/run -> /run rather than what we currently have,
/run -> /var/run. My concern with this switch would be if users/package
developers had already added file contexts for /var/run.

Tom London 09-17-2012 01:00 AM

fcontext nightmare - Help please?
 
On Mon, Aug 20, 2012 at 2:59 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 08/19/2012 04:24 PM, Tom London wrote:
>> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift <dominick.grift@gmail.com>
>> wrote:
>>> You might want to check out the semanage --equiv option. (man semanage)
>>>
>>> That basically allows you to alias existing file context structures:
>>>
>>> heres an example from man semanage:
>>>
>>> For home directories under top level directory, for example /disk6/home,
>>> execute the following commands. # semanage fcontext -a -t home_root_t
>>> "/disk6" # semanage fcontext -a -e /home /disk6/home # restorecon -R -v
>>> /disk6
>>>
>>> so in your case you might want to make /data equivalent to / or
>>> something
>>>
>>> semanage fcontext -a -e / /data restorecon -R -v -F /data
>>>
>>> That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t
>>> etc.
>>>
>>> just as if it was your main file system.
>>>
>>
>> So this sounds exactly like what I would like to do with my LUKS encrypted USB
>> backup drive.
>>
>> Unfortunately, I'm stumbling across the fact that the drive is
>> 'automagically' mounted (when I login or power it on), and it gets mounted
>> on /run/media/tbl/Backup1TB:
>>
>> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
>> /run/media/tbl/Backup1TB type ext4
>> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>>
>> The 'semanage -e' command spews:
>>
>> [root@tlondon ~]# semanage fcontext -a -e / /run/media/tbl/Backup1TB/X200
>> /sbin/semanage: File spec /run/media/tbl/Backup1TB/X200 conflicts with
>> equivalency rule '/run /var/run'; Try adding
>> '/var/run/media/tbl/Backup1TB/X200' instead [root@tlondon ~]#
>>
>> Appears that '/var/run/media' doesn't exist on my system (I guess /run and
>> /var/run are not really 'equivalent'?).
>>
>> Is this an issue with my system (e.g., do I need an explicit entry in fstab or
>> some such)? With the scaffolding that deals with /run and /var/run? Other?
>> Should this work?
>>
>> Thanks, tom
>>
> Yes, it is telling you about a double equivalence. The systemd guys have suggested
> that we reverse the equivalence. Since /var/run does not really exist anymore,
> they suggested we move to /var/run -> /run rather than what we currently have,
> /run -> /var/run. My concern with this switch would be if users/package
> developers had already added file contexts for /var/run.

So I tried this to work around the 'one-level equivalence detection':

[root@tlondon ~]# mount --bind /run/media/tbl/Backup1TB/X200/ /mnt
[root@tlondon ~]# semanage fcontext -a -t root_t /mnt
[root@tlondon ~]# semanage fcontext -a -e / /mnt
[root@tlondon ~]# restorecon -v -R /mnt
restorecon reset /mnt context
system_u:object_r:admin_home_t:s0->system_u:object_r:root_t:s0
restorecon reset /mnt/.tcshrc context
staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
restorecon reset /mnt/run context
staff_u:object_r:admin_home_t:s0->staff_u:object_r:var_run_t:s0
restorecon reset /mnt/enable-unconfined context
unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:etc_runtime_t:s0
restorecon reset /mnt/.lesshst context
staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
<<<<<SNIP>>>>>
<<<<<Lots of relabelling here>>>>>
restorecon reset /mnt/var/cache/krb5rcache context
staff_u:object_r:var_t:s0->staff_u:object_r:krb5_host_rcache_t:s0
restorecon reset /mnt/var/cache/jetty context
system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0
restorecon reset /mnt/var/cache/jetty/temp context
system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0
restorecon reset /mnt/var/cache/httpd context
staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0
restorecon reset /mnt/var/cache/httpd/proxy context
staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0
[root@tlondon ~]#

I checked a few relabelled files, and the contexts seem correct, for example:
restorecon reset /mnt/usr/share/jetty/bin/jetty.sh context
staff_u:object_r:bin_t:s0->staff_u:object_r:httpd_exec_t:s0


I should have used something other than '/mnt', of course. And since
the drive is not persistently mounted, I'm thinking of wrapping the
'rsync' command with 'semanage' commands that temporarily add/delete
the mappings.

Am I correct in assuming that the way to do this is (presuming bind
mount the mounted path to '/backup'):


semanage fcontext -a -t root_t /backup
semanage fcontext -a -e / /backup

rsync ..... lots of options

semanage fcontext -d -e / /backup
semanage fcontext -d -t root_t /backup


That seem right?

Thanks!
tom
--
Tom London

Daniel J Walsh 09-17-2012 01:51 PM

fcontext nightmare - Help please?
 

On 09/16/2012 09:00 PM, Tom London wrote:
> On Mon, Aug 20, 2012 at 2:59 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 08/19/2012 04:24 PM, Tom London wrote:
>>>> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift
>>>> <dominick.grift@gmail.com> wrote:
>>>>> You might want to check out the semanage --equiv option. (man
>>>>> semanage)
>>>>>
>>>>> That basically allows you to alias existing file context
>>>>> structures:
>>>>>
>>>>> heres an example from man semanage:
>>>>>
>>>>> For home directories under top level directory, for example
>>>>> /disk6/home, execute the following commands. # semanage fcontext -a
>>>>> -t home_root_t "/disk6" # semanage fcontext -a -e /home /disk6/home
>>>>> # restorecon -R -v /disk6
>>>>>
>>>>> so in your case you might want to make /data equivalent to / or
>>>>> something
>>>>>
>>>>> semanage fcontext -a -e / /data restorecon -R -v -F /data
>>>>>
>>>>> That should label /data root_t, /data/var var_t, /data/var/lib
>>>>> var_lib_t etc.
>>>>>
>>>>> just as if it was your main file system.
>>>>>
>>>>
>>>> So this sounds exactly like what I would like to do with my LUKS encrypted
>>>> USB backup drive.
>>>>
>>>> Unfortunately, I'm stumbling across the fact that the drive is
>>>> 'automagically' mounted (when I login or power it on), and it gets
>>>> mounted on /run/media/tbl/Backup1TB:
>>>>
>>>> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
>>>> /run/media/tbl/Backup1TB type ext4
>>>> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>>>>
>>>> The 'semanage -e' command spews:
>>>>
>>>> [root@tlondon ~]# semanage fcontext -a -e /
>>>> /run/media/tbl/Backup1TB/X200 /sbin/semanage: File spec
>>>> /run/media/tbl/Backup1TB/X200 conflicts with equivalency rule '/run
>>>> /var/run'; Try adding '/var/run/media/tbl/Backup1TB/X200' instead
>>>> [root@tlondon ~]#
>>>>
>>>> Appears that '/var/run/media' doesn't exist on my system (I guess
>>>> /run and /var/run are not really 'equivalent'?).
>>>>
>>>> Is this an issue with my system (e.g., do I need an explicit entry in
>>>> fstab or some such)? With the scaffolding that deals with /run and
>>>> /var/run? Other? Should this work?
>>>>
>>>> Thanks, tom
>>>>
> Yes, it is telling you about a double equivalence. The systemd guys have
> suggested that we reverse the equivalence. Since /var/run does not really
> exist anymore, they suggested we move to /var/run -> /run rather than what
> we currently have, /run -> /var/run. My concern with this switch would be
> if users/package developers had already added file contexts for /var/run.
>
> So I tried this to work around the 'one-level equivalence detection':
>
> [root@tlondon ~]# mount --bind /run/media/tbl/Backup1TB/X200/ /mnt
> [root@tlondon ~]# semanage fcontext -a -t root_t /mnt [root@tlondon ~]#
> semanage fcontext -a -e / /mnt [root@tlondon ~]# restorecon -v -R /mnt
> restorecon reset /mnt context
> system_u:object_r:admin_home_t:s0->system_u:object_r:root_t:s0 restorecon
> reset /mnt/.tcshrc context
> staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
> restorecon reset /mnt/run context
> staff_u:object_r:admin_home_t:s0->staff_u:object_r:var_run_t:s0 restorecon
> reset /mnt/enable-unconfined context
> unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:etc_runtime_t:s0
> restorecon reset /mnt/.lesshst context
> staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
> <<<<<SNIP>>>>> <<<<<Lots of relabelling here>>>>> restorecon reset
> /mnt/var/cache/krb5rcache context
> staff_u:object_r:var_t:s0->staff_u:object_r:krb5_host_rcache_t:s0
> restorecon reset /mnt/var/cache/jetty context
> system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0 restorecon
> reset /mnt/var/cache/jetty/temp context
> system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0 restorecon
> reset /mnt/var/cache/httpd context
> staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0 restorecon
> reset /mnt/var/cache/httpd/proxy context
> staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0 [root@tlondon
> ~]#
>
> I checked a few relabelled files, and the contexts seem correct, for
> example: restorecon reset /mnt/usr/share/jetty/bin/jetty.sh context
> staff_u:object_r:bin_t:s0->staff_u:object_r:httpd_exec_t:s0
>
>
> I should have used something other than '/mnt', of course. And since the
> drive is not persistently mounted, I'm thinking of wrapping the 'rsync'
> command with 'semanage' commands that temporarily add/delete the mappings.
>
> Am I correct in assuming that the way to do this is (presuming bind mount
> the mounted path to '/backup'):
>
>
> semanage fcontext -a -t root_t /backup semanage fcontext -a -e / /backup
>
> rsync ..... lots of options
>
> semanage fcontext -d -e / /backup semanage fcontext -d -t root_t /backup
>
>
> That seem right?
>
> Thanks! tom
>

I would figure

/backup/run/blah or /backup/usr/lib64 might be labeled differently than /run
and /usr/lib64.

Since only one substitution would happen, you would really need to do all of
the substitutions again:

/backup/run == /var/run
/backup/usr/lib64 == /usr/lib
...

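The two replies above, put into a small model (an added example; a toy re-implementation of mine, not libselinux code and not from the thread): `apply_equivalence` rewrites the aliased prefix of a path to its canonical path before the regex rules are consulted, exactly once, and `lookup_type` then takes the last matching rule. With `/data == /`, `/data/var/lib/mysql/...` resolves through `/var/lib/mysql/...` to `mysqld_db_t`, which is the result Edward Harvey confirmed. With `/backup == /`, `/backup/run/mysqld` is rewritten to `/run/mysqld` and stops there, so it never reaches the rules that live under `/var/run`; `mirror_equivalences` generates the re-rooted copies of the distribution aliases that Daniel Walsh says are needed. The rule excerpt, the alias table and the longest-alias-first ordering are constructed for the model and simplify what libselinux actually does.

```python
"""Model of how an fcontext equivalence is applied during a label lookup.

Added example: a toy re-implementation, not libselinux and not from the
thread. An equivalence such as `semanage fcontext -a -e / /data` rewrites
the path prefix before the regex rules are consulted, and only one rewrite
happens per lookup, so a mirror of / under /backup does not inherit the
distribution's own /run -> /var/run alias. Rules, the alias table and the
"longest alias wins" ordering are constructed for the model.
"""
import re

# Constructed excerpt of file_contexts as (regex, type); a later rule
# overrides an earlier one, which is how /var/lib/mysql(/.*)? beats /.*
FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/", "root_t"),
    (r"/var(/.*)?", "var_t"),
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/lib/mysql(/.*)?", "mysqld_db_t"),
    (r"/var/run(/.*)?", "var_run_t"),
    (r"/usr/lib(/.*)?", "lib_t"),
]

# Constructed alias table in the spirit of file_contexts.subs_dist:
# (alias, canonical). These two are the distribution entries named in
# Daniel Walsh's reply; equivalences added with `semanage fcontext -e`
# are appended by the callers below.
DIST_SUBS = [
    ("/run", "/var/run"),
    ("/usr/lib64", "/usr/lib"),
]


def apply_equivalence(path, subs):
    """Rewrite the longest alias that prefixes `path` to its canonical
    form. Exactly one rewrite is performed; the result is not re-checked
    against the table, which is the limitation discussed in the thread."""
    for alias, canon in sorted(subs, key=lambda s: -len(s[0])):
        a = alias.rstrip("/")
        if path == a or path.startswith(a + "/"):
            return (canon.rstrip("/") + path[len(a):]) or "/"
    return path


def lookup_type(path, subs=DIST_SUBS, rules=FILE_CONTEXTS):
    """Return (type, path that was actually matched) for `path`."""
    canon = apply_equivalence(path, subs)
    matched = None
    for regex, setype in rules:
        if re.fullmatch(regex, canon):
            matched = setype              # last matching rule wins
    return matched, canon


def mirror_equivalences(mirror, dist_subs=DIST_SUBS):
    """Equivalences needed so that a full copy of / under `mirror` labels
    the way / does: the root alias plus a re-rooted copy of every
    distribution alias (Daniel Walsh's "do all the substitutions again")."""
    m = mirror.rstrip("/")
    return [(m, "/")] + [(m + alias, canon) for alias, canon in dist_subs]


if __name__ == "__main__":
    data = DIST_SUBS + [("/data", "/")]
    print(lookup_type("/data/var/lib/mysql/ibdata1", data))  # mysqld_db_t

    # One substitution only: /backup/run becomes /run, and /run has no
    # rule of its own because the real rules live under /var/run.
    naive = DIST_SUBS + [("/backup", "/")]
    print(lookup_type("/backup/run/mysqld", naive))           # default_t
    print(lookup_type("/run/mysqld", DIST_SUBS))              # var_run_t

    # Re-rooting every distribution alias under /backup repairs it.
    full = DIST_SUBS + mirror_equivalences("/backup")
    print(lookup_type("/backup/run/mysqld", full))            # var_run_t
    print(lookup_type("/backup/usr/lib64/libz.so", full))     # lib_t
```

On a real system the check is `matchpathcon /backup/run/mysqld` (or `restorecon -n -v -R /backup`) before and after adding the extra `-e` rules: if the dry run still wants to relabel the subtree to something generic, an alias is missing.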

Tom London 09-17-2012 02:06 PM

fcontext nightmare - Help please?
 
On Mon, Sep 17, 2012 at 6:51 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 09/16/2012 09:00 PM, Tom London wrote:
>> On Mon, Aug 20, 2012 at 2:59 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> On 08/19/2012 04:24 PM, Tom London wrote:
>>>>> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift
>>>>> <dominick.grift@gmail.com> wrote:
>>>>>> You might want to check out the semanage --equiv option. (man
>>>>>> semanage)
>>>>>>
>>>>>> That basically allows you to alias existing file context
>>>>>> structures:
>>>>>>
>>>>>> heres an example from man semanage:
>>>>>>
>>>>>> For home directories under top level directory, for example
>>>>>> /disk6/home, execute the following commands. # semanage fcontext -a
>>>>>> -t home_root_t "/disk6" # semanage fcontext -a -e /home /disk6/home
>>>>>> # restorecon -R -v /disk6
>>>>>>
>>>>>> so in your case you might want to make /data equivalent to / or
>>>>>> something
>>>>>>
>>>>>> semanage fcontext -a -e / /data restorecon -R -v -F /data
>>>>>>
>>>>>> That should label /data root_t, /data/var var_t, /data/var/lib
>>>>>> var_lib_t etc.
>>>>>>
>>>>>> just as if it was your main file system.
>>>>>>
>>>>>
>>>>> So this sounds exactly like what I would like to do with my LUKS encrypted
>>>>> USB backup drive.
>>>>>
>>>>> Unfortunately, I'm stumbling across the fact that the drive is
>>>>> 'automagically' mounted (when I login or power it on), and it gets
>>>>> mounted on /run/media/tbl/Backup1TB:
>>>>>
>>>>> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on
>>>>> /run/media/tbl/Backup1TB type ext4
>>>>> (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
>>>>>
>>>>> The 'semanage -e' command spews:
>>>>>
>>>>> [root@tlondon ~]# semanage fcontext -a -e /
>>>>> /run/media/tbl/Backup1TB/X200 /sbin/semanage: File spec
>>>>> /run/media/tbl/Backup1TB/X200 conflicts with equivalency rule '/run
>>>>> /var/run'; Try adding '/var/run/media/tbl/Backup1TB/X200' instead
>>>>> [root@tlondon ~]#
>>>>>
>>>>> Appears that '/var/run/media' doesn't exist on my system (I guess
>>>>> /run and /var/run are not really 'equivalent'?).
>>>>>
>>>>> Is this an issue with my system (e.g., do I need an explicit entry in
>>>>> fstab or some such)? With the scaffolding that deals with /run and
>>>>> /var/run? Other? Should this work?
>>>>>
>>>>> Thanks, tom
>>>>>
>> Yes, it is telling you about a double equivalence. The systemd guys have
>> suggested that we reverse the equivalence. Since /var/run does not really
>> exist anymore, they suggested we move to /var/run -> /run rather than what
>> we currently have, /run -> /var/run. My concern with this switch would be
>> if users/package developers had already added file contexts for /var/run.
>>
>> So I tried this to work around the 'one-level equivalence detection':
>>
>> [root@tlondon ~]# mount --bind /run/media/tbl/Backup1TB/X200/ /mnt
>> [root@tlondon ~]# semanage fcontext -a -t root_t /mnt [root@tlondon ~]#
>> semanage fcontext -a -e / /mnt [root@tlondon ~]# restorecon -v -R /mnt
>> restorecon reset /mnt context
>> system_u:object_r:admin_home_t:s0->system_u:object_r:root_t:s0 restorecon
>> reset /mnt/.tcshrc context
>> staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
>> restorecon reset /mnt/run context
>> staff_u:object_r:admin_home_t:s0->staff_u:object_r:var_run_t:s0 restorecon
>> reset /mnt/enable-unconfined context
>> unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:etc_runtime_t:s0
>> restorecon reset /mnt/.lesshst context
>> staff_u:object_r:admin_home_t:s0->staff_u:object_r:etc_runtime_t:s0
>> <<<<<SNIP>>>>> <<<<<Lots of relabelling here>>>>> restorecon reset
>> /mnt/var/cache/krb5rcache context
>> staff_u:object_r:var_t:s0->staff_u:object_r:krb5_host_rcache_t:s0
>> restorecon reset /mnt/var/cache/jetty context
>> system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0 restorecon
>> reset /mnt/var/cache/jetty/temp context
>> system_u:object_r:var_t:s0->system_u:object_r:jetty_cache_t:s0 restorecon
>> reset /mnt/var/cache/httpd context
>> staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0 restorecon
>> reset /mnt/var/cache/httpd/proxy context
>> staff_u:object_r:var_t:s0->staff_u:object_r:httpd_cache_t:s0 [root@tlondon
>> ~]#
>>
>> I checked a few relabelled files, and the contexts seem correct, for
>> example: restorecon reset /mnt/usr/share/jetty/bin/jetty.sh context
>> staff_u:object_r:bin_t:s0->staff_u:object_r:httpd_exec_t:s0
>>
>>
>> I should have used something other than '/mnt', of course. And since the
>> drive is not persistently mounted, I'm thinking of wrapping the 'rsync'
>> command with 'semanage' commands that temporarily add/delete the mappings.
>>
>> Am I correct in assuming that the way to do this is (presuming bind mount
>> the mounted path to '/backup'):
>>
>>
>> semanage fcontext -a -t root_t /backup semanage fcontext -a -e / /backup
>>
>> rsync ..... lots of options
>>
>> semanage fcontext -d -e / /backup semanage fcontext -d -t root_t /backup
>>
>>
>> That seem right?
>>
>> Thanks! tom
>>
>
> I would figure
>
> /backup/run/blah or /backup/usr/lib64 might be labeled differently than /run
> and /usr/lib64.
>
> Since only one substitution would happen, you would really need to do all of
> the substitutions again:
>
> /backup/run == /var/run
> /backup/usr/lib64 == /usr/lib
> ...
>

Argh.... Of course.

Ignore above....

tom

--
Tom London

