SELinux

Daniel J Walsh dwalsh at redhat.com
Fri Feb 8 13:41:03 UTC 2008


Terry - Fedora Core wrote:
> As I reported on another thread, SELinux has caused me trouble and
> blocked access to my hard disks.
> 
> To solve the problem, I set SELinux to "permissive" mode. Am I positive
> that SELinux caused the problem of not being able to access the hard disks?
> No. But then when I set SELinux to permissive mode the problem
> disappeared. Not proof, but very strong evidence.
> 
> My question:
> 
> Should I enable SELinux again?
> 
> What do I gain if I do?
> 
> Will the gain be greater than the loss of accessing my computer hard disks?
> 
> And if I do, how do I try to prevent it from locking me out of the hard
> disks again?
> 
> How do I determine what caused SELinux to block access, how much trouble
> is it to change SELinux to prevent it from doing that again?
> 
> Your insights are appreciated.
> 
> Terry
> 
Look for error messages in /var/log/audit/audit.log.  Install
setroubleshoot; it will tell you when SELinux is complaining about
something and attempt to give you a way to fix it.

Most likely the disk you are having problems with is not labeled
correctly.  SELinux relies on extended attributes containing labels for
every file on the system.  If a file does not have a label, the kernel
says the label is file_t and no confined domains can use the file.  You
can either label the disk, by executing a command like

restorecon -R -v PATHTODISK

Or you can fully relabel the entire system using

touch /.autorelabel; reboot

Or if you do not want to label the disk you can use the mount
command/fstab entry to put a single label for the entire file system.

mount -o context="system_u:object_r:default_t:s0" DISK MOUNTPOINT
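
The audit.log check described in the reply above, as an added example that is not part of the original message: it groups AVC denials whose target type is file_t by device, confined domain and object class, which points at the filesystem that needs labeling. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize AVC denials that hit unlabeled (file_t) objects.

# Constructed sample records in audit.log AVC format (not from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1202478001.101:41): avc:  denied  { read } for  pid=2301 comm="smbd" name="photos" dev=sdb1 ino=12 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1202478001.101:41): arch=40000003 syscall=5 success=no exit=-13 pid=2301 comm="smbd"
type=AVC msg=audit(1202478002.220:42): avc:  denied  { getattr } for  pid=2301 comm="smbd" name="a.jpg" dev=sdb1 ino=13 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1202478003.330:43): avc:  denied  { read } for  pid=2301 comm="smbd" name="music" dev=sdb1 ino=14 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1202478004.440:44): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=sda2 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print "device domain class count" for every
# group of denials whose target context has the type file_t (no label on disk).
file_t_denials() {
    awk '
    $1 == "type=AVC" && /avc:  *denied/ {
        dev = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dev=/)           dev = substr($i, 5)
            else if ($i ~ /^scontext=/) src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        gsub(/"/, "", dev)              # some kernels quote the device name
        split(src, s, ":")              # user:role:type:level
        split(tgt, t, ":")
        if (t[3] == "file_t") count[dev " " s[3] " " cls]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Run on the constructed sample; on a real system, as root:
#   file_t_denials < /var/log/audit/audit.log
sample_audit_log | file_t_denials
```

Each output line names a device with unlabeled files and the confined domain that was denied; the denial against user_home_t is left out because that target already carries a label.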