SELinux concerning symlink?
Craig White
craigwhite at azapple.com
Thu Jul 24 21:27:13 UTC 2008
On Thu, 2008-07-24 at 21:11 +0000, Mike wrote:
> Craig White <craigwhite <at> azapple.com> writes:
>
> > > Hence there seems to be a bug in the SELinux policy on this issue?
> > ----
> > I would doubt that.../opt is not a usual place for users $home
> > directories and thus the policy for files in that tree would not be
> > suitable for the method you are using.
>
> You may well be right - I installed F9 on another machine where I have
> the user areas in a pre-existing /home partition and this worked without
> issues.
>
> However there must be a way to work around the problem?
>
> I know I could re-partition and make a new partition for /home and a
> separate partition for /opt - but that would be hard work at this stage.
>
> Or I could in future make /home a partition and then make a subdirectory
> /home/opt and symlink that to /opt - but that may then lead to other
> problems that I have not come to at this stage using SELinux....
>
> It seems that using SELinux opens up issues that I had never previously
> thought about... and if there is no easy workaround then I would be pushed
> into switching off SELinux again which would be a shame.
----
you probably just need to duplicate the contexts that they would have as
if they were in the 'home' directory...
$ ls -lZ /home/craig/.ssh
-rw------- craig craig user_u:object_r:user_home_t client.id_dsa.key
-rw------- craig craig user_u:object_r:user_home_t id_dsa
-rw-rw-r-- craig craig unconfined_u:object_r:user_home_t id_dsa.keystore
-rw-r--r-- craig craig unconfined_u:object_r:user_home_t id_dsa.pub
-rw------- craig craig unconfined_u:object_r:user_home_t id_rsa
-rw-rw-r-- craig craig unconfined_u:object_r:user_home_t id_rsa.keystore
-rw-r--r-- craig craig unconfined_u:object_r:user_home_t id_rsa.pub
-rw------- craig craig user_u:object_r:user_home_t known_hosts
but the issue of policy is that these are not the settings these files
would get if they were located in /opt.
That's why you need to go to the selinux-list because they might have
some good ideas
Craig
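As an added example (not part of the thread), this is one way to do what Craig describes: make the policy label a non-standard home tree the way it labels /home, then audit an `ls -Z` listing for files that did not pick up user_home_t. It assumes the user areas live under /opt/home (a placeholder path, not one named in the thread) and that semanage and restorecon from policycoreutils are installed; the listing it audits is a constructed sample in the format shown above.

```shell
#!/bin/sh
# Added example, not code from the fedora-list thread.
# Assumes user home directories live under /opt/home (placeholder path).
HOME_ROOT="${HOME_ROOT:-/opt/home}"
# Default is preview only; run as root with DRY_RUN=0 to apply the relabel.
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command in preview mode, otherwise execute it.
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

label_as_home() {
    # Register $1 as path-equivalent to /home so the policy derives
    # user_home_dir_t / user_home_t for it instead of the /opt default
    # (usr_t), then relabel the existing files to match.
    root="$1"
    run semanage fcontext -a -e /home "$root"
    run restorecon -R -v "$root"
}

find_mislabeled() {
    # Read 'ls -Z' lines (mode user group context name, as in the thread)
    # on stdin and print the names whose SELinux type is not user_home_t.
    # Field 3 of the context is the type, so an MLS level suffix is ignored.
    while read -r mode user group ctx name; do
        [ -n "$name" ] || continue
        type=$(echo "$ctx" | cut -d: -f3)
        [ "$type" = "user_home_t" ] || echo "$name"
    done
}

# Constructed sample listing: the last file kept the /opt default label.
SAMPLE_LS_Z='-rw------- craig craig user_u:object_r:user_home_t id_rsa
-rw-r--r-- craig craig unconfined_u:object_r:user_home_t id_rsa.pub
-rw------- craig craig unconfined_u:object_r:usr_t known_hosts'

label_as_home "$HOME_ROOT"
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled
```

Replace the sample with `ls -Z "$HOME_ROOT"/*/.ssh` output after relabelling to confirm nothing is still carrying the /opt type.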