Experiences with selinux enabled targeted on Fedora Core 3
Valdis.Kletnieks at vt.edu
Tue Apr 19 02:25:58 UTC 2005
On Mon, 18 Apr 2005 20:36:40 +1000, Russell Coker said:
> On Tuesday 22 February 2005 12:15, Valdis.Kletnieks at vt.edu wrote:
> > At least at one point in time, I was seeing random avc errors on mount
> > points that made absolutely no sense - I'd do an 'ls -Z' and it would look
> > OK. Finally twigged in that I needed to unmount the file system, relabel
> > the *directory*, and then remount. Seem to remember /usr/share and
> > /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4
> > different file systems on my box).
>
> In those cases a dontaudit rule will usually do the job. If the file system
> is not mounted then there's nothing that the application can usefully do
> under the mount point, and ENOENT and EACCES usually get the same
> code paths in most applications that try to open files.
In my case, actually labelling the directories correctly was the better fix.
What I got bit by was that all previous relabels had happened with filesystems
mounted - so (for instance) the directory seen as /usr got labelled as usr_t.
During early boot, I'd have a complaint about it being something else, I'd go
back and check it, and it was usr_t. Finally brought the box up in very
single-user, unmounted /usr - and the underlying directory *wasn't* usr_t... ;)
Found out /boot and /var had similar issues, cleared up by relabelling the
mountpoint directories...
Not sure if/how to fix this for the general case - it almost requires multiple
passes - first labelling / (so mountpoint dirs like /boot and /usr and /var get
labelled), then mounting those filesystems and labelling them, then repeating
for any subdirs (on my laptop, /usr/share and /usr/local bit me, on another
box that hosts a database it's /var/lib/mysql).
(For all I know, the current 'filesystems' RPM gets this all correct for new
systems and boot-from-CD based upgrades, and I got bit only because I've just
'rpm -Fvh'-ed all the way along, and not done a clean install).
Personally, I'm not thrilled by the idea of sticking in dontaudit rules to
quiet complaints at boot time that are caused by directories that are mislabelled.
Thoughts?
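As an added example (not part of this thread or of any Fedora tool), the following POSIX shell script checks the mislabelled-mountpoint problem described above without unmounting anything: it bind-mounts the parent filesystem elsewhere so the directory hidden under each mountpoint becomes visible, then compares its type with that of the mounted filesystem's root. The parent/child pairs are the ones named in the message; the use of chcon --reference for the optional fix is an assumption.

```shell
# Added example, not from the original thread. Without unmounting anything, compares the
# label of each mounted filesystem root with the directory hidden beneath it, by viewing
# the parent filesystem through a non-recursive bind mount. Assumes root, bind-mount
# support, and 'ls -Z' printing a user:role:type[:range] field. Report only unless FIX=1.

# SELinux type from one 'ls -dZ' line (old and new coreutils layouts). Constructed
# sample input: "drwxr-xr-x root root system_u:object_r:usr_t /usr" -> usr_t
type_from_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if (split($i, c, ":") >= 3) { print c[3]; exit } }'
}
type_of() { type_from_ls_line "$(ls -dZ "$1" 2>/dev/null)"; }

# Where the directory hidden under mountpoint $2 appears when its parent filesystem
# $1 is bind-mounted at $3: hidden_path / /usr /mnt/v -> /mnt/v/usr
hidden_path() {
    rel=${2#"$1"}
    printf '%s/%s\n' "$3" "${rel#/}"
}

# $1 = mountpoint of the parent filesystem, $2 = mountpoint to check.
# Returns 0 on match, 1 on mismatch, 2 if the check could not run.
check_mountpoint() {
    parent=$1; mp=$2; rc=0
    view=$(mktemp -d /tmp/mpcheck.XXXXXX) || return 2
    mount --bind "$parent" "$view" || { rmdir "$view"; return 2; }
    hidden=$(hidden_path "$parent" "$mp" "$view")
    mounted_t=$(type_of "$mp"); hidden_t=$(type_of "$hidden")
    if [ "$mounted_t" = "$hidden_t" ]; then
        echo "ok       $mp ($mounted_t)"
    else
        echo "MISMATCH $mp: mounted=$mounted_t underlying=$hidden_t"
        # restorecon on $hidden would compute the context for the bind path,
        # so copy the label from the mounted root instead (assumed fix).
        [ "${FIX:-0}" = 1 ] && chcon --reference="$mp" "$hidden"
        rc=1
    fi
    umount "$view"; rmdir "$view"
    return $rc
}

# Pairs from the message (parent first: / before /usr before /usr/share); run as root with --check.
if [ "${1:-}" = --check ]; then
    status=0
    for pair in "/ /boot" "/ /usr" "/ /var" "/usr /usr/share" "/usr /usr/local" \
                "/var /var/lib/mysql"; do
        set -- $pair; check_mountpoint "$1" "$2" || status=1
    done
    exit $status
fi
```

Because the bind mount is non-recursive, /mnt/v/usr shows the directory on the root filesystem rather than the mounted /usr, which is exactly the directory the relabel pass misses while the filesystem is mounted.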