Re: Experiences with selinux enabled targeted on Fedora Core 3

On Mon, 18 Apr 2005 20:36:40 +1000, Russell Coker said:
> On Tuesday 22 February 2005 12:15, Valdis Kletnieks vt edu wrote:
> > At least at one point in time, I was seeing random avc errors on mount
> > points that made absolutely no sense - I'd do an 'ls -Z' and it would look
> > OK. Finally twigged in that I needed to unmount the file system, relabel
> > the *directory*, and then remount.  Seem to remember /usr/share and
> > /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4
> > different file systems on my box).
> In those cases a dontaudit rule will usually do the job.  If the file system 
> is not mounted then there's nothing that the application can usefully do 
> under the mount point and usually ENOENT and EACCESS usually get the same 
> code paths in most applications that try to open files.

In my case, actually labelling the directories correctly was the better fix.

What I got bit by was that all previous relabels had happened with filesystems
mounted - so (for instance) the directory seen as /usr got labelled as usr_t.
During early boot, I'd have a complaint about it being something else, I'd go
back and check it, and it was usr_t.   Finally brought the box up in very
single-user, unmounted /usr - and the underlying directory *wasn't* usr_t... ;)
Found out /boot and /var had similar issues, cleared up by relabelling the
mountpoint directories...

Not sure if/how to fix this for the general case - it almost requires multiple
passes - first labelling / (so mountpoint dirs like /boot and /usr and /var get
labelled), then mounting those filesystems and labelling them, then repeating
for any subdirs (on my laptop, /usr/share and /usr/local bit me, on another
box that hosts a database it's /var/lib/mysql).

(For all I know, the current 'filesystems' RPM gets this all correct for new
systems and boot-from-CD based upgrades, and I got bit only because I've just
'rpm -Fvh'-ed all the way along, and not done a clean install).

Personally, I'm not thrilled by the idea of sticking in dontaudit rules to
quiet complaints at boot time that are caused by directories that are mislabelled.
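The situation described in this message (the mount-point directory in the parent filesystem keeps a stale label while the filesystem mounted over it looks fine in `ls -Z`, and nested mounts such as /usr/share need a further pass) can be checked without dropping to single-user mode by looking at the parent filesystem through a bind mount. The script below is an added example, not code from the post or from Fedora. It assumes each parent filesystem has been bind-mounted under a hypothetical /mnt/parent (`mount --bind / /mnt/parent/root`, `mount --bind /usr /mnt/parent/usr`, and so on), that `ls -dZ` and `chcon --reference` are available, and every /proc/mounts and `ls -Z` line embedded in it is constructed sample data.

```python
"""Find mount-point directories whose SELinux type in the parent filesystem
differs from the type on the root of the filesystem mounted over them.

Added example, not from the list post.  Assumption: every parent filesystem
is bind-mounted under BIND_BASE so its hidden directories can be read.
"""
import re
import subprocess

BIND_BASE = "/mnt/parent"   # assumption: where the parent filesystems are bind-mounted

# One `ls -dZ` line in either the old (no MLS level) or newer (":s0") format.
# File objects always carry the object_r role, which anchors the match.
LS_Z_RE = re.compile(r"(?P<ctx>\S+:object_r:\S+)\s+(?P<path>\S.*)$")

# Kernel pseudo filesystems have no on-disk mount-point directory to go stale.
PSEUDO_FS = {"proc", "sysfs", "devpts", "tmpfs", "binfmt_misc", "usbfs",
             "rpc_pipefs", "selinuxfs", "securityfs", "debugfs", "cgroup"}

# Constructed sample data standing in for /proc/mounts and `ls -dZ` output.
SAMPLE_MOUNTS = """/dev/hda2 / ext3 rw 0 0
none /proc proc rw 0 0
/dev/hda1 /boot ext3 rw 0 0
/dev/hda5 /usr ext3 rw 0 0
/dev/hda6 /usr/share ext3 rw 0 0
/dev/hda7 /var ext3 rw 0 0
"""
SAMPLE_MOUNTED = {   # `ls -dZ <mountpoint>` with the filesystem mounted
    "/boot": "drwxr-xr-x  root root system_u:object_r:boot_t         /boot",
    "/usr": "drwxr-xr-x  root root system_u:object_r:usr_t          /usr",
    "/usr/share": "drwxr-xr-x  root root system_u:object_r:usr_t          /usr/share",
    "/var": "drwxr-xr-x  root root system_u:object_r:var_t          /var",
}
SAMPLE_UNDERLYING = {   # the same directories seen through the parent's bind mount
    "/boot": "drwxr-xr-x  root root system_u:object_r:boot_t         /mnt/parent/root/boot",
    "/usr": "drwxr-xr-x  root root system_u:object_r:default_t      /mnt/parent/root/usr",
    "/usr/share": "drwxr-xr-x  root root system_u:object_r:default_t      /mnt/parent/usr/share",
    "/var": "drwxr-xr-x  root root system_u:object_r:var_t          /mnt/parent/root/var",
}


def parse_proc_mounts(text):
    """On-disk mount points from /proc/mounts content, shortest path first."""
    mounts = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] not in PSEUDO_FS:
            mounts.add(fields[1])
    return sorted(mounts, key=lambda p: (len(p), p))


def parent_mount(mountpoint, mounts):
    """Longest mount point strictly above `mountpoint`; '/' when nothing else fits."""
    best = "/"
    for m in mounts:
        if m not in ("/", mountpoint) and mountpoint.startswith(m + "/") and len(m) > len(best):
            best = m
    return best


def bind_dir(parent):
    """Directory under which the parent filesystem is assumed to be bind-mounted."""
    if parent == "/":
        return BIND_BASE + "/root"
    return BIND_BASE + "/" + parent.strip("/").replace("/", "_")


def underlying_path(mountpoint, mounts):
    """The hidden mount-point directory, reached through the parent's bind mount."""
    parent = parent_mount(mountpoint, mounts)
    rel = mountpoint if parent == "/" else mountpoint[len(parent):]
    return bind_dir(parent) + rel


def parse_ls_z(line):
    """Split one `ls -dZ` output line into (security context, path)."""
    m = LS_Z_RE.search(line)
    if not m:
        raise ValueError(f"not an ls -Z line: {line!r}")
    return m.group("ctx"), m.group("path")


def selinux_type(ctx):
    """Type field of user:role:type[:level]."""
    return ctx.split(":")[2]


def find_stale_mountpoints(mounts, mounted_ctx, underlying_ctx):
    """(mountpoint, underlying ctx, mounted-root ctx) wherever the types disagree."""
    stale = []
    for m in mounts:
        if m != "/" and m in mounted_ctx and m in underlying_ctx:
            if selinux_type(underlying_ctx[m]) != selinux_type(mounted_ctx[m]):
                stale.append((m, underlying_ctx[m], mounted_ctx[m]))
    return stale


def fix_commands(stale, mounts):
    """Copy the mounted root's context onto the hidden directory via the bind mount."""
    return [f"chcon --reference={m} {underlying_path(m, mounts)}" for m, _, _ in stale]


def label_of(path):
    """Live lookup with `ls -dZ` (needs an SELinux host; unused by the offline demo)."""
    out = subprocess.run(["ls", "-dZ", path], capture_output=True, text=True, check=True).stdout
    return parse_ls_z(out.strip())[0]


def demo():
    """Run the check over the constructed sample data."""
    mounts = parse_proc_mounts(SAMPLE_MOUNTS)
    mounted = {m: parse_ls_z(line)[0] for m, line in SAMPLE_MOUNTED.items()}
    underlying = {m: parse_ls_z(line)[0] for m, line in SAMPLE_UNDERLYING.items()}
    stale = find_stale_mountpoints(mounts, mounted, underlying)
    return stale, fix_commands(stale, mounts)


if __name__ == "__main__":
    for m, under, top in demo()[0]:
        print(f"{m}: underlying directory is {under}, mounted root is {top}")
    print("\n".join(demo()[1]))
```

For a live run, replace the two sample dictionaries with `{m: label_of(m) for m in mounts}` and `{m: label_of(underlying_path(m, mounts)) for m in mounts}` after setting up the bind mounts; the nested /usr/share case is handled because `parent_mount` picks the longest enclosing mount, which is exactly the extra pass the message describes.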
