SElinux on upgraded machines

Chuck Anderson cra at WPI.EDU
Fri Dec 12 14:59:00 UTC 2008


On Fri, Dec 12, 2008 at 06:36:42AM -0800, Mike Cloaked wrote:
> Chuck Anderson-7 wrote:
> > No, this would be bad.  Fresh installs of F9 or F10 work just fine 
> > with SELinux enabled as a desktop system, as long as you don't try to 
> > integrate older filesystems or NFS as the OP stated.  Even /home 
> > migrates cleanly with just a simple restorecon -R /home in most cases.
> 
> In my case I have a separate /opt partition containing a /home directory
> which is not touched during installs.
> In this case I have to link in /opt/Local/home on the /opt partition to
> /home on the root partition to get the user areas onto the new system.

Bind mounts are preferred:

mount --bind /opt/Local/home /home 

You can add this to /etc/fstab.  It goes something like this, but I 
might have the exact syntax wrong:

/opt/Local/home	/home	bind

> In the old days moving /home out of the way and symlinking /opt/Local/home
> to /home was all that was necessary to get back running for the users (apart
> from restoring the user lines in /etc/passwd and related files).  With
> SElinux enabled this does not work as far as I can tell, and it is necessary
> to bind mount /home to /opt/Local/home - but I am not sure if then a
> restorecon will fix everything up?  I then had to go carefully through all

Yes, once bind mounted, it acts exactly like it is mounted on /home.

> the directories to check contexts were right, and I do now have two F9
> machines and two F10 machines running with SElinux enabled using this
> technique... but it depends what else is stored on the original /opt
> partition apart from /opt/Local/other_stuff and /opt/otherstuff !

Why?  Bind mounts only graft the subtree to the new location.  The 
other stuff in /opt is untouched (and the original /opt/Local/home is 
still there too).  If you want to make non-standard stuff in /opt 
work, then you will need to write policy or at least file label rules 
with "semanage fcontext".

> I expect that the amount of work over the years in getting programs and data
> stored in such partitions is huge and many old hands will only contemplate
> transitioning to SElinux if that pain is minimised.  I made a conscious
> decision to go that route and it did add a lot of hours but I am now much
> happier that I now have SElinux enabled machines - but it is certainly a
> learning curve. 

Agreed.  It is easiest to stick with standard stuff, Fedora-maintained 
packages installed in correct FHS-locations, etc.  Then you can 
benefit from the work others have done, instead of having to 
roll-your-own all the time and struggle to keep up with system 
changes.  That's the point of a distribution, isn't it?
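As an added example (not part of the original thread or Fedora's own tooling), the bind-mount procedure discussed above as a small POSIX shell script: it writes the complete six-field fstab record (the original post notes it may have the syntax wrong; the exact form is source, mount point, fstype `none`, option `bind`, dump `0`, pass `0`), checks whether /etc/fstab already carries such an entry before appending a duplicate, mounts the subtree, and runs `restorecon -R` through the mount point so the files pick up /home's labels. The paths are the ones from the thread; the `FSTAB` and `DRY_RUN` variables and the `--run` switch are this script's own assumptions. It defaults to a dry run that only prints the privileged commands, so it can be read and tested without root:

```shell
#!/bin/sh
# Added example: bind-mount a relocated /home and relabel it under SELinux.
# Assumed knobs: SRC/DST (from the thread), FSTAB (where to persist the
# mount) and DRY_RUN (1 = only print privileged commands, 0 = execute them).
SRC="${SRC:-/opt/Local/home}"
DST="${DST:-/home}"
FSTAB="${FSTAB:-/etc/fstab}"
DRY_RUN="${DRY_RUN:-1}"

# Emit a complete fstab record for a bind mount. All six fields are given:
# source, target, fstype "none", option "bind", dump 0, fsck pass 0.
fstab_bind_line() {
    printf '%s\t%s\tnone\tbind\t0\t0\n' "$1" "$2"
}

# Return 0 when FILE ($3) already binds SRC ($1) onto DST ($2).
# Comment lines are skipped and any whitespace between fields is accepted;
# "bind" may appear alone or among other comma-separated options.
fstab_has_bind() {
    awk -v src="$1" -v dst="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == src && $2 == dst && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$3"
}

# Execute a command, or only show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# The whole procedure: persist the mount, activate it, then relabel through
# the mount point. Because the subtree is grafted onto /home, restorecon
# applies the /home rules from the standard policy; nothing in /opt itself
# is touched, and no custom fcontext rule is needed for the home directories.
# (If one kept a symlink instead of the bind mount, the usual fix would be an
# equivalence rule, e.g. "semanage fcontext -a -e /home /opt/Local/home",
# followed by "restorecon -R /opt/Local/home".)
bind_home() {
    if fstab_has_bind "$SRC" "$DST" "$FSTAB"; then
        echo "$FSTAB already binds $SRC on $DST"
    elif [ "$DRY_RUN" = 1 ]; then
        printf '+ append to %s: ' "$FSTAB"
        fstab_bind_line "$SRC" "$DST"
    else
        fstab_bind_line "$SRC" "$DST" >> "$FSTAB"
    fi
    run mount --bind "$SRC" "$DST"
    run restorecon -R -v "$DST"
    # Show the context policy expects for the mount point, for comparison
    # with "ls -Zd" afterwards.
    run matchpathcon "$DST"
}

# Only perform the procedure when explicitly asked; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then
    bind_home
fi
```

Run it as `sh bind_home.sh --run` to see the commands it would issue, and `DRY_RUN=0 sh bind_home.sh --run` as root to apply them; the fstab check makes it safe to re-run after a reboot without stacking duplicate entries.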
