SELinux on upgraded machines

Mike Cloaked mike.cloaked at gmail.com
Fri Dec 12 15:15:51 UTC 2008
Chuck Anderson-7 wrote:
>> technique... but it depends what else is stored on the original /opt
>> partition apart from /opt/Local/other_stuff and /opt/otherstuff !
>
> Why?  Bind mounts only graft the subtree to the new location.  The
> other stuff in /opt is untouched (and the original /opt/Local/home is
> still there too).  If you want to make non-standard stuff in /opt
> work, then you will need to write policy or at least file label rules
> with "semanage fcontext".

Exactly. As an example, I happen to use CrossOver to run the "other" office
applications, and this sits in /opt/cxoffice. In order to make this work
without AVC denials I had to use semanage fcontext to add a context of
textrel_shlib_t for that directory and its subdirectories to stop particular
denials.

I guess that installing from scratch in the same area would create correct
contexts (maybe?), but that is 3rd-party software so it may not follow Fedora
targeted policy?

Mostly, of course, packages are likely to come from either Fedora repos or
related repos such as RPMFusion, but some people will install other packages
and expect them to work also, e.g. video packages or other things that are
installed from tarballs, or compiled. I guess if people find bugs they can
post upstream and hope that problems are resolved there in that kind of
situation, or is that naive?

Another instance I had was to put mail spool files that I keep from local
IMAP in /opt/Local/spool/mail and bind mount it to /var/spool/mail; again
the contexts had to be changed to mail_spool_t, but I doubt that a
restorecon on the raw /opt partition would set the contexts automatically
before they are bind mounted onto the root partition area.

Either way, as you say, if you know what you are doing then you can indeed
work with it. One interesting statistic might be to know what percentage of
Fedora systems are currently running with SELinux enabled?

I wonder if this information could be found?
-- 
View this message in context: http://www.nabble.com/SElinux-on-upgraded-machines-tp20973024p20977613.html
Sent from the Fedora Test List mailing list archive at Nabble.com.
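As an added example, not part of the original post: a small POSIX shell audit that reads `ls -Z`-style output for a bind-mounted tree such as /opt/cxoffice and reports files whose SELinux type differs from the one the semanage fcontext rule is supposed to give them. The sample `ls -Z` lines are constructed; the directory and the textrel_shlib_t type mirror the example in the message above.

```shell
#!/bin/sh
# Added example (not from the thread): audit labels under a bind-mounted
# directory and list files whose type does not match the expected one.
# SAMPLE_LS_Z is constructed "context path" output in the shape of `ls -Z`.
SAMPLE_LS_Z='system_u:object_r:textrel_shlib_t:s0 /opt/cxoffice/lib/libwine.so
system_u:object_r:usr_t:s0 /opt/cxoffice/lib/libfoo.so
system_u:object_r:textrel_shlib_t:s0 /opt/cxoffice/bin/wine
unconfined_u:object_r:file_t:s0 /opt/cxoffice/lib/libbar.so'

# Extract the type field (third colon-separated component) of a context,
# e.g. system_u:object_r:mail_spool_t:s0 -> mail_spool_t.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin and print each path whose type is
# not $1.  Returns 0 if every file carries the expected type, 1 otherwise.
find_mislabelled() {
  expected="$1"
  rc=0
  while read -r ctx path; do
    [ -z "$ctx" ] && continue
    t=$(context_type "$ctx")
    if [ "$t" != "$expected" ]; then
      printf '%s has %s, expected %s\n' "$path" "$t" "$expected"
      rc=1
    fi
  done
  return $rc
}

# Number of mislabelled entries in the sample for the expected type $1.
count_mislabelled() {
  printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled "$1" | wc -l | tr -d ' '
}

# On a real system the repair described in the thread would be:
#   semanage fcontext -a -t textrel_shlib_t '/opt/cxoffice(/.*)?'
#   restorecon -Rv /opt/cxoffice
# fcontext rules match by pathname, so restorecon must be run on the path
# where the files are actually visible, i.e. the bind-mounted location.
```

Feed it real data with `ls -RZ --format=single-column` style output reshaped to "context path" pairs, or adapt the `read` to the column order your coreutils prints.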