-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/05/2010 02:20 PM, Paul Howarth wrote:
On Thu, 02 Sep 2010 10:40:05 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/27/2010 04:14 AM, Paul Howarth wrote:
>> On 27/08/10 07:12, Daniel B. Thurman wrote:
>>>
>>> I have several versions of root distro partitions of which I do
>>> mount via fstab, but of course only one / and /boot partition
>>> is to be defined for the version to be booted.
>>>
>>> What I would like to know is, if I do an /.autorelabel,
>>> for one boot/root partition, does this mean that every
>>> mounted filesystem that appears in /etc/fstab also gets
>>> relabeled? If so, this is not what I want especially if
>>> other root distro partitions are being mounted for example,
>>> say: /md/{distro1, distro2, ...}
>>>
>>> So, How do I get around this? I could comment out
>>> all entries in /etc/fstab except / and /boot (plus the
>>> required entries), touch /.autorelabel, reboot, and once
>>> relabeling is completed, then add back in the commented
>>> out fstab entries, then issue a mount -a. Could I add an option
>>> entry say: NO_RELABEL to certain fstab entries?
>>>
>>> Since I was introduced to the /media since F9, I never could
>>> figure out how to add mounted "media" filesystems, which
>>> is why I added them instead to fstab.
>>>
>>> How do I solve this issue?
>>
>> I create a local policy module for this sort of thing, with a file
>> contexts entry like this:
>>
>> # Don't touch stuff here
>> /srv/homes(/.*)? <<none>>
>>
>> So you could have:
>> ::::::::::::::
>> otherdistros.fc
>> ::::::::::::::
>> /md/distro1(/.*)? <<none>>
>> /md/distro2(/.*)? <<none>>
>>
>> ::::::::::::::
>> otherdistros.te
>> ::::::::::::::
>> policy_module(otherdistros, 0.0.1)
>>
>> Building and installing that module should do the trick.
>>
>> Paul.
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> I have blogged on this.
>
>
> http://danwalsh.livejournal.com/38157.html
I used to use semanage for this but I find using local policy modules
better for maintainability - it's easier to add, remove, and change
multiple default contexts in one go and it's easy to see what I have
that's different from the stock policy.
Paul.
Good point. I wanted to point to different ways of doing the same
thing. What I have not experimented with is, does restorecon stop as
soon as it hits a <<none>> matchpathcon?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyGU9cACgkQrlYvE4MpobOLqgCfbJbaBdTFNtZZ4vdqTrVTf3bI
hj0AoI6bkGRcz5VuIaL1UHzd0ZrT5SdQ
=pMr2
-----END PGP SIGNATURE-----
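The module Paul describes above, generated, built and installed, plus an offline check of which paths its <<none>> entries cover, as an added example that is not code from the thread or from any of its authors. It assumes Fedora's policy devel Makefile at /usr/share/selinux/devel/Makefile, the trees /md/distro1 and /md/distro2 from the original question, and the stock semodule, matchpathcon, restorecon and semanage tools; fc_excludes is a simplified stand-in for the real matcher (first <<none>> regex wins, where libselinux picks the most specific stem).

```shell
#!/bin/sh
# Added example, not code from the thread: generate, build and install the
# "otherdistros" local policy module, and check offline which paths its
# <<none>> entries cover. Assumes Fedora's policy devel Makefile and the
# trees /md/distro1 and /md/distro2 from the question; run as root with the
# argument "install" on the target host.
set -eu

MODULE=otherdistros
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # assumed location

# Emit the .fc file: one <<none>> entry per tree that relabels must skip.
gen_fc() {
    for dir in "$@"; do
        printf '%s(/.*)?\t<<none>>\n' "$dir"
    done
}

# Emit the minimal .te file: only the module declaration, no rules.
gen_te() {
    printf 'policy_module(%s, 0.0.1)\n' "$MODULE"
}

# Offline check: read .fc lines on stdin and exit 0 if PATH is matched by one
# of the <<none>> regexes, using the anchored whole-path match the
# file-context matcher applies. Simplified: the first <<none>> match wins
# here, whereas libselinux picks the most specific stem.
fc_excludes() {
    path=$1
    while read -r re ctx; do
        [ "$ctx" = '<<none>>' ] || continue
        if printf '%s\n' "$path" | grep -Eq "^$re\$"; then
            return 0
        fi
    done
    return 1
}

# Build the .pp from the generated sources and load it. semodule -i merges
# the .fc entries into the active file_contexts, which both restorecon and
# the boot-time /.autorelabel pass consult. The dry-run restorecon over an
# excluded tree should then list nothing to relabel there.
install_module() {
    work=$(mktemp -d)
    gen_fc /md/distro1 /md/distro2 > "$work/$MODULE.fc"
    gen_te > "$work/$MODULE.te"
    (cd "$work" && make -f "$DEVEL_MAKEFILE" "$MODULE.pp")
    semodule -i "$work/$MODULE.pp"
    matchpathcon /md/distro1/etc/passwd || true   # how the policy now labels it
    restorecon -nv -R /md/distro1
}

# Per-entry alternative (the semanage route Paul mentions moving away from):
# the same exclusion written to file_contexts.local instead of a module.
exclude_with_semanage() {
    semanage fcontext -a -t '<<none>>' "$1(/.*)?"
}

case "${1:-}" in
    install) install_module ;;
    *)       gen_fc /md/distro1 /md/distro2 ;;   # preview the .fc lines
esac
```

Without arguments the script only prints the .fc lines it would build from; `install` does the build, load and dry run. Note that the regex is anchored, so `/md/distro1(/.*)?` covers `/md/distro1` and everything beneath it but not a sibling such as `/md/distro10`.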