.autorelabel on mounted filesystems
by Dan Thurman
I have several versions of root distro partitions which I
mount via fstab, but of course only one / and /boot partition
is to be defined for the version to be booted.

What I would like to know is, if I do an /.autorelabel
for one boot/root partition, does this mean that every
mounted filesystem that appears in /etc/fstab also gets
relabeled? If so, this is not what I want, especially if
other root distro partitions are being mounted, for example,
say: /md/{distro1, distro2, ...}

So, how do I get around this? I could comment out
all entries in /etc/fstab except / and /boot (plus the
required entries), touch /.autorelabel, reboot, and once
relabeling is completed, add back in the commented
out fstab entries, then issue a mount -a. Could I add an option
entry, say: NO_RELABEL, to certain fstab entries?

Since I was introduced to /media with F9, I never could
figure out how to add mounted "media" filesystems, which
is why I added them instead to fstab.

How do I solve this issue?
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
13 years, 7 months
Re: wine preloader? being denied by selinux
by Dominick Grift
On Wed, Sep 01, 2010 at 08:36:22PM -0400, Genes MailLists wrote:
> On 09/01/2010 07:24 PM, Dominick Grift wrote:
> > On Wed, Sep 01, 2010 at 03:49:14PM -0700, Antonio Olivares wrote:
>
> ..
>
> >>
> >> Fix Command:
> >>
> >> /usr/sbin/setsebool -P mmap_low_allowed 1
> >>
> >
> > There is a boolean that one can toggle to silently deny this access vector:
> >
> > setsebool -P wine_mmap_zero_ignore on
> >
> > Again, this will not allow wine to mmap low (which is a dangerous ability), but instead it will hide attempts by wine to do so.
>
>
> It would feel a lot less worrisome if the prev bool was restricted to
> wine only in case of need:
>
> setsebool -P wine_mmap_low_allowed 1
>
> instead of mmap_low_allowed
It is not like every process is allowed to mmap low when mmap_low_allowed is set to true.

Only a few domains are tagged to be allowed this access:

vbetool
wine
unconfined domains

As for unconfined domains: it makes sense that these domains have "unconfined" access. You can remove the unconfined module though. That would turn the unconfined domains into confined domains, and thus, if you do that, only vbetool and wine will be allowed to mmap low if you set mmap_low_allowed to true.
>
> gene/
13 years, 7 months