You might want to check out the semanage --equiv option. (man semanage)
That basically allows you to alias existing file context structures:
here's an example from man semanage:
For home directories under a top level directory, for example /disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
So in your case you might want to make /data equivalent to /, or:
semanage fcontext -a -e / /data
restorecon -R -v -F /data
That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t
just as if it was your main file system.
On Tue, 2012-08-14 at 17:04 -0400, Edward Harvey wrote:
I'm managing an Amazon virtual machine, with 8G / partition, and
larger secondary storage device attached. I enabled selinux, and I'm
trying to make things work (and keep things secure) while migrating
some things such as the ldap & mysql directories to the second device.
As far as I know, simply extending the / partition isn't an option
(not LVM) ... Conceivably I could just make a clone larger machine,
but there are a lot of advantages to having the separate storage
device... which can be LVM, and prevents the / filesystem from getting
filled up, and can be detached/reattached to other machines, etc etc.
So I'm trying like heck to keep the second storage device separate.
Here's the problem:
I mount /data, and now I've got to move & preserve things like
the /var/lib/mysql directory to a subdir of /data, while preserving
selinux types and everything. I started out by simply mimicking the /
sudo mount /data
sudo mkdir -p /data/var/lib
sudo chown --reference=/ /data
sudo chcon --reference=/ /data
sudo chmod --reference=/ /data
sudo chown --reference=/var /data/var
sudo chcon --reference=/var /data/var
sudo chmod --reference=/var /data/var
sudo chown --reference=/var/lib /data/var/lib
sudo chcon --reference=/var/lib /data/var/lib
sudo chmod --reference=/var/lib /data/var/lib
cd /var/lib ; sudo tar cpf - --selinux mysql |
(cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -
I understand that chcon is not persistent...
And after all the above was done, I meticulously examined all the
contexts of all those directories and confirmed they do match the
Unfortunately, as soon as I start mysqld, the context
of /data/var/lib/mysql gets reset. I don't know how or why that is
happening, but I presume it's because I haven't set the fcontext.
I want to write a script that walks through the whole /var/lib/mysql
directory, and creates matching fcontexts for /data/var/lib/mysql.
Better yet ... I would like to create fcontext applied to /data which
is a complete replica of /
Here is where I'm getting stuck. I can do "semanage fcontext -l" and
I see all the information, but it's not in a format that's suitable to
modify and feed back into semanage. I can do "semanage -o -" but it
only says "fcontext -D" which is not helpful.
I can't seem to find any combination of commands that will allow me to
get all the fcontexts of / (or a relatively large subdir of /) and
modify them with the /data prefix to feed back into semanage.
selinux mailing list
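Added example (not from either message in this thread): a small Python model of what `-e / /data` does to a path before the file_contexts regexes are tried, next to the "rewrite every rule with a /data prefix" approach the original poster was trying to script from `semanage fcontext -l` output. The `-l` sample below is constructed, not captured from a host, and the single-letter `-f` values assume a current policycoreutils.

```python
import re

# Constructed sample of `semanage fcontext -l` output (not captured from a real host).
# Entries appear in file_contexts order: generic rules first, more specific ones later.
SAMPLE_FCONTEXT_LIST = r"""
SELinux fcontext                     type               Context
/.*                                  all files          system_u:object_r:default_t:s0
/                                    directory          system_u:object_r:root_t:s0
/var(/.*)?                           all files          system_u:object_r:var_t:s0
/var/lib(/.*)?                       all files          system_u:object_r:var_lib_t:s0
/var/lib/mysql(/.*)?                 all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock           socket             system_u:object_r:mysqld_var_run_t:s0
"""

# `-l` spells file types out; current `semanage fcontext -f` takes these single letters
# (assumption: older policycoreutils releases spell the -f values differently).
FTYPE_FLAG = {"all files": "a", "regular file": "f", "directory": "d", "character device": "c",
              "block device": "b", "socket": "s", "symbolic link": "l", "named pipe": "p"}
LINE_RE = re.compile(r"^(\S+)\s+(" + "|".join(map(re.escape, FTYPE_FLAG)) + r")\s+(\S+)$")

def parse_fcontext_list(text):
    """Turn `semanage fcontext -l` output into (regex, ftype_flag, context); the header never matches."""
    return [(m.group(1), FTYPE_FLAG[m.group(2)], m.group(3))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def lookup_type(entries, path, equiv=None):
    """Type a path would be labelled with. equiv=(target, alias) mimics `-e target alias`:
    the alias prefix is rewritten to target before any regex is tried. As in libselinux the
    last matching entry wins; file-type filtering is ignored here for brevity."""
    if equiv:
        target, alias = equiv
        if path == alias or path.startswith(alias + "/"):
            path = (target.rstrip("/") + path[len(alias):]) or "/"
    ctx = None
    for regex, _flag, candidate in entries:
        if re.fullmatch(regex, path):
            ctx = candidate
    return ctx.split(":")[2] if ctx else None  # user:role:type:level -> keep the type

def prefixed_rules(entries, subtree, prefix):
    """The poster's plan B: replicate each rule below `subtree` as an explicit rule under `prefix`."""
    cmds = []
    for regex, flag, ctx in entries:
        under = regex == subtree or regex.startswith((subtree + "/", subtree + "("))
        if ctx == "<<None>>" or not under:
            continue
        cmds.append(f"semanage fcontext -a -f {flag} -t {ctx.split(':')[2]} '{prefix}{regex}'")
    return cmds

if __name__ == "__main__":
    entries = parse_fcontext_list(SAMPLE_FCONTEXT_LIST)
    print(lookup_type(entries, "/data/var/lib/mysql/ibdata1"))                        # default_t
    print(lookup_type(entries, "/data/var/lib/mysql/ibdata1", equiv=("/", "/data")))  # mysqld_db_t
    print("\n".join(prefixed_rules(entries, "/var/lib/mysql", "/data")))
```

Without the equivalence only the catch-all `/.*` rule reaches anything under /data, which is why restorecon keeps resetting the copied directories; with it, the same regexes that label /var/lib/mysql apply unchanged.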