On 7 May 2013, at 02:04, yersinia wrote:
> Restorecond perhaps can help here
> best
> 2013/5/6, Manuel Wolfshant <wolfy(a)nobugconsulting.ro>:
>> On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
>>>
>>> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>>>
>>>> We should bring this up for discussion on the mail list, but I guess
>>>> until we get labeling NFS we can not do anything about it. The server
>>>> does not know what the label of the client process is running with.
>>>
>>> The server does the right thing some of the time. In the same home
>>> directory, I'll see some files with "unconfined_u" and others with
>>> "system_u".
>>>
>>> I suppose until y'all figure this out, I'll set up a cron job to run
>>> "restorecon -FR /srv" on the file server every night.
>> As an alternative workaround you could rely on inotify to trigger a
>> relabel each time a file is created
My understanding is that inotify is not itself recursive, although
"inotifywait -r" will recursively create inotify watches on up to
8192 subdirectories.
My NFS-mounted home directories are in a tree with over 2,400
subdirectories. So inotifywait should work but will probably take
considerable resources.
From the man page, I assume that restorecond will use inotify to
watch files listed in /etc/selinux/restorecond.conf. Is restorecond
recursive like inotifywait? Will adding "/srv/exports/*" to
restorecond.conf cause restorecond to recursively watch all 2,400+
subdirectories?
Thanks for all the great workaround ideas.
--
Mike
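An added example (not part of the thread, and not from any of its participants) of how the nightly "restorecon -FR /srv" workaround can be audited before it runs: a dry run's output is parsed so the cron job logs how many files drifted only in the SELinux user field (the unconfined_u vs system_u case above) versus how many would get a different type. The /srv/exports path comes from the thread; the assumption that "restorecon -nvFR" prints one line per file in one of the two forms shown, and the sample output itself, are constructed here so the script runs offline.

```shell
#!/bin/sh
# Audit helper for the nightly relabel of an NFS export (added example).
# Assumed dry-run line forms (newer and older policycoreutils):
#   Would relabel <path> from <old_ctx> to <new_ctx>
#   restorecon reset <path> context <old_ctx>-><new_ctx>
# Paths containing spaces would break the field-based parsing below.

# Constructed sample of "restorecon -nvFR /srv/exports" output.
SAMPLE_DRYRUN='Would relabel /srv/exports/home/mike/notes.txt from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:user_home_t:s0
restorecon reset /srv/exports/home/mike/.bashrc context unconfined_u:object_r:user_home_t:s0->system_u:object_r:user_home_t:s0
Would relabel /srv/exports/home/mike/bin/tool from system_u:object_r:user_home_t:s0 to system_u:object_r:bin_t:s0
restorecon:  Warning no default label for /srv/exports/scratch/x'

# normalize_dryrun: stdin -> "path old_ctx new_ctx", one line per candidate.
normalize_dryrun() {
    awk '
        /^Would relabel /    { print $3, $5, $7; next }
        /^restorecon reset / { split($5, c, "->"); print $3, c[1], c[2] }
    '
}

# relabel_count: total number of files the relabel would touch.
relabel_count() {
    normalize_dryrun | awk 'END { print NR }'
}

# user_only_changes: files where only the SELinux user differs (role and
# type unchanged), i.e. the harmless unconfined_u -> system_u drift.
user_only_changes() {
    normalize_dryrun | awk '
        { split($2, o, ":"); split($3, n, ":")
          if (o[1] != n[1] && o[2] == n[2] && o[3] == n[3]) u++ }
        END { print u + 0 }
    '
}

# type_changes: files whose type would change; worth a look before the
# blanket relabel, since a type change alters what the policy allows.
type_changes() {
    normalize_dryrun | awk '
        { split($2, o, ":"); split($3, n, ":"); if (o[3] != n[3]) t++ }
        END { print t + 0 }
    '
}

# Stand-alone demonstration on the constructed sample.
printf 'total=%s user_only=%s type=%s\n' \
    "$(printf '%s\n' "$SAMPLE_DRYRUN" | relabel_count)" \
    "$(printf '%s\n' "$SAMPLE_DRYRUN" | user_only_changes)" \
    "$(printf '%s\n' "$SAMPLE_DRYRUN" | type_changes)"
```

In the cron job, replace the sample with `restorecon -nvFR /srv/exports` piped into these functions and send the counts to `logger` before the real `restorecon -FR` runs.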