I'm having some problems with some of my filesystem labeling. I'm running FC3 with the latest SELinux updates (but not rawhide).
When I run #make relabel, /home gets labeled as default_t. However, when I run #/sbin/restorecon /home, /home gets labeled as home_root_t. This confuses me, since according to the O'Reilly book both commands refer to /src/policy/file_contexts/file_contexts. Where else might /sbin/restorecon be getting its information from?
Furthermore, I notice that /src/policy/file_contexts/file_contexts does not contain the string home_root_t. I suppose that home_root_t comes from the homedir_template file during the Make process, but then why doesn't #make relabel correctly label /home?
I also notice that my context/files/file_contexts file is stale. Doing #make relabel or #make reload doesn't update it. Does this file ever get referenced anyway, since all the relabeling utilities seem to use /src/policy/file_contexts/file_contexts instead? If it does get used, who uses it? And how can I be sure it gets updated to match src/policy/file_contexts/file_contexts?
Any help in demystifying the file labeling procedure is appreciated!
Thanks,
Stephen Brueckner, ATC-NY
On Mon, 2005-06-27 at 12:00 -0400, Steve Brueckner wrote:
> When I run #make relabel, /home gets labeled as default_t. However, when I run #/sbin/restorecon /home, /home gets labeled as home_root_t. This confuses me, since according to the O'Reilly book both commands refer to /src/policy/file_contexts/file_contexts. Where else might /sbin/restorecon be getting its information from?
restorecon doesn't rely on having policy sources (selinux-policy-targeted-sources) installed. It uses the installed file_contexts configuration created by the policy (selinux-policy-targeted) package. That lives under /etc/selinux/targeted/contexts/files.
make relabel is run from the policy sources directory, and thus works from the policy sources. But fixfiles and restorecon are what you would typically use on a production system, and they operate on the installed file. A make install in the policy sources directory should overwrite the installed file with the one built from the sources directory, but it sounds like you shouldn't do that at present, as it sounds as though there is something wrong with your policy sources (or possibly the associated build tools, e.g. genhomedircon from policycoreutils).
> I also notice that my context/files/file_contexts file is stale. Doing #make relabel or #make reload doesn't update it. Does this file ever get referenced anyway, since all the relabeling utilities seem to use /src/policy/file_contexts/file_contexts instead? If it does get used, who uses it? And how can I be sure it gets updated to match src/policy/file_contexts/file_contexts?
SELinux utilities don't rely on having the policy sources available, as you likely don't want them on production systems. make relabel is really only for developers, and hardly used at all anymore (it predates having fixfiles and restorecon).
> When I run #make relabel, /home gets labeled as default_t. However, when I run #/sbin/restorecon /home, /home gets labeled as home_root_t. This confuses me, since according to the O'Reilly book both commands refer to /src/policy/file_contexts/file_contexts. Where else might /sbin/restorecon be getting its information from?
Not sure, but I thought make relabel skipped /home entirely.
> Furthermore, I notice that /src/policy/file_contexts/file_contexts does not contain the string home_root_t. I suppose that home_root_t comes from the homedir_template file during the Make process, but then why doesn't #make relabel correctly label /home?
That sounds like a bug, but I'm not seeing the same thing on rawhide. Then again, I run strict policy.
home_root_t goes into file_contexts.homedirs (and that gets created from the template)
> I also notice that my context/files/file_contexts file is stale. Doing #make relabel or #make reload doesn't update it.
I think that was fixed in rawhide. Try make install?
> Does this file ever get referenced anyway, since all the relabeling utilities seem to use /src/policy/file_contexts/file_contexts instead?
They do? Nothing should be using that file, except things involved in installing the policy sources.
> If it does get used, who uses it? And how can I be sure it gets updated to match src/policy/file_contexts/file_contexts?
make load *should* be sufficient, but you might be seeing a bug - try make install.
> Any help in demystifying the file labeling procedure is appreciated!
Hopefully others on this list can help you more, but basically, everything should be using contexts/files/file_contexts, and the file_contexts.homedirs. Nothing should be using the src file - that's strictly policy sources.
selinux@lists.fedoraproject.org
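An added illustration, not part of the thread and not libselinux code: a minimal Python model of a file_contexts lookup, showing how /home resolves with and without the file_contexts.homedirs entries the replies mention. The sample entries are constructed, and the matching rule used here (whole-path regex match, optional file-type flag, later-loaded entries taking precedence, homedirs loaded after the base file) is a simplified assumption about the real lookup.

```python
import re

# Constructed sample entries, not copied from a real policy package.
BASE_FILE_CONTEXTS = """\
# base file_contexts (sample)
/.*              system_u:object_r:default_t
/etc(/.*)?       system_u:object_r:etc_t
/bin(/.*)?       system_u:object_r:bin_t
"""

# Constructed sample of what a generated file_contexts.homedirs could hold.
HOMEDIRS = """\
/home/[^/]+/.+        user_u:object_r:user_home_t
/home/[^/]+      -d   user_u:object_r:user_home_dir_t
/home            -d   system_u:object_r:home_root_t
"""


def parse(text):
    """Parse 'regex [-type] context' lines into (regex, type_flag, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) == 2:
            pattern, context = fields
            ftype = None  # no flag: entry applies to any file type
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile(pattern), ftype, context))
    return specs


def lookup(path, ftype, *sources):
    """Return the context for path; ftype is '-d' (dir) or '--' (regular file).

    Sources are concatenated in load order and searched from the end,
    so an entry loaded later overrides an earlier, more general one.
    """
    specs = [spec for text in sources for spec in parse(text)]
    for regex, want, context in reversed(specs):
        if (want is None or want == ftype) and regex.fullmatch(path):
            return context
    return None
```

On a live system, the files to compare are the installed file_contexts and file_contexts.homedirs under /etc/selinux/targeted/contexts/files, the directory named in the first reply.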