12:35 p.m.
restorecon doesn't rely on having policy sources
(selinux-policy-targeted-sources) installed. It uses the installed
file_contexts configuration created by the policy
(selinux-policy-targeted) package. That lives
under /etc/selinux/targeted/contexts/files.
Aha, I think the O'Reilly book is just out of date. Not surprising
considering the moving target that is SELinux.
SELinux utilities don't rely on having the policy sources
available,
as you likely don't want them on production systems. make relabel is
really only for developers, and hardly used at all anymore (it
predates having fixfiles and restorecon).
Actually I am developing here. My problem is that I have a huge chroot
directory (basically a full duplicate of the whole system) and I want to get
everything in there labeled as if it was outside chroot. To do this I
duplicated file_contexts/types.fc and used sed to prepend the chroot
directory to every line. It seems to work pretty well, but I'm still having
trouble getting the user home directories inside chroot labeled properly.
The homedirs macros and files are apparently throwing me.
I'd appreciate any suggestions on a better way to label the chroot
filesystem. And any ideas on how to get those chrooted homedirs labeled
correctly.
Stephen Brueckner, ATC-NY
12:58 p.m.
New subject: the labeling procedure
On Mon, 2005-06-27 at 13:35 -0400, Steve Brueckner wrote:
Actually I am developing here. My problem is that I have a huge
chroot
directory (basically a full duplicate of the whole system) and I want to get
everything in there labeled as if it was outside chroot. To do this I
duplicated file_contexts/types.fc and used sed to prepend the chroot
directory to every line. It seems to work pretty well, but I'm still having
trouble getting the user home directories inside chroot labeled properly.
The homedirs macros and files are apparently throwing me.
I'd appreciate any suggestions on a better way to label the chroot
filesystem. And any ideas on how to get those chrooted homedirs labeled
correctly.
If you want to apply the same contexts, you can use setfiles -r.
But note that there can be an advantage to using separate types on the
chroot'd environment, and then not allowing any access by that process'
domain to the base types used on the real filesystem.
Any chance you can update to FC4?
--
Stephen Smalley
National Security Agency
7:30 p.m.
New subject: the labeling procedure
On Mon, 2005-06-27 at 13:35 -0400, Steve Brueckner wrote:
Aha, I think the O'Reilly book is just out of date. Not
surprising
considering the moving target that is SELinux.
Unfortunately it was somewhat out of date when it was published. It is
based on FC2, which has a different architecture than FC3/FC4.
For FC3, the Red Hat SELinux Guide[1] is a fairly good reference choice.
Note that it matches FC3 as released, not with updates, so there is a
difference for FC3 current.
There is going to be another correlation between FC releases and the
RHEL documentation on SELinux, whenever that occurs. :)
- Karsten
[1] http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
5755
days inactive
5767
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
Karsten Wade -
Stephen Smalley -
Steve Brueckner