selinux: rhel5 x fedora 14

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 13 13:14:46 UTC 2011


On Wed, 2011-01-12 at 21:03 +0000, Paul Howarth wrote:
> On Wed, 12 Jan 2011 13:02:21 -0500
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> > On 01/12/2011 06:29 AM, Paulo Cavalcanti wrote:
> > > Hi,
> > > 
> > > I have two HDs on my computer: one with rhel5 5.5 and the other with
> > > fedora 14.
> > > Both systems share some directories located in a common /home,
> > > mainly used by the httpd process.
> > > 
> > > The problem is that selinux in fedora 14 uses "unrestricted_u" by
> > > default for all users, which rhel5 does not understand,
> > > and any file labeled that way is treated as "unlabeled_t" in rhel5.
> > > 
> > > I tried to relabel all files in Fedora 14 using "chcon -R -u user_u
> > > -t user_home_t", for instance,
> > > but every new file is still created as "unrestricted_u".
> > > 
> > > I know very little about selinux, and I would like to know how to
> > > force all files in F14 to be user_u,
> > > but keeping the user owning those files, unrestricted.
> > > 
> > > Is that possible? Is there a better solution for not having tons of
> > > denials in rhel5?
> > > 
> > > Thanks.
> > > 
> > > -- 
> > > Paulo Roma Cavalcanti
> > > LCG - UFRJ
> > > 
> > One solution would be to mount with a context on one of the platforms.
> > 
> > On RHEL5 mount the users' homedir with a context of nfs_t, and set the
> > boolean to say allow nfs homedirs
> > 
> > 
> > mount -o context="system_u:object_r:nfs_t:s0" /dev/ABC /home
> > setsebool -P use_nfs_home_dirs 1
> 
> What happens with newly-created files whilst booted in RHEL-5 in this
> case? What will Fedora 14 see them as?

Not sure what the RHEL-5 kernel does; in modern kernels, it won't set a
context on disk when creating new files in a filesystem mounted with
context= and thus they will show up as unlabeled if mounted without a
context= mount option in Fedora-14.  You could mount it with a context=
option in both, or run restorecon on it when booting Fedora-14.

-- 
Stephen Smalley
National Security Agency
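The two replies above amount to a procedure: mount the shared filesystem with context= on one or both systems (and flip use_nfs_home_dirs on RHEL5), and be aware that files created under a context= mount carry no on-disk label, so the other OS sees them as unlabeled unless it also uses context= or runs restorecon. The script below is an added example, not code from anyone in this thread. It does two small things a practitioner wants before and after such a change: it reports which files on the shared disk carry a SELinux user the other policy does not define, and it emits the persistent /etc/fstab form of Dan's mount command. Assumptions: the listing is fed in as "user:role:type:level path" lines (how you produce that from ls -Z or stat varies by release), the RHEL5 user list is what `semanage user -l` would print there and is only assumed here, and the sample listing is constructed.

```sh
#!/bin/sh
# Added example for this thread (not from the thread's authors).
# Nothing here needs root or a running SELinux.

# foreign_seuser_files KNOWN_USERS < listing
#   Echo each "context path" line whose SELinux user (first field of the
#   context) is not in the space-separated KNOWN_USERS list. These are the
#   files the other system's policy will treat as unlabeled.
foreign_seuser_files() {
    known=" $1 "
    while IFS=' ' read -r ctx path; do
        [ -n "$ctx" ] || continue           # skip blank lines
        user=${ctx%%:*}                     # "unconfined_u" from "unconfined_u:object_r:..."
        case "$known" in
            *" $user "*) ;;                 # understood by the other policy
            *) printf '%s %s\n' "$ctx" "$path" ;;
        esac
    done
}

# count_foreign KNOWN_USERS < listing  -> number of mismatched files
count_foreign() {
    foreign_seuser_files "$1" | wc -l | tr -d ' '
}

# fstab_context_line DEV MOUNTPOINT FSTYPE CONTEXT
#   Persistent form of the "mount -o context=..." command from the thread.
fstab_context_line() {
    printf '%s %s %s defaults,context="%s" 0 2\n' "$1" "$2" "$3" "$4"
}

# Constructed sample: a shared /home after Fedora created some files
# (unconfined_u) next to older files created from RHEL5 (user_u/system_u).
SAMPLE_LISTING='unconfined_u:object_r:user_home_t:s0 /home/paulo/new.html
user_u:object_r:user_home_t:s0 /home/paulo/old.html
system_u:object_r:httpd_sys_content_t:s0 /home/www/index.html
unconfined_u:object_r:user_home_dir_t:s0 /home/paulo'

# SELinux users assumed to be defined by the RHEL5 policy (example list;
# check with "semanage user -l" on the real box).
RHEL5_USERS="system_u user_u root staff_u sysadm_u"

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | foreign_seuser_files "$RHEL5_USERS"
    fstab_context_line /dev/ABC /home ext3 system_u:object_r:nfs_t:s0
fi
```

Run it with --demo to see the two Fedora-created entries flagged and the fstab line printed. Running the check again after a restorecon on the Fedora side shows whether the relabel actually touched the user field: by default restorecon resets only the type portion of a context, and the -F option is what forces the user and role to be reset as well, so compare the output before and after and consult the restorecon man page for your release.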