F20 System Wide Change: Enable SELinux Labeled NFS Support
Daniel J Walsh
dwalsh at redhat.com
Fri Jul 26 10:54:16 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/26/2013 03:40 AM, Florian Weimer wrote:
> On 07/25/2013 08:55 PM, Daniel J Walsh wrote:
>
>> Labels are applied based on the client rules. Which does bring up an
>> interesting idea of what happens if the server initiates a relabel.
>
> Can we make sure that there's a good chance that the NFS exports reside
> under a tree that is not subject to relabeling? Otherwise, that operation
> would be rather destructive and even insecure.
>
I don't think so. In the case of remote users directory this is likely but I
don't see anyway we can get an server admin to put exported content under a
directory path that is labeled correctly on both the client and server. Of
course we can recommend this, or explain /etc/selinux/fixfiles_exclude_dirs
which he can setup to prevent this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlHyVVgACgkQrlYvE4MpobOrmgCeLl5nA8tjN/02iC7qUBNnecKO
pEwAn2SqfutigDOcXXgr4YN0wogqu9CF
=LERT
-----END PGP SIGNATURE-----
More information about the devel
mailing list