F20 System Wide Change: Enable SELinux Labeled NFS Support

Toshio Kuratomi a.badger at gmail.com
Mon Jul 29 17:42:44 UTC 2013


On Fri, Jul 26, 2013 at 06:54:16AM -0400, Daniel J Walsh wrote:
> 
> On 07/26/2013 03:40 AM, Florian Weimer wrote:
> > On 07/25/2013 08:55 PM, Daniel J Walsh wrote:
> > 
> >> Labels are applied based on the client rules.  Which does bring up an 
> >> interesting idea of what happens if the server initiates a relabel.
> > 
> > Can we make sure that there's a good chance that the NFS exports reside
> > under a tree that is not subject to relabeling?  Otherwise, that operation
> > would be rather destructive and even insecure.
> > 
> I don't think so.  In the case of remote users directory this is likely but I
> don't see any way we can get a server admin to put exported content under a
> directory path that is labeled correctly on both the client and server.  Of
> course we can recommend this, or explain /etc/selinux/fixfiles_exclude_dirs
> which he can set up to prevent this.
>
<nod>  I think that it may not be immediately obvious to admins what all the
caveats to using this are.  Having good documentation of the implications of
the Change and pointing to that in the Release Notes seems very important to
inform admins of what to expect.

Just for the technical aspect of the change, this seems like a great
improvement :-)

-Toshio
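
A check for the gap discussed in this thread, as an added example that is not part of the original messages: it lists NFS export directories that no entry in /etc/selinux/fixfiles_exclude_dirs covers, so a server-side relabel would touch them. The function names and sample data are constructed, and the exclude file is assumed to hold one absolute directory per line with # comments.

```python
import posixpath

def exported_paths(exports_text):
    """Return the export directory from each /etc/exports entry."""
    paths = []
    # Join backslash-continued lines before parsing.
    for line in exports_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith('"'):            # quoted path containing spaces
            path = line[1:].split('"', 1)[0]
        else:
            path = line.split()[0]
        paths.append(posixpath.normpath(path))
    return paths

def excluded_dirs(exclude_text):
    """Parse fixfiles_exclude_dirs: one absolute directory per line (assumed format)."""
    dirs = []
    for line in exclude_text.splitlines():
        line = line.strip()
        if line.startswith("/"):            # skips blanks, comments, relative paths
            dirs.append(posixpath.normpath(line))
    return dirs

def is_covered(path, dirs):
    """True if path equals, or lies beneath, one of the excluded directories."""
    return any(path == d or d == "/" or path.startswith(d + "/") for d in dirs)

def unprotected_exports(exports_text, exclude_text):
    """Exports that a relabel run would still reach."""
    dirs = excluded_dirs(exclude_text)
    return [p for p in exported_paths(exports_text) if not is_covered(p, dirs)]

# Constructed sample input, not taken from any real server.
SAMPLE_EXPORTS = """\
# constructed example
/srv/nfs/home   192.0.2.0/24(rw,sync,security_label)
/srv/nfs/homes2 client.example.com(rw) \\
                other.example.com(ro)
"/srv/shared data" *(ro)
/export/scratch *(rw)
"""
SAMPLE_EXCLUDES = "# constructed example\n/srv/nfs/home\n/srv/shared data\n"

if __name__ == "__main__":
    for p in unprotected_exports(SAMPLE_EXPORTS, SAMPLE_EXCLUDES):
        print("export not excluded from relabel:", p)
```

The comparison is done on whole path components, so an exclude entry for /srv/nfs/home does not silently cover /srv/nfs/homes2.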