.autorelabel on mounted filesystems

Daniel B. Thurman dant at cdkkt.com
Thu Sep 2 17:45:46 UTC 2010


On 09/02/2010 07:40 AM, Daniel J Walsh wrote:
> On 08/27/2010 04:14 AM, Paul Howarth wrote:
> > On 27/08/10 07:12, Daniel B. Thurman wrote:
> >>
> >> I have several versions of root distro partitions of which I do
> >> mount via fstab, but of course only one / and /boot partition
> >> is to be defined for the version to be booted.
> >>
> >> What I would like to know is, if I do an /.autorelabel,
> >> for one boot/root partition, does this mean that every
> >> mounted filesystem that appears in /etc/fstab also gets
> >> relabeled?  If so, this is not what I want especially if
> >> other root distro partitions are being mounted for example,
> >> say: /md/{distro1, distro2, ...}
> >>
> >> So, How do I get around this?  I could comment out
> >> all entries in /etc/fstab except / and /boot (plus the
> >> required entries), touch /.autorelabel, reboot, and once
> >> relabeling is completed, then add back in the commented
> >> out fstab entries, then issue a mount -a. Could I add an option
> >> entry say: NO_RELABEL to certain fstab entries?
> >>
> >> Since I was introduced to the /media since F9, I never could
> >> figure out how to add mounted "media" filesystems, which
> >> is why I added them instead to fstab.
> >>
> >> How do I solve this issue?
>
> > I create a local policy module for this sort of thing, with a file
> > contexts entry like this:
>
> > # Don't touch stuff here
> > /srv/homes(/.*)?                    <<none>>
>
> > So you could have:
> > ::::::::::::::
> > otherdistros.fc
> > ::::::::::::::
> > /md/distro1(/.*)?        <<none>>
> > /md/distro2(/.*)?        <<none>>
>
> > ::::::::::::::
> > otherdistros.te
> > ::::::::::::::
> > policy_module(otherdistros, 0.0.1)
>
> > Building and installing that module should do the trick.
>
> > Paul.
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> I have blogged on this.
>
> http://danwalsh.livejournal.com/38157.html

Yes, it's good to know, and it should help users who
are faced with similar situations.

My choice was to update only the fstab file for each and
every mount entry.  The only question in my mind is, by
having different fstabs, could relabels occur depending on
which OS is booted, or are the contexts a mask that leaves
the "actual underlying context" alone?

For example:

1) F12: /etc/fstab:
    LABEL=RF12D1 /          ext4   defaults                                    1 1
    LABEL=BF12D1 /boot      ext4   defaults                                    1 2
    [...]
    LABEL=RF13D3 /md/RF13D3 ext4   context=system_u:object_r:root_t:s0,defaults  0 0

2) F13: /etc/fstab:
    LABEL=RF13D3 /          ext4   defaults                                    1 1
    LABEL=BF13D3 /boot      ext4   defaults                                    1 2
    [...]
    LABEL=RF12D1 /md/RF12D1 ext4   context=system_u:object_r:root_t:s0,defaults  0 0

Does this mean that if I boot F12, the RF13D3 / partition would be
relabeled as root_t, and if I boot F13, the RF12D1 / partition would
be relabeled as root_t? I note that the entire mounted /md/X file
contents are seen as root_t context. Could this cause any problems?

It is interesting to note that for /md/X/ mounted filesystem, a root
user cannot change the / files, whereas / subdirectory files can be
changed/modified.

The workaround is to unmount the /md/X filesystem, remounting it
as default, make the change, unmount again, and then mount -a OR
simply reboot to the OS and make the changes in the normal way.

But as it is, it seems to work well, and more importantly, only / and
/boot are relabeled if /.autorelabel is touched; all other /md mounts
are not traversed during the auto-relabeling phase AFAIK because
all I see is stars (*).

Thanks for your help!
Dan