.autorelabel on mounted filesystems

Daniel J Walsh dwalsh at redhat.com
Tue Sep 7 15:01:43 UTC 2010


On 09/05/2010 02:20 PM, Paul Howarth wrote:
> On Thu, 02 Sep 2010 10:40:05 -0400
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> On 08/27/2010 04:14 AM, Paul Howarth wrote:
>>> On 27/08/10 07:12, Daniel B. Thurman wrote:
>>>>
>>>> I have several versions of root distro partitions of which I do
>>>> mount via fstab, but of course only one / and /boot partition
>>>> is to be defined for the version to be booted.
>>>>
>>>> What I would like to know is, if I do an /.autorelabel,
>>>> for one boot/root partition, does this mean that every
>>>> mounted filesystem that appears in /etc/fstab also gets
>>>> relabeled?  If so, this is not what I want especially if
>>>> other root distro partitions are being mounted for example,
>>>> say: /md/{distro1, distro2, ...}
>>>>
>>>> So, how do I get around this?  I could comment out
>>>> all entries in /etc/fstab except / and /boot (plus the
>>>> required entries), touch /.autorelabel, reboot, and once
>>>> relabeling is completed, then add back in the commented
>>>> out fstab entries, then issue a mount -a. Could I add an option
>>>> entry say: NO_RELABEL to certain fstab entries?
>>>>
>>>> Since I was introduced to the /media since F9, I never could
>>>> figure out how to add mounted "media" filesystems, which
>>>> is why I added them instead to fstab.
>>>>
>>>> How do I solve this issue?
>>>
>>> I create a local policy module for this sort of thing, with a file 
>>> contexts entry like this:
>>>
>>> # Don't touch stuff here
>>> /srv/homes(/.*)?					<<none>>
>>>
>>> So you could have:
>>> ::::::::::::::
>>> otherdistros.fc
>>> ::::::::::::::
>>> /md/distro1(/.*)?		<<none>>
>>> /md/distro2(/.*)?		<<none>>
>>>
>>> ::::::::::::::
>>> otherdistros.te
>>> ::::::::::::::
>>> policy_module(otherdistros, 0.0.1)
>>>
>>> Building and installing that module should do the trick.
>>>
>>> Paul.
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> I have blogged on this.
>>
>> http://danwalsh.livejournal.com/38157.html
> 
> I used to use semanage for this but I find using local policy modules
> better for maintainability - it's easier to add, remove, and change
> multiple default contexts in one go and it's easy to see what I have
> that's different from the stock policy.
> 
> Paul.
Good point.  I wanted to point to different ways of doing the same
thing.  What I have not experimented with is whether restorecon stops as
soon as it hits a <<none>> matchpathcon.
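An added example, not from anyone in the thread: a small script that generates the otherdistros.fc/.te module sources Paul describes, builds and loads the module, and then checks the result with matchpathcon and a restorecon dry run. It assumes selinux-policy-devel (for /usr/share/selinux/devel/Makefile) and policycoreutils are installed, and uses the thread's /md/distro1 and /md/distro2 paths; the module directory /tmp/otherdistros is an arbitrary choice.

```shell
#!/bin/sh
# Added example: exclude extra distro roots from relabeling with a local
# policy module whose file contexts map them to <<none>>.
set -u

# Emit one file_contexts line per path: "<path>(/.*)?  <<none>>".
gen_fc() {
    for p in "$@"; do
        printf '%s(/.*)?\t\t<<none>>\n' "$p"
    done
}

# Write the two module source files (otherdistros.fc and otherdistros.te)
# into the given directory; remaining arguments are the paths to exclude.
write_module() {
    dir=$1; shift
    mkdir -p "$dir"
    gen_fc "$@" > "$dir/otherdistros.fc"
    printf 'policy_module(otherdistros, 0.0.1)\n' > "$dir/otherdistros.te"
}

# Build the .pp with the reference-policy devel Makefile, load it, then
# verify: matchpathcon should report <<none>> for files under each path and
# the restorecon dry run (-n) should list nothing it would change.
# Needs root and an SELinux-enabled host.
build_and_check() {
    dir=$1; shift
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile otherdistros.pp ) || return 1
    semodule -i "$dir/otherdistros.pp" || return 1
    for p in "$@"; do
        matchpathcon "$p/etc/passwd"
        restorecon -Rvn "$p"
    done
}

# Only touch the live policy when explicitly asked (./script.sh install).
if [ "${1:-}" = "install" ]; then
    write_module /tmp/otherdistros /md/distro1 /md/distro2
    build_and_check /tmp/otherdistros /md/distro1 /md/distro2
fi
```

Run it with the `install` argument as root; without it the script only defines the functions, so the generated .fc can be inspected first.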