fcontext nightmare - Help please?

Daniel J Walsh dwalsh at redhat.com
Mon Aug 20 09:59:48 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/19/2012 04:24 PM, Tom London wrote:
> On Tue, Aug 14, 2012 at 2:21 PM, Dominick Grift <dominick.grift at gmail.com>
> wrote:
>> You might want to check out the semanage --equiv option. (man semanage)
>> 
>> That basically allows you to alias existing file context structures:
>> 
>> heres an example from man semanage:
>> 
>> For home directories under top level directory, for example /disk6/home,
>> execute the following commands.
>> 
>> # semanage fcontext -a -t home_root_t "/disk6"
>> # semanage fcontext -a -e /home /disk6/home
>> # restorecon -R -v /disk6
>> 
>> so in your case you might want to make /data equivalent to / or 
>> something
>> 
>> semanage fcontext -a -e / /data
>> restorecon -R -v -F /data
>> 
>> That should label /data root_t, /data/var var_t, /data/var/lib var_lib_t 
>> etc.
>> 
>> just as if it was your main file system.
>> 
> 
> So this sounds exactly like what I would like to do with my LUKS encrypted USB
> backup drive.
> 
> Unfortunately, I'm stumbling across the fact that the drive is 
> 'automagically' mounted (when I login or power it on), and it gets mounted
> on /run/media/tbl/Backup1TB:
> 
> /dev/mapper/luks-94a9d7d7-f819-4c2c-b735-81bb28db0426 on /run/media/tbl/Backup1TB type ext4 (rw,nosuid,nodev,relatime,seclabel,data=ordered,uhelper=udisks2)
> 
> The 'semanage -e' command spews:
> 
> [root at tlondon ~]# semanage fcontext -a -e / /run/media/tbl/Backup1TB/X200
> /sbin/semanage: File spec /run/media/tbl/Backup1TB/X200 conflicts with
> equivalency rule '/run /var/run'; Try adding
> '/var/run/media/tbl/Backup1TB/X200' instead
> [root at tlondon ~]#
> 
> It appears that '/var/run/media' doesn't exist on my system (I guess /run and
> /var/run are not really 'equivalent'?).
> 
> Is this an issue with my system (e.g., do I need an explicit entry in fstab or
> some such)? With the scaffolding that deals with /run and /var/run? Other?
> Should this work?
> 
> Thanks, tom
> 
Yes, it is telling you about a double equivalence. The systemd guys have suggested
that we reverse the equivalence. Since /var/run does not really exist anymore,
they suggested we move to /var/run -> /run rather than what we currently have,
/run -> /var/run. My concern with this switch would be if users/package
developers had already added file context for /var/run.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAyCpMACgkQrlYvE4MpobO5wgCfdRVrB/xGOiHjCME8jX9wUYOC
sw4AoOVSv9uAKByYi7c0UVNn2hwX5k/E
=x56+
-----END PGP SIGNATURE-----
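To make the "double equivalence" concrete, here is a small Python model of how an SELinux path equivalence (the `-e` rule written to `file_contexts.subs_dist`) is applied during labeling, and why semanage refuses a target that already falls under the distribution's `/run /var/run` rule. This is an added illustration for this thread, not libselinux or libsemanage code. It assumes the rule-file format shown in the man page (`<target> <source>` per line), whole-component prefix matching, and that a path is rewritten by the first matching rule only, so equivalences do not chain; the rule set and the `/srv/backup` path in the test are constructed.

```python
"""Model of SELinux path equivalence (semanage fcontext -e / file_contexts.subs_dist).

Simplified re-implementation for illustration, not libselinux or libsemanage code.
Assumptions: rules are "<target> <source>" lines, a path is rewritten by the
first matching rule only (so equivalences do not chain), and matching is on
whole path components.
"""

# Constructed rule file: the distribution's /run -> /var/run rule that the
# thread hits, the man page's /disk6/home alias, and the "/data is /" alias.
SUBS_DIST = """\
# constructed sample in file_contexts.subs_dist format
/run /var/run
/disk6/home /home
/data /
"""


def parse_subs(text):
    """Parse '<target> <source>' lines; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, source = line.split()
        # Normalise trailing slashes; a bare "/" source stays "/".
        rules.append((target.rstrip("/"), source.rstrip("/") or "/"))
    return rules


def _under(prefix, path):
    """True when prefix names path itself or a whole-component ancestor of it."""
    return path == prefix or path.startswith(prefix + "/")


def substitute(path, rules):
    """Rewrite path by the first rule whose target covers it; unchanged otherwise.

    /disk6/home/tom -> /home/tom, so the ordinary /home entries in
    file_contexts apply; /data/var/lib -> /var/lib, which labels var_lib_t.
    """
    for target, source in rules:
        if _under(target, path):
            rest = path[len(target):]            # "" or "/..."
            return (source.rstrip("/") + rest) or "/"
    return path


def check_equivalence(new_target, rules):
    """Model the refusal in the thread: a new target that already lies under an
    existing rule's target is rejected and the rewritten path is suggested.
    Returns ((target, source), suggestion) or None when the target is fine."""
    for target, source in rules:
        if _under(target, new_target):
            suggestion = (source.rstrip("/") + new_target[len(target):]) or "/"
            return ((target, source), suggestion)
    return None


def format_refusal(new_target, rules):
    """Render a conflict in the wording semanage printed in the thread."""
    hit = check_equivalence(new_target, rules)
    if hit is None:
        return None
    (target, source), suggestion = hit
    return (f"File spec {new_target} conflicts with equivalency rule "
            f"'{target} {source}'; Try adding '{suggestion}' instead")


if __name__ == "__main__":
    rules = parse_subs(SUBS_DIST)
    print(substitute("/disk6/home/tom", rules))
    print(substitute("/data/var/lib", rules))
    print(format_refusal("/run/media/tbl/Backup1TB/X200", rules))
    # Following the suggestion does not help: the real mount point is under
    # /run, the /run rule rewrites the path once, and no second rule is
    # consulted, so nothing under the backup drive ever reaches the "/" alias.
    chained = rules + [("/var/run/media/tbl/Backup1TB/X200", "/")]
    print(substitute("/run/media/tbl/Backup1TB/X200/etc", chained))
```

The last lookup is the point of Dan's reply: with the suggested `/var/run/...` rule in place, a file under the mounted drive is still rewritten only to `/var/run/media/...` and labeled accordingly, which is why a chained equivalence cannot stand in for mounting the drive outside `/run` or for the distribution reversing the `/run`/`/var/run` rule.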

