NFS Home Directory Files Mis-Labelled

Daniel J Walsh dwalsh at redhat.com
Tue May 7 14:25:44 UTC 2013



On 05/07/2013 10:21 AM, Mike Pinkerton wrote:
> 
> On 7 May 2013, at 02:04, yersinia wrote:
> 
>> Restorecond perhaps can help here
>> 
>> best
>> 
>> 2013/5/6, Manuel Wolfshant <wolfy at nobugconsulting.ro>:
>>> On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
>>>> 
>>>> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>>>> 
>>>>> We should bring this up for discussion on the mail list, but I
>>>>> guess until we get labeling NFS we can not do anything about it.
>>>>> The server does not know what the label of the client process is
>>>>> running with.
>>>> 
>>>> The server does the right thing some of the time.  In the same home 
>>>> directory, I'll see some files with "unconfined_u" and others with 
>>>> "system_u".
>>>> 
>>>> I suppose until y'all figure this out, I'll set up a cron job to run 
>>>> "restorecon -FR /srv" on the file server every night.
>>> As an alternative workaround you could rely on inotify to trigger a 
>>> relabel each time a file is created
> 
> 
> My understanding is that inotify is not itself recursive, although
> "inotifywait -r" will recursively create inotify watches on up to 8192
> subdirectories.
> 
> My NFS-mounted home directories are in a tree with over 2,400
> subdirectories. So inotifywait should work but will probably take
> considerable resources.
> 
> From the man page, I assume that restorecond will use inotify to watch
> files listed in /etc/selinux/restorecond.conf.  Is restorecond recursive
> like inotifywait?  Will adding "/srv/exports/*" to restorecond.conf cause
> restorecond to recursively watch all 2,400+ subdirectories?
> 
> Thanks for all the great workaround ideas.
> 
No, restorecond will not do this.  It is not recursive, and I think you would
have considerable problems with it as far as resources.  Best to run
restorecon periodically.  But again, from an SELinux point of view there is no
difference between system_u and unconfined_u; no policy that Fedora ships
cares about the SELinux User component on files on disk.
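The inotify-triggered relabel workaround discussed in this thread, written out as an added example that is not from any of the participants. It assumes inotify-tools (inotifywait) and policycoreutils (restorecon) on the NFS server, and it checks the directory count against the kernel's inotify watch limit before starting, since that limit was the concern raised above.

```shell
#!/bin/sh
# Added example: relabel files on the NFS server as they appear, with a
# periodic "restorecon -FR" still recommended as the backstop (see below).

# A recursive inotify watch needs one watch per directory in the tree.
count_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Per-user watch limit (sysctl fs.inotify.max_user_watches). The 8192
# fallback is the figure quoted in the thread, used only if /proc is absent.
max_watches() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

# Succeed if the tree under $1 fits within the watch limit.
tree_fits() {
    [ "$(count_dirs "$1")" -le "$(max_watches)" ]
}

# Parse one line produced by "inotifywait --format '%e %w%f'", i.e.
# "EVENT[,EVENT] /full/path" (the path may contain spaces).
# Print the path only for events that can leave a freshly written,
# possibly mislabelled file behind; fail for anything else (ATTRIB, DELETE).
relabel_target() {
    events=${1%% *}
    path=${1#* }
    case ",$events," in
        *,CREATE,*|*,MOVED_TO,*|*,CLOSE_WRITE,*) printf '%s\n' "$path" ;;
        *) return 1 ;;
    esac
}

# Watch loop, run as root on the file server (e.g. from a systemd unit).
# Caveat: files dropped into a brand-new directory before inotifywait has
# added a watch for it are missed, which is why a nightly restorecon -FR
# over the export root remains worthwhile.
watch_and_relabel() {
    tree_fits "$1" || { echo "$1: too many directories for inotify watches" >&2; return 1; }
    inotifywait -m -r -e create,moved_to,close_write --format '%e %w%f' "$1" |
    while IFS= read -r line; do
        target=$(relabel_target "$line") && restorecon -F "$target"
    done
}

if [ -n "${1:-}" ]; then
    watch_and_relabel "$1"   # e.g. ./relabel-watch.sh /srv/exports
fi
```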

