Re: [CentOS] Excluding file systems from autorelabel
27.12.2012 3:03, James A. Peltier wrote:
> I'm really feeling dense today. I can't find anywhere in the FTP man page
> anything related to SELinux labels.

See man ftpd_selinux.

-- 
Markku Kolkka
markku.kol...@iki.fi
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Excluding file systems from autorelabel
On 12/27/2012 06:09 AM, Markku Kolkka wrote:
> 27.12.2012 3:03, James A. Peltier wrote:
>> I'm really feeling dense today. I can't find anywhere in the FTP man page
>> anything related to SELinux labels.
>
> See man ftpd_selinux.

Depending on your version, you should be able to add an entry like /exports to

/etc/selinux/fixfiles_exclude_dirs

And fixfiles should exclude this directory. (Autorelabel/rpm updates)

grep fixfiles_exclude_dirs /sbin/fixfiles

Another way to do this is to add a mount option to the directories mounted at /exports

mount -o context=...

Autorelabel does not relabel anything mounted with a context option.
Re: [CentOS] Excluding file systems from autorelabel
----- Original Message -----
| On 12/27/2012 06:09 AM, Markku Kolkka wrote:
| > 27.12.2012 3:03, James A. Peltier wrote:
| >> I'm really feeling dense today. I can't find anywhere in the FTP man
| >> page anything related to SELinux labels.
| >
| > See man ftpd_selinux.

Yet again, this is about setting a SELinux context and not removing it, or excluding it from SELinux processing entirely. This is NOT what I want to do. Thankfully, Dan Walsh understood the problem and was able to better answer it for me.

| Depending on your version, you should be able to add an entry like /exports to
| /etc/selinux/fixfiles_exclude_dirs
|
| And fixfiles should exclude this directory. (Autorelabel/rpm updates)
|
| grep fixfiles_exclude_dirs /sbin/fixfiles

However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the hosts I have.

[root@daat ~]# which fixfiles
/sbin/fixfiles

and

[root@daat ~]# grep -i exclude /sbin/fixfiles

returns nothing, but it does exist in Fedora.

| Another way to do this is to add a mount option to the directories mounted at
| /exports
|
| mount -o context=...
|
| Autorelabel does not relabel anything mounted with a context option.

Ok gotcha! So since I'm trying to understand this better in the context of an NFS file server, what would be the best aka least intrusive context (perhaps most permissive is a better term)? Perhaps unconfined_u:object_r:default_t:s0?

A secondary question is why is it that semanage fcontext -a -t none /exports(/.*)? did not work? Shouldn't this tell SELinux not to bother with the directory, or is it still walking the file system to find files with labels?

Thanks for your help in better utilizing SELinux BTW. ;)

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier

The smartest people are constantly revising their understanding, reconsidering a problem they thought they’d already solved. They’re open to new points of view, new information, new ideas, contradictions, and challenges to their own way of thinking. - Jeff Bezos
Re: [CentOS] Excluding file systems from autorelabel
On 12/26/2012 4:05 AM, James A. Peltier wrote:
> I'm trying to find a way to exclude file systems during the autorelabel process. I have a file system (/exports) that has tens of millions of files on it and I *know* I don't want it relabeled.

How often do you need to do this?

The obvious solution is to comment out the entry in /etc/fstab for the /exports filesystem and then touch /.autorelabel and reboot. When the machine comes back up, uncomment the entry in /etc/fstab and then do a mount -a.

If you want to do this on a regular basis, just script the whole thing, including a script called from /etc/rc.d/rc.local which checks for a semaphore file created by the first script and does the uncomment and mount -a if the first script has been run. Do lots of error checking and don't forget to remove the semaphore file when the system is back up. Run the whole thing out of cron.

There may be a more direct way to do what you want, but this is one way to do it using simple shell commands.

Hope this helps

Harold
linux since 1993
Re: [CentOS] Excluding file systems from autorelabel
On 12/27/2012 03:08 PM, James A. Peltier wrote:
> ----- Original Message -----
> | On 12/27/2012 06:09 AM, Markku Kolkka wrote:
> | > 27.12.2012 3:03, James A. Peltier wrote:
> | >> I'm really feeling dense today. I can't find anywhere in the FTP man
> | >> page anything related to SELinux labels.
> | >
> | > See man ftpd_selinux.
>
> Yet again, this is about setting a SELinux context and not removing it, or excluding it from SELinux processing entirely. This is NOT what I want to do. Thankfully, Dan Walsh understood the problem and was able to better answer it for me.
>
> | Depending on your version, you should be able to add an entry like /exports to
> | /etc/selinux/fixfiles_exclude_dirs
> |
> | And fixfiles should exclude this directory. (Autorelabel/rpm updates)
> |
> | grep fixfiles_exclude_dirs /sbin/fixfiles
>
> However, on CentOS 5.8 or 6.3 this does not seem to exist on any of the hosts I have.
>
> [root@daat ~]# which fixfiles
> /sbin/fixfiles
>
> and
>
> [root@daat ~]# grep -i exclude /sbin/fixfiles
>
> returns nothing, but it does exist in Fedora.
>
> | Another way to do this is to add a mount option to the directories mounted at
> | /exports
> |
> | mount -o context=...
> |
> | Autorelabel does not relabel anything mounted with a context option.
>
> Ok gotcha! So since I'm trying to understand this better in the context of an NFS file server, what would be the best aka least intrusive context (perhaps most permissive is a better term)? Perhaps unconfined_u:object_r:default_t:s0?
>
> A secondary question is why is it that semanage fcontext -a -t none /exports(/.*)? did not work? Shouldn't this tell SELinux not to bother with the directory, or is it still walking the file system to find files with labels?
>
> Thanks for your help in better utilizing SELinux BTW. ;)

What does matchpathcon /exports/foobar say after you add that rule?
Re: [CentOS] Excluding file systems from autorelabel
On 12/27/2012 12:40 PM, Harold Pritchett wrote:
> If you want to do this on a regular basis, just script the whole thing, including a script called from /etc/rc.d/rc.local which checks for a semaphore file created by the first script and does the uncomment and mount -a if the first script has been run.

That seems entirely unnecessary and pointlessly complex. As there doesn't seem to be any support for /etc/selinux/fixfiles_exclude_dirs in any production release of CentOS, the simplest option is to add noauto to the fstab entry for the volume and mount it after sysinit, possibly in rc.local.

Perhaps that seems less onerous to me than it does to other people. I mount my home and backup filesystems after boot so that I don't need to store the encryption keys in order to allow unattended boot.
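The fstab side of the two workable approaches in this thread, the context= mount option (autorelabel leaves context-mounted filesystems alone) and the noauto entry mounted from rc.local after boot, as an added shell example that is not from any poster and not CentOS code. It operates on whatever fstab path it is given, so it can be exercised against a scratch copy; the flag-file path stands in for /.autorelabel and the mount command is a parameter so a test can substitute a harmless one; the SELinux context value used in the demo is a constructed placeholder, since which type suits an NFS export is left open in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: keep a big filesystem such as /exports
# out of autorelabel by editing its fstab entry.  Either give it a
# context= mount option (autorelabel leaves context-mounted filesystems
# alone) or mark it noauto and mount it from rc.local once the system is up.
# FSTAB, the flag file and the mount command are parameters so the script
# can be run against a scratch copy instead of the live /etc/fstab.

# fstab_add_opt FSTAB MOUNTPOINT OPTION
# Print FSTAB with OPTION appended to the options field of the MOUNTPOINT
# entry.  An option already present (compared by name, so "context=x"
# matches an existing "context=y") is not added twice; comments, blank
# lines and other entries pass through untouched.
fstab_add_opt() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $2 == mp {
            name = opt; sub(/=.*/, "", name)
            n = split($4, cur, ",")
            found = 0
            for (i = 1; i <= n; i++) { c = cur[i]; sub(/=.*/, "", c); if (c == name) found = 1 }
            if (!found) $4 = $4 "," opt        # assigning $4 rebuilds the record
        }
        { print }
    ' "$1"
}

# fstab_has_opt FSTAB MOUNTPOINT OPTNAME -> exit 0 if the entry carries it
fstab_has_opt() {
    awk -v mp="$2" -v name="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, cur, ",")
            for (i = 1; i <= n; i++) { c = cur[i]; sub(/=.*/, "", c); if (c == name) found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# autorelabel_skips FSTAB MOUNTPOINT -> exit 0 if a relabel on the next boot
# will not touch it: context-mounted, or noauto (not mounted when fixfiles
# runs).  Check this before touching /.autorelabel.
autorelabel_skips() {
    fstab_has_opt "$1" "$2" context || fstab_has_opt "$1" "$2" noauto
}

# prepare_relabel FSTAB MOUNTPOINT FLAGFILE [CONTEXT]
# Exclude MOUNTPOINT (context= if CONTEXT is given, otherwise noauto),
# verify the exclusion, then create FLAGFILE (/.autorelabel on a real host).
prepare_relabel() {
    pr_fstab=$1; pr_mp=$2; pr_flag=$3; pr_ctx=$4
    if [ -n "$pr_ctx" ]; then pr_opt="context=$pr_ctx"; else pr_opt=noauto; fi
    pr_tmp=$(mktemp) || return 1
    # write through a temp file, then copy back so /etc/fstab keeps its
    # inode, permissions and its own SELinux label
    fstab_add_opt "$pr_fstab" "$pr_mp" "$pr_opt" > "$pr_tmp" &&
        cat "$pr_tmp" > "$pr_fstab"
    rm -f "$pr_tmp"
    autorelabel_skips "$pr_fstab" "$pr_mp" ||
        { echo "$pr_mp is still not excluded, refusing to set $pr_flag" >&2; return 1; }
    : > "$pr_flag"
}

# post_boot_mount FSTAB MOUNTPOINT FLAGFILE [MOUNTCMD]
# The rc.local half of the noauto approach: refuse while the relabel flag
# is still present (the relabel has not happened yet), otherwise mount the
# deferred entry.  MOUNTCMD defaults to mount; a test can pass echo.
post_boot_mount() {
    pb_fstab=$1; pb_mp=$2; pb_flag=$3; pb_cmd=${4:-mount}
    if [ -e "$pb_flag" ]; then
        echo "relabel flag $pb_flag still present, not mounting $pb_mp" >&2
        return 1
    fi
    fstab_has_opt "$pb_fstab" "$pb_mp" noauto || return 0   # nothing deferred
    "$pb_cmd" "$pb_mp"
}

# Stand-alone demonstration on a constructed fstab in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed fstab' 'UUID=root-uuid / ext4 defaults 1 1' \
        '/dev/sdb1 /exports xfs defaults 1 2' > "$d/fstab"
    # placeholder context (assumption); pick the type appropriate for the export
    prepare_relabel "$d/fstab" /exports "$d/autorelabel" system_u:object_r:default_t:s0
    cat "$d/fstab"
    rm -rf "$d"
}

demo
```

The two exclusions are not interchangeable: context= keeps the filesystem mounted normally but makes every file report the one context given, which is what Dan Walsh's suggestion implies for an export; noauto keeps the on-disk labels and simply makes sure the volume is not there when fixfiles walks the mounted filesystems, at the cost of having to mount it yourself afterwards.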
Re: [CentOS] Excluding file systems from autorelabel
----- Original Message -----
| What does matchpathcon /exports/foobar say after you add that rule?

All the directories report none, including /exports itself.

-- 
James A. Peltier
Re: [CentOS] Excluding file systems from autorelabel
It is possible to use semanage to label the files correctly and to persist after reboot; see man pages for FTP.

Hope this helps

Russell

On 26 Dec 2012, at 09:05, James A. Peltier jpelt...@sfu.ca wrote:

> I'm trying to find a way to exclude file systems during the autorelabel process. I have a file system (/exports) that has tens of millions of files on it and I *know* I don't want it relabeled.
>
> I've tried semanage fcontext -a -t none /exports(/.*)? and it seems to insist on relabeling that file system. I also tried to see if there was a /.autorelabel_exclude option as I saw some patches but can't seem to find indication of them anywhere (perhaps I missed it).
>
> I really need to make sure that I can exclude these massive directories if at all possible.
>
> Any help?
>
> -- 
> James A. Peltier
Re: [CentOS] Excluding file systems from autorelabel
On 12/26/2012 01:05 AM, James A. Peltier wrote:
> I really need to make sure that I can exclude these massive directories if at all possible.

The only way that appears to be available is to mark the filesystem noauto and mount it after the system has otherwise started.
Re: [CentOS] Excluding file systems from autorelabel
----- Original Message -----
| It is possible to use semanage to label the files correctly and to
| persist after reboot see man pages for FTP
| Hope this helps
| Russell

I'm really feeling dense today. I can't find anywhere in the FTP man page anything related to SELinux labels. I've google'd for stuff related to setting the context, but that is NOT what I want to do. I want to strip the context entirely so that autorelabel won't look at the files and directories under exports and attempt to apply labels, and I thought that semanage fcontext -a -t none /exports(/.*)? would do just that. It seems quite obvious that I'm either mistaken or that I'm missing another step. Once I do this, must I also run restorecon or some other command?

-- 
James A. Peltier