List: selinux
Subject: Re: Filesystem module
From: David Quigley <dpquigl () davequigley ! com>
Date: 2013-03-28 14:13:17
Message-ID: 10afc77cc74d7492ba83dcb1c1766747 () countercultured ! net
On 03/26/2013 14:56, Daniel J Walsh wrote:
> On 03/26/2013 12:56 PM, Christopher J. PeBenito wrote:
>> On 03/25/13 17:14, Rob Shelley wrote:
>>> I am evaluating OCFS2 on a CentOS 6.3 cluster and have run into a little
>>> bit of a snag with SELinux. After the OCFS2 partition is mounted no
>>> writes can be performed to the shared device from either node because
>>> they are being blocked by SELinux. The core of the issue is that the
>>> CentOS default policy does not list OCFS2 as a filesystem that supports
>>> xattrs in filesystem.te. It's a one line fix:
>>>
>>> fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
>>>
>>> However, it would seem that the only way to implement this change in
>>> filesystem.te is by rebuilding the base policy. (I have not found a way
>>> to just reload the filesystem module of the base policy.) And even if
>>> there were an easy way to reload just the filesystem module of the base
>>> policy I believe this would be overwritten if an update is released.
>>>
>>> So, I was wondering if there was a way to incorporate this line into a
>>> module, say ocfs2.te. My initial attempts have failed, but I am assuming
>>> that is because I do not have the correct dependencies listed in the
>>> require section.
>>>
>>> Any suggestions?
>>
>> Unfortunately you can only add fs_use statements to the base module, so
>> you'd have to rebuild the base module.
>>
> You should be able to mount the file system with a single label.
>
> mount -o context="system_u..."
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
Is there a reason that fs_use statements need to be in the base module
other than it's just how it is in the kernel and tool chain? Is that
something that could be changed?
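
Added example, not part of the original thread or of any SELinux tooling: a shell check that lists mounts whose filesystem type has no fs_use_* statement in the policy and no context= mount option, which is the state the OCFS2 volume in this thread was in. The policy and mount lines are constructed samples, `<CONTEXT>` is a placeholder, and `unlabeled_mounts` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample inputs, not taken from a real system.
# POLICY holds fs_use_* statements in policy-source form; on a live host the
# loaded ones can be listed with `seinfo --fs_use` (setools).
POLICY='fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);'

# MOUNTS uses the /proc/mounts layout: device mountpoint fstype options dump pass.
# <CONTEXT> stands in for whatever label the administrator chose.
MOUNTS='/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /shared ocfs2 rw,relatime 0 0
/dev/sdc1 /shared2 ocfs2 rw,context=<CONTEXT>,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel 0 0'

# unlabeled_mounts POLICY_TEXT MOUNTS_TEXT
# Prints "mountpoint fstype" for each mount whose filesystem type has no
# fs_use_* statement in POLICY_TEXT and whose options carry no context=.
# Types the policy labels only through genfscon are listed as well.
unlabeled_mounts() {
    { printf '%s\n' "$1"; echo '--MOUNTS--'; printf '%s\n' "$2"; } | awk '
        # Marker line separates the policy statements from the mount table.
        $0 == "--MOUNTS--" { in_mounts = 1; next }
        # Policy part: remember every filesystem type that has an fs_use rule.
        !in_mounts && $1 ~ /^fs_use_(xattr|task|trans)$/ { known[$2] = 1; next }
        # Mount part: skip types the policy knows and context= mounts.
        in_mounts && NF >= 4 {
            if ($3 in known) next
            # Anchored so fscontext=, defcontext= and rootcontext= do not match.
            if ($4 ~ /(^|,)context=/) next
            print $2, $3
        }'
}

unlabeled_mounts "$POLICY" "$MOUNTS"
```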