
List:       selinux
Subject:    Re: Filesystem module
From:       David Quigley <dpquigl () davequigley ! com>
Date:       2013-03-28 14:13:17
Message-ID: 10afc77cc74d7492ba83dcb1c1766747 () countercultured ! net

On 03/26/2013 14:56, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/26/2013 12:56 PM, Christopher J. PeBenito wrote:
>> On 03/25/13 17:14, Rob Shelley wrote:
>>> I am evaluating OCFS2 on a CentOS 6.3 cluster and have run into a little
>>> bit of a snag with SELinux.  After the OCFS2 partition is mounted no
>>> writes can be performed to the shared device from either node because
>>> they are being blocked by SELinux.  The core of the issue is that the
>>> CentOS default policy does not list OCFS2 as a filesystem that supports
>>> xattrs in filesystem.te.  It's a one line fix:
>>>
>>> fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
>>>
>>> However, it would seem that the only way to implement this change in
>>> filesystem.te is by rebuilding the base policy.  (I have not found a way
>>> to just reload the filesystem module of the base policy.)  And even if
>>> there were an easy way to reload just the filesystem module of the base
>>> policy I believe this would be overwritten if an update is released.
>>>
>>> So, I was wondering if there was a way to incorporate this line into a
>>> module, say ocfs2.te.  My initial attempts have failed, but I am assuming
>>> that is because I do not have the correct dependencies listed in the
>>> require section.
>>>
>>> Any suggestions?
>>
>> Unfortunately you can only add fs_use statements to the base module, so
>> you'd have to rebuild the base module.
>>
> You should be able to mount the file system with a single label.
>
> mount -o context="system_u..."
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlFR70gACgkQrlYvE4MpobNnFACglqXTfagTP1SGv4B48u40GcAR
> v6EAni59zLo5gElDUCDuVueMXSI/0Ek2
> =zKaF
> -----END PGP SIGNATURE-----
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


Is there a reason that fs_use statements need to be in the base module 
other than it's just how it is in the kernel and tool chain? Is that 
something that could be changed?

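An added example, not part of the original thread: a shell check that lists mounted filesystems whose type has no fs_use_* statement in the policy and that are not mounted with a context= option, which is the situation described for ocfs2 above. The sample policy lines, the mount table and the type name example_t are constructed; on a live system the inputs would be /proc/mounts and the policy's fs_use statements (for instance from `seinfo --fs_use`, assuming setools is installed).

```shell
#!/bin/sh
# Constructed sample of fs_use statements in the style of filesystem.te.
# ocfs2 is absent, as in the default policy described in the thread.
sample_policy() {
cat <<'EOF'
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
EOF
}

# Constructed sample in /proc/mounts format; example_t is a placeholder type.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /shared ocfs2 rw,relatime 0 0
/dev/sdc1 /shared2 ocfs2 rw,context=system_u:object_r:example_t:s0 0 0
EOF
}

# unlabeled_mounts POLICY_FILE MOUNTS_FILE
# Prints "mountpoint fstype" for every mount whose fstype has no fs_use_*
# statement and whose options carry no context= override.
unlabeled_mounts() {
    awk '
        FILENAME == ARGV[1] {
            # Policy input: remember each fstype named by an fs_use_* rule.
            if ($1 ~ /^fs_use_(xattr|task|trans)$/) known[$2] = 1
            next
        }
        {
            # Mount table: $2 = mountpoint, $3 = fstype, $4 = options.
            if ($3 in known) next
            if ($4 ~ /(^|,)context=/) next   # single-label mount
            print $2, $3
        }
    ' "$1" "$2"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
sample_policy > "$tmp/fs_use"
sample_mounts > "$tmp/mounts"
unlabeled_mounts "$tmp/fs_use" "$tmp/mounts"
rm -rf "$tmp"
```
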