Chapter 5. Controlling and Maintaining SELinux
There is one good method for relabeling the file system. You may also hear about two other methods,
neither of which is recommended. Here they are in order:
1. The best and cleanest method to relabel is to let init do it for you on boot:

    touch /.autorelabel
    reboot
By allowing the relabeling to occur early in the reboot process, you ensure that applications have
the right labels when they are started and that they are started in the right order. If you relabel a
live file system without rebooting, you may have processes running under the incorrect context.
Making sure all the daemons are restarted and running in the right context can be difficult.
2. It is possible to relabel a live file system using fixfiles, or to relabel only the files owned by
   particular packages, based on the RPM database:

    fixfiles relabel
    fixfiles -R packagename restore

Using the ability of fixfiles to restore contexts from packages is safer and quicker, because only the
files listed in the named packages are touched.
Caution
Running fixfiles on the whole file system without rebooting may make the system unstable.
If the relabeling operation applies a new policy that is different from the policy that was in
place when the system booted, existing processes may be running in incorrect and insecure
domains. For example, a process could be in a domain that is not an allowed transition for that
process in the new policy, granting unexpected permissions to that process alone.
In addition, fixfiles relabel prompts for approval to empty /tmp/, because it is not possible to
reliably relabel /tmp/. Since fixfiles is run as root, temporary files that applications are relying
on are erased. This could make the system unstable or behave unexpectedly.
3. A third method uses the source policy: make relabel. Avoid it for the same reason you avoid running
   fixfiles relabel on a live system.
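The check a practitioner wants after a live relabel is whether any daemon is still running in the wrong domain. The script below is an added example, not code from this guide: it assumes the RHEL 4 targeted policy, in which a daemon started from an init script stays in initrc_t when its executable did not carry the label that triggers the transition into the daemon's own domain, and it assumes the column layout of ps -eZ. The ps output held in SAMPLE_PS is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the RHEL 4 SELinux Guide): after a live
# "fixfiles relabel", list processes that are still running in initrc_t,
# the domain an init-script-launched daemon stays in when its executable
# was mislabeled at start time, so no domain transition happened.
# Assumptions: RHEL 4 targeted policy type names and the "ps -eZ" layout
# reproduced in SAMPLE_PS below (constructed sample data).

SAMPLE_PS='LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t           1 ?        00:00:00 init
system_u:system_r:initrc_t       823 ?        00:00:00 httpd
system_u:system_r:httpd_t        824 ?        00:00:00 httpd
system_u:system_r:initrc_t       901 ?        00:00:01 named
system_u:system_r:syslogd_t      617 ?        00:00:00 syslogd
user_u:system_r:unconfined_t   1201 pts/0    00:00:00 bash'

# domain_of CONTEXT -> prints the type field (user:role:type).
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stuck_daemons [DOMAIN]: reads "ps -eZ" output on stdin and prints
# "PID CMD" for every process whose domain is DOMAIN (default initrc_t).
stuck_daemons() {
    want="${1:-initrc_t}"
    while read -r ctx pid tty cputime cmd; do
        [ "$ctx" = "LABEL" ] && continue        # skip the header line
        if [ "$(domain_of "$ctx")" = "$want" ]; then
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
    return 0
}

# count_stuck [DOMAIN]: number of matching processes in the sample.
count_stuck() {
    printf '%s\n' "$SAMPLE_PS" | stuck_daemons "$1" | wc -l | tr -d ' '
}

# On a live system run:   ps -eZ | stuck_daemons
# Each daemon it lists should be restarted (service NAME restart) so it
# re-executes through its now correctly labeled binary and transitions
# into its own domain. Offline, against the constructed sample:
printf '%s\n' "$SAMPLE_PS" | stuck_daemons
```

Only the type field of the context is compared, so the same function can be pointed at any other domain (for example `stuck_daemons unconfined_t` to list shells and other unconfined processes). Restarting a listed daemon is the fix; relabeling again is not.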
5.2.3. Managing NFS Home Directories
In Red Hat Enterprise Linux 4 most targeted daemons do not interact with user data and are not
affected by NFS mounted home directories. One exception is Apache HTTP. For example, CGI scripts
that are on the mounted file system have the nfs_t type, which is not a type httpd_t is allowed to
execute.
If you are having problems with the default type of nfs_t, try mounting the home directories with a
different context:

    mount -t nfs -o context=user_u:object_r:user_home_dir_t \
        fileserver.example.com:/shared/homes/ /home
Caution
Section 5.2.13 Specifying the Security Context of Entire File Systems explains how to mount a
directory so that httpd is allowed to execute scripts. Doing that for user home directories gives
Apache HTTP increased access to those directories. Remember that a mountpoint label is for the entire
mounted file system.
Future versions of the SELinux policy address the functionality of NFS.