Chapter 5. Controlling and Maintaining SELinux


63


There is one good method for relabeling the file system. You may also hear about two other methods,


both of which are not recommended. Here they are in order:


1. The best and cleanest method to relabel is to let


init


do it for you on boot.


touch /.autorelabel


reboot


By allowing the relabeling to occur early in the reboot process, you ensure that applications have


the right labels when they are started and that they are started in the right order. If you relabel a


live file system without rebooting, you may have processes running under the incorrect context.


Making sure all the daemons are restarted and running in the right context can be difficult.


2. It is possible to relabel a live file system using


fixfiles


, or to relabel based on the RPM


database:


fixfiles relabel


fixfiles  R packagename restore


Using the ability of


fixfiles


to restore contexts from packages is safer and quicker.


Caution


Running fixfiles on the whole file system without rebooting may make the system unstable.


If the relabeling operation applies a new policy that is different from the policy that was in


place when the system booted, existing processes may be running in incorrect and insecure


domains. For example, a process could be in a domain that is not an allowed transition for that


process in the new policy, granting unexpected permissions to that process alone.


In addition, one of the options to fixfiles relabel prompts for approval to empty /tmp/


because it is not possible to reliably relabel /tmp/. Since fixfiles is run as root, temporary


files that applications are relying upon are erased. This could make the system unstable or


behave unexpectedly.


3. There is another method using the source policy. You want to avoid


make relabel


for the


same reason you avoid using


fixfiles


.


5.2.3. Managing NFS Home Directories


In Red Hat Enterprise Linux 4 most targeted daemons do not interact with user data and are not


affected by NFS mounted home directories. One exception is Apache HTTP. For example, CGI scripts


that are on the mounted file system have the


nfs_t


type, which is not a type


httpd_t


is allowed to


execute.


If you are having problems with the default type of


nfs_t


, try mounting the home directories with a


different context:


mount  t nfs  o context=user_u:object_r:user_home_dir_t \


fileserver.example.com:/shared/homes/ /home


Caution


Section 5.2.13 Specifying the Security Context of Entire File Systems explains how to mount a direc 


tory so that httpd is allowed to execute scripts. Doing that for user home directories gives Apache


HTTP increased access to those directories. Remember that a mountpoint label is for the entire


mounted file system.


Future versions of the SELinux policy address the functionality of NFS.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved