Alan M. Evans wrote:

On Wed, 2006-05-31 at 10:19, Paul Howarth wrote:

It appears that there is no easy fix for this problem, other than moving
the data somewhere other than under /home:
http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00253.html

That's a pity. As I said before, /home is convenient for me since that
partition is large and won't ever be formatted during future upgrades or
installs. /home/pgsql seemed obvious to me since both the database and
the home directories share these requirements.

Another possibility you might consider (particularly if you have /home
on LVM) might be to shrink /home and use the released space for a
separate /srv filesystem, which you could manage in the same way as
/home, not formatting it during upgrades etc. Your database data could
then be put under /srv/pgsql (where it arguably should be by default in
the package) instead of /home/pgsql and there would be no issue with
home directory contexts.

In any case, in your reply to the message linked above, you say:

If it was me I'd just bind mount /home/pgsql on /var/lib/pgsql
and there wouldn't be an issue...

And so I wonder: How does bind-mounting help me as regards default
contexts?

If I place data in /home/pgsql and bind-mount /var/lib/pgsql, then what
is the default context for pgsql? It depends on where restorecon was
run. If "restorecon -R /home" then pgsql will be set to the wrong
context; if "restorecon -R /var/lib" then it will be correct. And if,
for some reason, the entire filesystem gets relabelled, how do I know
which one it will get? I don't see what bind-mounting gains me
over my current predicament.

You are right (and it illustrates an issue with path-based security). If
the system was relabelled, it'd be pot luck whether the /home/pgsql or
/var/lib/pgsql contexts were applied. The advantages of doing the bind
mount are:

1. No tweaks to policy are needed because everything is where it's
expected to be.

2. In the event of having to relabel the system and the contexts getting
screwed up, all of the different contexts can be restored in one go with
the single command "restorecon -Rv /var/lib/pgsql", as opposed to having
to do different chcon commands for each different context that's needed.

Finally, it's working for me now, thanks to you. I will leave it all as
is and lurk the selinux list and quietly learn. Perhaps a better
solution to the default context issue will be discovered or implemented.

I've not given up on this yet; see fedora-selinux-list.

Paul.
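The "pot luck" relabelling problem discussed in the thread, as an added Python example that is not code from either poster: a constructed subset of file_contexts-style entries (resembling, but not copied from, the Fedora policy) with the later-entry-wins rule is used to show which type /home/pgsql/data would get depending on which pathname a relabel walks, with and without the bind mount. The names FILE_CONTEXTS, match_context, aliases and relabel_outcomes are the example's own.

```python
import re

# Constructed subset resembling file_contexts entries (regex, type); not the
# real policy file. Later, more specific entries take precedence, mirroring
# how a sorted file_contexts is consulted (last matching entry wins).
FILE_CONTEXTS = [
    (r"/.*",                  "default_t"),
    (r"/home",                "home_root_t"),
    (r"/home/[^/]*",          "user_home_dir_t"),
    (r"/home/[^/]*/.+",       "user_home_t"),
    (r"/var/lib/pgsql(/.*)?", "postgresql_db_t"),
]


def match_context(path, specs=FILE_CONTEXTS):
    """Type a path-based relabel would assign to PATH (last matching entry wins)."""
    for regex, ctx in reversed(specs):
        if re.fullmatch(regex, path):
            return ctx
    return None


def aliases(real_path, bind_mounts):
    """Every pathname under which REAL_PATH is reachable, given a constructed
    {mount_point: source_dir} table of bind mounts (not read from the system)."""
    names = [real_path]
    for mount_point, source in bind_mounts.items():
        if real_path == source or real_path.startswith(source + "/"):
            names.append(mount_point + real_path[len(source):])
    return names


def relabel_outcomes(real_path, bind_mounts):
    """Context REAL_PATH ends up with, keyed by the pathname the relabel walked.
    More than one distinct value means the final label depends on walk order."""
    return {name: match_context(name) for name in aliases(real_path, bind_mounts)}


if __name__ == "__main__":
    binds = {"/var/lib/pgsql": "/home/pgsql"}  # the bind mount from the thread
    for path, ctx in relabel_outcomes("/home/pgsql/data", binds).items():
        print(f"relabel via {path:<22} -> {ctx}")
    # A targeted "restorecon -Rv /var/lib/pgsql" only ever walks the second
    # name, so it deterministically yields postgresql_db_t.
```

Running it prints one line per pathname, showing user_home_t for the /home/pgsql name and postgresql_db_t for the /var/lib/pgsql name, which is exactly the ambiguity a full-filesystem relabel leaves and a targeted restorecon avoids.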