[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC] /var versus /srv



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andy Green wrote:
> Somebody in the thread at some point said:
> 
>>> SELinux doesn't care about file paths.  If the directories have the right
>>> context labels, it doesn't matter where they are.
>> You need more than the directories to be right. Sometimes the files inside the
> 
>> /var is hardcoded.
> 
> It doesn't consider file paths when examining what it was you wanted to
> touch to see if you can.
> 
> But when you create a file, by cp or whatever, it must use private
> knowledge about the specific path's "natural" context or it can't
> automagically label new files correctly based on where they were created.
> 
> Maybe it will be possible to adjust the policies to accept both
> /var/blah and /srv/blah, or via a bool.
> 
> -Andy
> 
sed 's/var/srv/g'  is easy.  But I have a feeling  sysadmins are going
to be much more complex than this.

I don't think rpm does a good job of choosing alternate locations for
the installed rpms.  This seems to be a bigger problem then worrying
about whether SELinux can put the proper file context in place.

If you set the directory context correctly the files created in the
directory will work.   So labeling /src/www and /var/www the same means
that apps creating files/directories in either will work exactly the same.

You need to use

semanage fcontext ...

To make sure file labeling remains after a relabel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG+7gcrlYvE4MpobMRAjP9AJ9qsV/CELf/+OmD+S/SpfRHhDhPRgCgsOQT
7je6K5MrcpC3/rmd814kuno=
=cwvB
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]