SELinux last straw
Les Mikesell
lesmikesell at gmail.com
Wed Oct 17 20:07:11 UTC 2007
Andy Green wrote:
> If you can't see the pam config or resolv.conf on an unknown box you
> don't know what will work either until you start trying and look.

Those don't have much to do with file access control.

> Permissive was useful for me to gingerly add selinux to a remote box
> that never had it before, the box couldn't be killed but I could learn
> where the issues were (a handful, FWIW). I turned it straight to
> enforcing and rebooted and fixed them up.
>
> The one golden rule I found seems to be to do with avoiding mv and using
> cp when introducing files to a new selinux directory tree. So if you
> created files in ~ and mv them to /var/www/html, because it is done by
> shifting inodes around and not creating files, they will retain the home
> directory related selinux label and make trouble. If you cp'd them
> over, new files are created in the new directory context, they will have
> httpd-related labels.

Does that mean some backup/restore methods work and some don't? My
preference for almost all copy/move operations is rsync because it is
pretty much the same regardless of whether the source/dest are local or
not. Will it work in the case where both are local? What happens when
they aren't?

--
Les Mikesell
lesmikesell at gmail.com
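
The labelling behaviour Andy Green describes above (a file moved with mv keeps its home-directory label, a file created by cp gets the destination's), as an added example that is not part of the original message: a Python audit that flags files in a web tree whose SELinux type is not an expected httpd one. The type names (`user_home_t`, `httpd_sys_content_t`, `httpd_sys_script_exec_t`), the function names and the sample labels are assumptions constructed for illustration.

```python
import os

XATTR = "security.selinux"  # extended attribute where Linux stores a file's SELinux context

def selinux_type(context):
    """Return the type field of 'user:role:type[:range]'; the range may itself contain ':'."""
    fields = context.rstrip("\x00").strip().split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]

def read_context(path):
    """Read a file's label; None if it is unlabeled or xattrs are unavailable."""
    try:
        return os.getxattr(path, XATTR, follow_symlinks=False).decode()
    except (OSError, AttributeError):
        return None

def walk_labels(root):
    """Yield (path, context) for every directory and file under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            yield path, read_context(path)

def find_mislabeled(labels, expected_types):
    """Return [(path, type)] for entries whose SELinux type is not expected."""
    bad = []
    for path, context in labels:
        found = selinux_type(context) if context else "<unlabeled>"
        if found not in expected_types:
            bad.append((path, found))
    return bad

# Assumed httpd-related types from the targeted policy.
WEB_TYPES = {"httpd_sys_content_t", "httpd_sys_script_exec_t"}

# Constructed sample: report.html was mv'd from ~ and kept its home label.
SAMPLE = [
    ("/var/www/html/index.html", "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/html/report.html", "unconfined_u:object_r:user_home_t:s0"),
    ("/var/www/html/app.cgi",
     "unconfined_u:object_r:httpd_sys_script_exec_t:s0:c0.c1023\x00"),
]

if __name__ == "__main__":
    for path, found in find_mislabeled(SAMPLE, WEB_TYPES):
        print(f"{path}: type {found} is not an httpd type")
```

On a live system, `find_mislabeled(walk_labels("/var/www/html"), WEB_TYPES)` audits the real tree, and `restorecon -Rv` on the directory resets labels to the policy defaults.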