[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux - a question about external drive after upgrade



Mike wrote:
> Daniel J Walsh <dwalsh <at> redhat.com> writes:
> 
>> If you are going to be moving this disk back and forth between selinux
>> enabled and disabled machines, and the files back and forth on the disk,
>> you really should use a context mount on the SELinux platform to ignore
>> labels on the disk.
> 
> I hope not to do so but could envisage a need very occasionally.
> 
> The other thing I note is that reading "man mount" gives options
> context, fscontext and defcontext - the first time I do this I am 
> unclear as to whether an fsmount with the appropriate context would then
> set up the existing filesystem with the new context, and then using
> rsync -aXH from another machine on the LAN to re-write the files on the
> drive attached to the desktop would then correctly assign the backup files
> with the same contexts as on the source laptop?
> 
> That way presumably only the filesystem would have contexts until individual
> files were overwritten during the rsync backup? Using restorecon before this
> would presumably then write contexts into all files on the backup drive, 
> which I usually have in a number of different directories to house backups
> from a number of different machines.
> 
> It would be nice to understand enough so that I have a chance to get it right
> once I do this for real after upgrading the main machine.
> 
> The other question I am unsure about is once the external drive has been
> correctly mounted and a context assigned, and a set of backup files written
> with contexts - then the next time I plug in the drive would it be mounted
> automatically with the contexts visible - or would I have to mount it
> "manually" with the appropriate context options?
> 
If you mount with a "context=" flag no context will get placed on the disk.

You may (and probably do) not want the files on this backup to have the
labels, and are often better off calling restorecon when placing them
back on disk.  If you have different policies on different machines, the
layout of file context may be different, and in some cases the types on
one machine might not be understood on another.

By placing the files back on a machine and running restorecon, you are
saying that you want the files labeled according to the policy of the
current machine.
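The procedure Dan describes (mount the removable disk with a fixed context so nothing is labeled on it, copy, then restorecon on the way back) as an added shell example; it is not code from this thread or from the SELinux project. The device /dev/sdb1, the mount point /mnt/backup, the removable_t label, the fstab entry and the sample mount table are assumptions made for illustration. The mounted_context helper answers the follow-up question about automounting: it reads a /proc/self/mounts-style table and reports whether a given mount point actually received a context= option or whether the kernel is honouring whatever labels sit on the disk.

```shell
#!/bin/sh
# Added example, not code from the thread. /dev/sdb1, /mnt/backup, the
# removable_t label and SAMPLE_MOUNTS below are assumptions for illustration.

# Build the option that tells the kernel to ignore labels stored on the disk
# and present every file with one fixed context. Nothing is written to disk.
context_mount_opts() {
    # $1 = user:role:type:level, e.g. system_u:object_r:removable_t:s0
    case "$1" in
        *:*:*:*) printf 'context=%s\n' "$1" ;;
        *) echo "context_mount_opts: not a full SELinux context: $1" >&2; return 1 ;;
    esac
}

# fstab line so that a plain "mount /mnt/backup" (and a udisks mount of a
# device that has an fstab entry) applies the context option every time.
fstab_entry() {
    # $1 = device or UUID=..., $2 = mount point, $3 = context
    opts=$(context_mount_opts "$3") || return 1
    printf '%s %s ext4 noauto,nofail,%s 0 0\n' "$1" "$2" "$opts"
}

# Given a mount table in /proc/self/mounts format ($1) and a mount point ($2),
# print the context= value if the file system was mounted with one; return 1
# if it was not, i.e. the kernel is trusting the labels found on the disk.
mounted_context() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        # the kernel quotes a context that contains a comma (MLS categories)
        $2 == mp && match($4, /context="[^"]*"|context=[^,]*/) {
            ctx = substr($4, RSTART + 8, RLENGTH - 8)   # drop "context="
            gsub(/"/, "", ctx)
            print ctx
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of /proc/self/mounts: root fs, the backup disk mounted
# with context=, and a stick udisks mounted with on-disk labels (seclabel).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /mnt/backup ext4 rw,relatime,context=system_u:object_r:removable_t:s0 0 0
/dev/sdc1 /run/media/mike/usb ext4 rw,relatime,seclabel 0 0'

# The full cycle: context mount, write backup, bring files back, relabel by
# this machine's policy. Needs root and the real disk; run as "sh script run".
backup_cycle() {
    dev=/dev/sdb1; mp=/mnt/backup; ctx=system_u:object_r:removable_t:s0
    mount -o "$(context_mount_opts "$ctx")" "$dev" "$mp" || return 1
    mounted_context "$(cat /proc/self/mounts)" "$mp" >/dev/null ||
        { echo "$mp is not a context mount, on-disk labels would be used" >&2; return 1; }
    # -X is left out: on a context= mount no label is stored on the disk,
    # so copying security.selinux xattrs gains nothing.
    rsync -aH /home/ "$mp/laptop/home/"
    # Restore, then let restorecon assign types from this machine's
    # file_contexts instead of trusting types another policy produced.
    rsync -aH "$mp/laptop/home/" /home/
    restorecon -R -v /home/
    umount "$mp"
}

if [ "${1:-}" = run ] && [ "$(id -u)" = 0 ]; then
    backup_cycle
fi
```

After plugging the disk in, `mounted_context "$(cat /proc/self/mounts)" /mnt/backup` tells you whether the automount applied the option; if it did not, either add the fstab line or mount by hand with the same `-o context=...`. Before relabeling a restored tree, `restorecon -R -n -v /home/` previews the changes without applying them.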

