[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh clarification needed





Bill Davidsen wrote:
> 
> 
>>   The general recomendation for any laptop (with anything sufficiently
>> private) is to encrypt the disk. My preference is to (luks) encrypt
>> /home and swap and then bind mount /tmp and /var/tmp out of /home/tmp
>> /home/var/tmp. You could encrypt root as well and then skip the bind
>> mounts.
>> 
> My experience with bind mounts is that they tend to make SElinux complain
> a lot. 
> I have one system which mounts my personal home directory out of 
> /mnt/other/home/username by bind mounting it to /home/username. SElinux
> has a 
> litany of complaints, to the point that I spent hours telling it to ignore 
> things. On FC9, if it matters.
> 
> 

Did you check the contexts on /mnt/other/home and the /username directory
underneath it?

I do exactly this except that I bind mount /opt/Local/home to /home I make
sure that the context for /opt/Local/home is the same as /home would
normally have, and then make sure the user directories have
system_u:object_r:user_home_dir_t

Within that the the user areas are generally user_home_t except for the
special contexts for thing like bin, .mozilla and so on.

With that scheme I had no avc denials or complaints from SELinux in either
f9 or f10 so far.... but the key is getting all the contexts correct.
-- 
View this message in context: http://www.nabble.com/ssh-clarification-needed-tp21274919p21319442.html
Sent from the Fedora List mailing list archive at Nabble.com.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]