Advice for installing test2 if you are going to be saving files

Russell Coker russell at coker.com.au
Sun Apr 4 10:02:38 UTC 2004


On Sun, 4 Apr 2004 17:52, Brian Bober <netdemonz at yahoo.com> wrote:
> --- Russell Coker <russell at coker.com.au> wrote:
> > they have the same policy.  If one installation of SE Linux has a user
> > entry for account netdemonz then any files you create will have the
> > context netdemonz:object_r:user_home_t (or something similar).  If you
> > then boot a copy of SE Linux without a user entry for netdemonz then
> > those files will be unlabeled (and not accessible to non admin users).
>
> This won't mean that if you are trying to recover a disk that won't boot,
> or something, that you might not have access to your stuff if you can't

If you are recovering a damaged installation then you will do so as 
sysadm_r:sysadm_t, and therefore you can access all files.

One thing to note about recovery is that there may be files with bad labels.  
For example, if a machine has a file in a user home dir with type 
chkpwd_exec_t or the type of some other file that will trigger a transition 
to a domain that has access to /etc/shadow then it's a problem.  Like having 
a SETUID root binary.  Of course if you mount it in single-user mode it won't 
necessarily be an issue, and you can use the context= mount option.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
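
An added example, not part of the original message: a check for the "bad label" case described above, listing files under a home directory whose type looks like an entrypoint type (`*_exec_t`, such as `chkpwd_exec_t`). The `_exec_t` suffix test is a heuristic, and the mount point `/mnt/recover`, the function names and the sample listing are all constructed for illustration.

```shell
#!/bin/sh
# Flag files in home directories whose SELinux type looks like an entrypoint
# type (*_exec_t), e.g. chkpwd_exec_t. The suffix match is a heuristic.
# Input: one "context<TAB>path" per line, the form GNU find emits with
#   find /mnt/recover -xdev -printf '%Z\t%p\n'
# (/mnt/recover is a hypothetical mount point for the recovered disk).
# Paths containing tabs or newlines are not handled.

# flag_bad_labels HOME_PREFIX: reads the listing on stdin,
# prints "type<TAB>path" for each suspicious file.
flag_bad_labels() {
    awk -F '\t' -v home="$1" '
        {
            # context is user:role:type, optionally followed by :level
            n = split($1, ctx, ":")
            if (n < 3) next                      # no usable label
            type = ctx[3]
            # only files below the home prefix are of interest here
            if (index($2, home "/") != 1) next
            if (type ~ /_exec_t$/) print type "\t" $2
        }'
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
    printf '%s\t%s\n' \
        'netdemonz:object_r:user_home_t'     '/mnt/recover/home/netdemonz/notes.txt' \
        'system_u:object_r:chkpwd_exec_t'    '/mnt/recover/home/netdemonz/helper' \
        'system_u:object_r:chkpwd_exec_t'    '/mnt/recover/sbin/unix_chkpwd' \
        'system_u:object_r:user_home_t:s0'   '/mnt/recover/home/other/a b.txt' \
        'system_u:object_r:passwd_exec_t:s0' '/mnt/recover/home/other/pw'
}

# Number of flagged files in the constructed sample.
count_flagged() {
    sample_listing | flag_bad_labels /mnt/recover/home | wc -l | tr -d ' '
}

sample_listing | flag_bad_labels /mnt/recover/home
```

The copy of `unix_chkpwd` under `/sbin` is not reported because it lies outside the home prefix; only the two mislabeled files in home directories are.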




