[rhelv6-beta-list] SSH via key from RHEL5 to RHEL6?

Andy Feldt feldt at nhn.ou.edu
Mon Nov 1 20:01:23 UTC 2010 

Yes, that would be a problem.  We do not attempt to
use any special SELinux contexts for the directories
(including home directories) which are mounted by
autofs.

Andy

On Mon, 2010-11-01 at 14:38 -0500, Paul Krizak wrote:
> The problem is that we have NetApp file servers serving the NFS.  And 
> trying to keep track of the SELinux context for each and every of our 
> mount would be insanity:
> 
> [skaven at bonnie ~]$ ypcat -k auto.tool | wc -l
>     3030
> [skaven at bonnie ~]$ ypcat -k auto.proj | wc -l
>     1052
> [skaven at bonnie ~]$ ypcat -k auto.home | wc -l
>     5137
> 
> And even if we *could* make that work using the context= mount option, 
> we would still have the problem that that context would apply all the 
> way up the NFS chain and would not apply properly to subdirs.  What 
> about this:
> 
> /proj/scratch (which is an automounted volume on a NetApp) would get 
> mounted with some particular context
> 
> Now you've got /proj/scratch/<username> -- how do you apply the user's 
> own context to each of those <username> subdirs?
> 
> The same could be said of project data -- for a given project directory, 
> you may have several different access permissions (reflected today with 
> UNIX ACL group ownership) that would fall apart if the entire tree was 
> suddenly forced to exist under a single context.
> 
> Paul Krizak                         7171 Southwest Pkwy MS B200.3A
> MTS Systems Engineer                Austin, TX  78735
> Advanced Micro Devices              Desk:  (512) 602-8775
> Linux/Unix Systems Engineering      Cell:  (512) 791-0686
> Global IT Infrastructure            Fax:   (512) 602-0468
> 
> On 11/01/10 13:58, Edward Rudd wrote:
> >
> > On Nov 1, 2010, at 14:17 , Andy Feldt wrote:
> >
> >>
> >> On Mon, 2010-11-01 at 12:58 -0500, Paul Krizak wrote:
> >>> If only SELinux worked properly with NFSv3 mounts (not even sure if it
> >>> works with NFSv4) and autofs, we'd be trying to enable it too.
> >>
> >> Um, what doesn't work with NFSv3? We have been using NFSv3 with
> >> autofs and SELinux in a mixed environment (RHEL5, Solaris 10, AIX 5)
> >> without any problems. (Obviously, only RHEL5 is using SELinux.)
> >> And, it worked fine on my test RHEL6 system, too.
> >
> > I believe his question may have been having a system sharing out the NFS
> > to share out the selinux attributes as well.. As in a shared NFS home
> > directory.
> >
> > Though from looking at the selinux FAQ it seems you can add a mount
> > option of context= and change the selinux context. However that doesn't
> > really help when a home directory needs to have several different
> > contexts depending on where the file is within the home directory.
> >
> > Edward Rudd
> > Lead Programmer
> > Netfor, Inc.
> >
> >
> >
> 
> _______________________________________________
> rhelv6-beta-list mailing list
> rhelv6-beta-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-beta-list
>

More information about the rhelv6-beta-list mailing list