Hi Jan, Jarek,
On Mon, 2 May 2005, Jan Iven wrote:
> On Mon, 2005-05-02 at 10:13, Stephan Wiesand wrote:
> ..
>> No, it doesn't. It looks as though an "echo 0 >>/selinux/enforce" does,
>> though. Is SELinux enabled and set to enforcing on your test system?
>
> enabled+enforcing, but in 'targeted' mode only.
Same here. That's enough to make mv's of files from /tmp with
the default context (set upon the touch in Jarek's example) into AFS fail.
It's not an openafs issue, I believe.
And it's a feature, not a bug. From RH's SELinux Guide:
  mv                    The file retains its original label. This may cause
                        problems, confusion, or minor insecurity.
  cp                    A plain copy creates the new file following the
                        default behavior based on the domain of the
                        creating process (cp) and the type of the target
                        directory.
  cp -Z user:role:type  The new file is relabeled as it is created based on
                        the command line option. The extended GNU option
                        --context is the same as -Z.
And indeed cp from /tmp to afs succeeds, while cp -Z fails. It's just
that w.r.t. SELinux contexts, cp (behaving like touch, even with the -a
switch) and mv have different default semantics.
>> Is anyone reading this sufficiently familiar with SELinux to know
>> how to cope with this yet? I'm afraid AFS won't have extended attributes
>> anytime soon...
>
> Are not necessarily required, the
> genfs_contexts mechanism from /etc/selinux/targeted/src/policy should be
> enough. Somebody already had put together a "policy" for AFS clients:
>
> https://lists.openafs.org/pipermail/openafs-info/2003-January/007817.html
Eventually, having such a policy for SL would probably be good. But I'm
far from understanding SELinux well enough to implement or even try
anything...
Cheers,
Stephan
--
----------------------------------------------------
| Stephan Wiesand | |
| | |
| DESY - DV - | phone +49 33762 7 7370 |
| Platanenallee 6 | fax +49 33762 7 7216 |
| 15738 Zeuthen | |
| Germany | |
----------------------------------------------------
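As an added example (not from this thread, the RH guide or OpenAFS), a small POSIX shell script that walks through the three cases of the guide table above and reads the resulting label back with stat -c %C; it assumes GNU coreutils (stat, cp --context) and an SELinux host, and skips the filesystem steps where SELinux is absent.

```shell
#!/bin/sh
# Added example: reproduce the mv-vs-cp labelling difference from the
# mail and check which label actually landed on the destination file.
# Assumes GNU coreutils; the demo only runs when SELinux is present.

# Print the SELinux context of a file, e.g. user_u:object_r:tmp_t
context_of() {
    stat -c '%C' "$1"
}

# Extract the type field (third colon-separated field) of a context.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the file carries the expected type, 1 otherwise.
has_type() {
    [ "$(label_type "$(context_of "$1")")" = "$2" ]
}

# Three cases from the guide table: mv keeps the source label, cp takes
# the default for the target directory, cp --context sets it explicitly.
# $1 is the destination directory (the AFS directory in the mail; any
# labelled directory shows the same behaviour).
demo() {
    dest=$1
    src=$(mktemp /tmp/selinux-demo.XXXXXX)     # labelled like /tmp
    srcctx=$(context_of "$src")
    printf 'source      : %s\n' "$srcctx"

    cp "$src" "$dest/copied"
    printf 'cp          : %s\n' "$(context_of "$dest/copied")"

    # --context=CTX is the long form of the -Z from the guide table.
    if cp --context="$srcctx" "$src" "$dest/copied-Z" 2>/dev/null; then
        printf 'cp --context: %s\n' "$(context_of "$dest/copied-Z")"
    else
        echo 'cp --context: refused by policy (as in the mail)'
    fi

    mv "$src" "$dest/moved"
    printf 'mv          : %s (label travels with the file)\n' \
        "$(context_of "$dest/moved")"
    rm -f "$dest/copied" "$dest/copied-Z" "$dest/moved"
}

# Run the filesystem demo only on an SELinux host.
if [ -e /sys/fs/selinux/enforce ] || [ -e /selinux/enforce ]; then
    demo "${1:-$HOME}"
fi
```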