Being a regular user of selinux, I often face situations where some common directories (e.g. /var/log or /var/lib) need to be redirected to other partitions/volumes.
A very simple approach, without impacting selinux at all, is to mount a volume at the precise path I need to replace - i.e. mount /dev/vg_test/lv_lib on /var/lib. However, this is a one-volume-per-directory approach and I would like to avoid it.
The other possibility is to create a single big volume with multiple directories, mount it, and
1) symlink the original dir (i.e. /var/log) to the new one (i.e. /mnt/volume/var/log);
2) use a bind mount to re-mount the destination dir (/mnt/volume/var/log) on the original one (/var/log).
The symlink approach is self-explanatory, as anyone listing the original directory will immediately notice it. However, it sometimes requires extensive customization of the selinux policy, a thing I try hard to avoid.
The bind mount approach is somewhat simpler from the selinux standpoint, but it is much less discoverable by a simple "ls".
What do you feel is the preferred approach? Am I missing something? Thanks.
On 25.11.2017 at 19:10, Gionatan Danti wrote:
> Being a regular user of selinux, I often face situations where some common directories (e.g. /var/log or /var/lib) need to be redirected to other partitions/volumes.
> A very simple approach, without impacting selinux at all, is to mount a volume at the precise path I need to replace - i.e. mount /dev/vg_test/lv_lib on /var/lib. However, this is a one-volume-per-directory approach and I would like to avoid it.
> The other possibility is to create a single big volume with multiple directories, mount it, and
> 1) symlink the original dir (i.e. /var/log) to the new one (i.e. /mnt/volume/var/log);
> 2) use a bind mount to re-mount the destination dir (/mnt/volume/var/log) on the original one (/var/log).
> The symlink approach is self-explanatory, as anyone listing the original directory will immediately notice it. However, it sometimes requires extensive customization of the selinux policy, a thing I try hard to avoid.
Did you use the equivalence option of semanage fcontext for /mnt/volume/var/log?
semanage fcontext -a -e /home /mnt/volume/var/log
see also: https://danwalsh.livejournal.com/27571.html
- Thomas
On 26/11/2017 17:44, Thomas Mueller wrote:
> Did you use the equivalence option of semanage fcontext for /mnt/volume/var/log?
> semanage fcontext -a -e /home /mnt/volume/var/log
> see also: https://danwalsh.livejournal.com/27571.html
> - Thomas
Hi Thomas, this surely is a very good idea. Right now I am making limited use of the equivalence policy; thank you for the reminder.
However, some selinux policies (for example, the MariaDB/MySQL one) will *not* permit reading/following symlinks, and this blocks the process from running correctly.
With your proposal, I need to a) establish equivalence between /var/lib/mysql and /mnt/volume/var/lib/mysql and b) reconfigure MariaDB to point at /mnt/volume/var/lib/mysql.
When moving "busy" directories such as /var/lib and /var/log, I would avoid the need to reconfigure each service using them to point to the new subdirectory.
Thanks.
On Sat, 2017-11-25 at 19:10 +0100, Gionatan Danti wrote:
> Being a regular user of selinux, I often face situations where some common directories (e.g. /var/log or /var/lib) need to be redirected to other partitions/volumes.
> A very simple approach, without impacting selinux at all, is to mount a volume at the precise path I need to replace - i.e. mount /dev/vg_test/lv_lib on /var/lib. However, this is a one-volume-per-directory approach and I would like to avoid it.
> The other possibility is to create a single big volume with multiple directories, mount it, and
> 1) symlink the original dir (i.e. /var/log) to the new one (i.e. /mnt/volume/var/log);
> 2) use a bind mount to re-mount the destination dir (/mnt/volume/var/log) on the original one (/var/log).
> The symlink approach is self-explanatory, as anyone listing the original directory will immediately notice it. However, it sometimes requires extensive customization of the selinux policy, a thing I try hard to avoid.
> The bind mount approach is somewhat simpler from the selinux standpoint, but it is much less discoverable by a simple "ls".
> What do you feel is the preferred approach? Am I missing something? Thanks.
I prefer bind mounts (along with file context equivalence to ensure that the source directory is correctly labeled), but there are tradeoffs of course.
WRT the impact on SELinux policy, this perhaps points to an unnecessary fragility in policy that could be addressed through better macros/interfaces.
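As an added example (not code from the thread), the approach Thomas and Stephen describe, scripted end to end: fcontext equivalence so the new location is labeled like the original, then a bind mount back onto the original path so no daemon ever has to follow a symlink. The /tank/graylog paths and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: relocate a directory onto a shared
# volume with a bind mount plus an fcontext equivalence rule, so the daemon's
# policy never sees a symlink. Paths are placeholders; run as root on a real
# system, or with DRY_RUN=1 to only print the commands.
set -eu

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fstab entry that re-creates the bind mount at boot.
fstab_bind_line() {
    # $1 = real directory on the big volume, $2 = original path services use
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# relocate_dir ORIG NEW: move ORIG to NEW, label NEW as if it were ORIG,
# and bind-mount NEW back onto ORIG. Stop the service using ORIG first.
relocate_dir() {
    orig=$1; new=$2
    # 1. Equivalence rule: anything under NEW gets the label policy defines
    #    for the same relative path under ORIG (no policy module needed).
    run semanage fcontext -a -e "$orig" "$new"
    # 2. Move the data and leave an empty directory as the mount point.
    run mkdir -p "$(dirname "$new")"
    run mv "$orig" "$new"
    run mkdir "$orig"
    # 3. Apply the labels the equivalence rule now prescribes.
    run restorecon -R "$new"
    # 4. Bind-mount, so "ls /var/lib/mongo" shows the files, not a symlink.
    run mount --bind "$new" "$orig"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'fstab += %s\n' "$(fstab_bind_line "$new" "$orig")"
    else
        fstab_bind_line "$new" "$orig" >> /etc/fstab
    fi
    # 5. Check: both paths should now show the same (original) type.
    run ls -Zd "$orig" "$new"
}

# Usage: DRY_RUN=1 ./relocate.sh /var/lib/mongo /tank/graylog/var/lib/mongo
[ $# -gt 0 ] && relocate_dir "$@"
```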
On 27/11/2017 19:47, Stephen Smalley wrote:
> I prefer bind mounts (along with file context equivalence to ensure that the source directory is correctly labeled), but there are tradeoffs of course.
> WRT the impact on SELinux policy, this perhaps points to an unnecessary fragility in policy that could be addressed through better macros/interfaces.
Hi all, I bump this old thread because I have troubles relocating MongoDB due to its selinux policy denying symlink access.
Goal: to relocate /var/lib/mongo to /tank/graylog/var/lib/mongo/ with minimal alteration to the original selinux policy.
What I did:
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod
Result: MongoDB does not start. Issuing "cat /var/log/audit/audit.log | audit2allow" shows the following error: "allow mongod_t mongod_var_lib_t:lnk_file read;"
Questions:
- apart from reconfiguring MongoDB to directly point to the new location, what else can I do (short of creating a custom selinux policy) to allow access to the /var/lib/mongo symlink?
- why is lnk_file read denied by default in some policies (i.e. MongoDB, MySQL, libvirt, etc)?
Thanks.
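An added example, not from the post, that reads AVC records from audit.log and reports denials by object class, so a lnk_file denial like the one above (the daemon may not follow the symlink at all) is told apart from a plainly mislabeled directory (fixable with equivalence plus restorecon). The audit lines it embeds are constructed samples in the standard audit.log format.

```shell
#!/bin/sh
# Added example, not part of the thread: classify AVC denials from audit.log
# by object class. The audit lines below are constructed samples.

# avc_denials CLASS: read audit.log on stdin, print "<domain> <target type> <perms>"
# for every denial whose tclass is CLASS.
avc_denials() {
    awk -v cls="$1" '
        /^type=AVC / && /avc: +denied +[{]/ && $0 ~ ("tclass=" cls "( |$)") {
            perm = ""; sctx = ""; tctx = ""
            if (match($0, /denied +[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/denied +[{] /, "", perm); sub(/ [}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sctx = $i
                if ($i ~ /^tcontext=/) tctx = $i
            }
            # contexts look like user:role:type:level; the type is field 3
            split(sctx, s, ":"); split(tctx, t, ":")
            print s[3], t[3], perm
        }'
}

# Constructed sample: one symlink-read denial (relocation-by-symlink case) and
# one dir-write denial on a directory still carrying the generic var_lib_t.
SAMPLE_AUDIT='type=AVC msg=audit(1524590000.101:812): avc:  denied  { read } for  pid=2210 comm="mongod" name="mongo" dev="dm-0" ino=1234 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1524590000.101:812): arch=c000003e syscall=257 success=no exit=-13 comm="mongod" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1524590000.230:815): avc:  denied  { write } for  pid=2210 comm="mongod" name="mongo" dev="dm-0" ino=5678 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0'

# lnk_file denials: the target already has the right type, the policy simply
# lacks lnk_file read, so restorecon cannot help; a bind mount (or pointing the
# daemon at the new path) does. dir/file denials on a generic type are a
# labeling problem: fix with an equivalence rule plus restorecon.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials lnk_file
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials dir
```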
On 24/04/2018 19:27, Gionatan Danti wrote:
> Hi all, I bump this old thread because I have troubles relocating MongoDB due to its selinux policy denying symlink access.
> Goal: to relocate /var/lib/mongo to /tank/graylog/var/lib/mongo/ with minimal alteration to the original selinux policy.
> What I did:
> semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
> mv /var/lib/mongo /tank/graylog/var/lib/mongo
> ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
> restorecon /var/lib/mongo
> systemctl restart mongod
> Result: MongoDB does not start. Issuing "cat /var/log/audit/audit.log | audit2allow" shows the following error: "allow mongod_t mongod_var_lib_t:lnk_file read;"
> Questions:
> - apart from reconfiguring MongoDB to directly point to the new location, what else can I do (short of creating a custom selinux policy) to allow access to the /var/lib/mongo symlink?
> - why is lnk_file read denied by default in some policies (i.e. MongoDB, MySQL, libvirt, etc)?
Hi all, any thoughts on the matter?
Thanks.
selinux@lists.fedoraproject.org