Yes, that would be a problem. We do not attempt to use any special SELinux contexts for the directories (including home directories) which are mounted by autofs.

Andy

On Mon, 2010-11-01 at 14:38 -0500, Paul Krizak wrote:
> The problem is that we have NetApp file servers serving the NFS. And
> trying to keep track of the SELinux context for each and every one of our
> mounts would be insanity:
>
> [ska...@bonnie ~]$ ypcat -k auto.tool | wc -l
> 3030
> [ska...@bonnie ~]$ ypcat -k auto.proj | wc -l
> 1052
> [ska...@bonnie ~]$ ypcat -k auto.home | wc -l
> 5137
>
> And even if we *could* make that work using the context= mount option,
> we would still have the problem that that context would apply all the
> way up the NFS chain and would not apply properly to subdirs. What
> about this:
>
> /proj/scratch (which is an automounted volume on a NetApp) would get
> mounted with some particular context
>
> Now you've got /proj/scratch/<username> -- how do you apply the user's
> own context to each of those <username> subdirs?
>
> The same could be said of project data -- for a given project directory,
> you may have several different access permissions (reflected today with
> UNIX ACL group ownership) that would fall apart if the entire tree was
> suddenly forced to exist under a single context.
>
> Paul Krizak                         7171 Southwest Pkwy MS B200.3A
> MTS Systems Engineer                Austin, TX 78735
> Advanced Micro Devices              Desk: (512) 602-8775
> Linux/Unix Systems Engineering      Cell: (512) 791-0686
> Global IT Infrastructure            Fax: (512) 602-0468
>
> On 11/01/10 13:58, Edward Rudd wrote:
> >
> > On Nov 1, 2010, at 14:17 , Andy Feldt wrote:
> >
> >>
> >> On Mon, 2010-11-01 at 12:58 -0500, Paul Krizak wrote:
> >>> If only SELinux worked properly with NFSv3 mounts (not even sure if it
> >>> works with NFSv4) and autofs, we'd be trying to enable it too.
> >>
> >> Um, what doesn't work with NFSv3? We have been using NFSv3 with
> >> autofs and SELinux in a mixed environment (RHEL5, Solaris 10, AIX 5)
> >> without any problems. (Obviously, only RHEL5 is using SELinux.)
> >> And, it worked fine on my test RHEL6 system, too.
> >
> > I believe his question may have been having a system sharing out the NFS
> > to share out the selinux attributes as well.. As in a shared NFS home
> > directory.
> >
> > Though from looking at the selinux FAQ it seems you can add a mount
> > option of context= and change the selinux context. However that doesn't
> > really help when a home directory needs to have several different
> > contexts depending on where the file is within the home directory.
> >
> > Edward Rudd
> > Lead Programmer
> > Netfor, Inc.
> >
> >
> >
>
> _______________________________________________
> rhelv6-beta-list mailing list
> rhelv6-beta-list@redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-beta-list