Bug 119757

Summary: SELinux FAQ - adding a new Linux user account
Product: [Fedora] Fedora Documentation
Reporter: Karsten Wade <kwade>
Component: selinux-faq
Assignee: Karsten Wade <kwade>
Status: CLOSED NEXTRELEASE
QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium
Priority: medium
Version: devel
CC: digitalcontrol, walters
Hardware: All
OS: Linux
URL: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
Doc Type: Bug Fix
Last Closed: 2004-04-05 14:35:47 UTC
Bug Blocks: 118757

Description Karsten Wade 2004-04-02 00:21:44 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

From
http://www.redhat.com/archives/fedora-selinux-list/2004-April/msg00017.html

## begin

On Thu, 2004-04-01 at 17:15, murphy pope wrote:
> How can I create a new Linux user account such that the home directory
> is assigned the proper context?
> 
> I want to create a new user (fred).  
> I want fred's home directory to be located in the default location
> (/home/fred).  
> And I want the context for /home/fred to be:
> fred:user_r:user_home_dir_t.
> 
> useradd doesn't work.  It seems to have two problems: 
>         1) If my context (when I run useradd fred) is
>         root:staff_r:staff_t, useradd sets the home directory to
>         root:object_r:home_root_t.

Basically don't run useradd (or do anything that in typical Linux/Unix
requires "root") as staff_r.  It's the looseness of the FC2 policy that
lets it even halfway work.

>         2) If my context is root:sysadm_r:sysadm_t, useradd sets the
>         home directory to root:object_r:user_home_dir_t
> 
> Item 1 seems like a bug - why would it choose :home_root_t instead of
> :user_home_dir_t?
> In either case, the identity is wrong.  

The identity isn't really wrong in 2.  Sure, the SELinux user identity
component of the security context is "root", but that won't matter in
this case, since the user can't relabel their home directory anyways.

> 1) Why is this so bloody difficult? Can you really expect the average
> user/administrator to deal with problems like this?

We're working on a solution.

> 2) How can I create a new user whose home directory is assigned the
> proper identity?

Become root/sysadm_r, and run useradd.

> 3) How can I get a list of valid identities?

By identity I'm assuming you mean security context; you could egrep for
'^type ' in policy.conf I guess...

> 4) Can I add identities with a simple command (i.e. without
> recompiling the policy)?

No.

Comment 1 Karsten Wade 2004-04-02 23:16:02 UTC
This candidate FAQ entry was grabbed from the mailing list, the list
responder (Colin) is Cc:'d to this bug for a quick review of my
treatment below.  In particular I want to be sure my command line
syntax is a 100% accurate screenshot.

## begin

Q:. How can I create a new Linux user account with the user's home
directory having the proper context?

A:. You can create your new user with the standard useradd command,
but first you must become root with a context of sysadm_r. This
context switch has been incorporated into the su command:


su - root
 Your default context is root:sysadm_r:sysadm_t.
 Do you want to choose a different one? [n] n
useradd auser
ls -Z /home/auser
drwxr-xr-x  auser     auser     user_u:user_r:user_home_dir_t        /home/auser

## 30

Comment 2 Ric Letson 2004-04-05 07:29:57 UTC
I know that many people have no interest in my opinion, but I'll offer
my input anyway ;-)

A) doing a ls -Z /home/auser would list the contents of /home/auser 
with contexts not the directory itself. (in this case nothing, because
you didn't specify -a to show .dotfiles)

B) doing a ls -Z /home would list all of the user home directories
with contexts. (correct if you want to see the context of /home/auser)

C) the context you have listed does not match the default policies (at
least in policy.16), the output that my system generates with no
changes in the default policies on a FC2 Test 2 system is:

## begin
localhost login: root
Password:

Your default context is root:sysadm_r:sysadm_t.

Do you want to choose a different one? [n]
Last login: Mon Apr  5 2004 02:52:01 on tty1
[root@localhost]# useradd auser
[root@localhost]# ls -Z /home
drwx------ auser  auser  root:object_r:user_home_dir_t   /home/auser
[root@localhost]#

## 30

Note: I have never seen a home directory labeled as
user_u:user_r:user_home_dir_t but have seen
system_u:object_r:user_home_dir_t. I don't know if this helps at all. 


I'm using:
libselinux-1.9-1
policycoreutils-1.9.2-1
policy-1.9.2-9
kernel-2.6.4-1.305

Ric Letson
digitalcontrol

Comment 3 Ric Letson 2004-04-05 07:42:49 UTC
I didn't have policy.16 loaded when I posted the above comment and I
apologize. Having loaded policy.16 and done a 'fixfiles relabel', the
/home/auser directory was relabeled as system_u:object_r:user_home_dir_t

drwx------  auser    auser    system_u:object_r:user_home_dir_t auser

this is consistent with the rest of the home directories

Ric Letson
digitalcontrol

Comment 4 Colin Walters 2004-04-05 14:28:31 UTC
Karsten - the FAQ entry looks good to me.

Comment 5 Colin Walters 2004-04-05 14:35:12 UTC
Karsten - Actually Ric is right, the last line will look like this:

drwxr-xr-x  auser     auser     root:object_r:user_home_dir_t        /home/auser

i.e. with "root" instead of user_u and object_r instead of user_r. 
(Sometimes you'll get system_u instead of root, but it's irrelevant)

Comment 6 Karsten Wade 2004-04-05 16:55:04 UTC
Gents, thanks for your keen eyes.  These are the details that matter.
 Fixed in 1.0-4, already posted.
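
A check for the labeling outcome this thread settles on, as an added example that is not part of the original bug report or the FAQ: it reads `ls -Z`-style lines and flags any home directory whose type is not user_home_dir_t, ignoring the SELinux user field. The function names audit_home_labels and sample_listing are hypothetical, and the third sample line is constructed from the staff_r result described in the mailing-list question.

```shell
#!/bin/sh
# Added example (not from the bug report): check that home directories carry
# the type the thread expects. Only the type field is compared; the SELinux
# user (root vs system_u) is ignored, as Comment 5 calls it irrelevant.
EXPECTED_TYPE="user_home_dir_t"

# Reads `ls -Z`-style lines on stdin, prints one verdict per line, and
# returns non-zero if any entry is mislabeled or has no context field.
# Assumes directory names without whitespace (path is taken as the last field).
audit_home_labels() {
    awk -v want="$EXPECTED_TYPE" '
        NF == 0 { next }
        {
            ctx = ""
            # The context is the first field with at least user:role:type.
            for (i = 1; i <= NF; i++)
                if (split($i, part, ":") >= 3) { ctx = $i; break }
            if (ctx == "") { printf "MALFORMED %s\n", $0; bad++; next }
            split(ctx, part, ":")
            if (part[3] == want) {
                printf "OK %s %s\n", $NF, ctx
            } else {
                printf "MISLABELED %s %s (want type %s)\n", $NF, ctx, want
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Sample input: the first two lines are the listings quoted in Comments 2
# and 3; the third is constructed to match the staff_r result described in
# the mailing-list question (home_root_t on /home/fred).
sample_listing() {
    cat <<'EOF'
drwx------ auser  auser  root:object_r:user_home_dir_t   /home/auser
drwx------  auser    auser    system_u:object_r:user_home_dir_t auser
drwx------ fred   fred   root:object_r:home_root_t       /home/fred
EOF
}

# On a live system the input would come from: ls -Zd /home/*
# (-d lists each directory itself rather than its contents).
sample_listing | audit_home_labels || echo "mislabeled home directories found"
```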