| Field | Value |
|---|---|
| Summary | /var/home /home in file_contexts.subs_dist harmful when adduser HOME default changed to /var/home |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Brad Durrow <brad+rhbz> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED INSUFFICIENT_DATA |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.4 |
| CC | brad+rhbz, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc |
| Flags | mgrepl: needinfo? (brad+rhbz) |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-04-10 07:35:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Created attachment 1128294 [details]
Output of Vagrant up

I believe you should run genhomedircon after replacing HOME=/home for HOME=/var/home.

```
# man genhomedircon | col -b | head -n 8
GENHOMEDIRCON(8)                    SELinux                    GENHOMEDIRCON(8)

NAME
       genhomedircon - generate SELinux file context configuration entries for
       user home directories
#
```

I tested running genhomedircon in place of the sed I used to modify file_contexts.subs_dist and it didn't help. I'll attach the Vagrantfile with this in place of my workaround and the output.

Created attachment 1130625 [details]
Vagrantfile testing genhomedircon

Milos Malik suggested at 2016-02-19 03:40:30 EST that I should be running genhomedircon. This is the Vagrantfile I used to test that theory.

Created attachment 1130626 [details]
Output of Vagrant up using genhomedircon

The problem is your system is mislabeled. It works as expected on my system:

```
$ matchpathcon /var/home
/var/home	system_u:object_r:home_root_t:s0
$ matchpathcon /var/home/mgrepl
/var/home/mgrepl	unconfined_u:object_r:user_home_dir_t:s0
```

How did you install the system?

Miroslav Grepl, can you demonstrate that you have modified /etc/default/useradd so that HOME=/var/home and then relabeled /var/home?

(In reply to Brad Guillory from comment #8)
> Miroslav Grepl, Can you demonstrate that you have modified
> /etc/default/useradd so that HOME=/var/home and then relabeled /var/home?

I would like to see the first step. Why does matchpathcon not work for you if you run

```
semanage fcontext -a -e /var/home /home
```

What does

```
# ls -dZ /home /var
```

Closing this as INSUFFICIENT_DATA. If you are still facing this issue, feel free to re-open this bug and provide the info requested in comment #9. Thanks.
Created attachment 1128293 [details]
Vagrantfile to demonstrate the problem and workaround

Description of problem:
When /etc/default/useradd is modified so HOME=/var/home there is no way to correctly label /var/home

Version-Release number of selected component (if applicable):
3.13.1-60.el7_2.3.noarch

How reproducible:
Every time

Steps to Reproduce:
1. `sed -i'' -e 's_HOME=/home_HOME=/var/home_' /etc/default/useradd`
2. `semodule --build`
3. `semanage fcontext -a -e /var/home /home`

Actual results:

```
$ /usr/sbin/matchpathcon /home /var/home /home/foo /var/home/foo
/home	system_u:object_r:default_t:s0
/var/home	system_u:object_r:etc_runtime_t:s0
/home/foo	system_u:object_r:default_t:s0
/var/home/foo	system_u:object_r:default_t:s0
```

Expected results:

```
$ /usr/sbin/matchpathcon /home /var/home /home/foo /var/home/foo
==> default: /home	system_u:object_r:home_root_t:s0
==> default: /var/home	system_u:object_r:home_root_t:s0
==> default: /home/foo	unconfined_u:object_r:user_home_dir_t:s0
==> default: /var/home/foo	unconfined_u:object_r:user_home_dir_t:s0
```

Additional info:
I can work around the problem like this:

```
$ sed -i'' \
    -e 's_^/var/home_#/var/home_' \
    -e 's_^/var/lib/xguest/home_#/var/lib/xguest/home_' \
    /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
$ semanage fcontext -a -e /var/home /home || true
$ semanage fcontext -a -e /var/home /var/lib/xguest/home || true
$ semodule --build
```

I have written a Vagrantfile to demonstrate the problem and workaround. It and its output are attached.
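The mechanism this report and its workaround revolve around (a `/var/home /home` line in file_contexts.subs_dist, the equivalence that `semanage fcontext -a -e` adds, and the file_contexts lookup that matchpathcon performs afterwards) can be modelled offline. The Python below is an added example written for this page; it is not libselinux, semanage, or anything from the bug's attachments. Its `SUBS_DIST` and `FILE_CONTEXTS` tables are constructed, heavily abbreviated stand-ins for the real RHEL 7 files, and the two ordering rules it encodes (a later substitution line shadows an earlier one for the same prefix; the last matching file_contexts entry wins) are the model's assumptions about libselinux behaviour. It also reproduces the reporter's sed step, so the same lookup can be compared with and without the `/var/home` substitution.

```python
import re

# Constructed excerpt in the format of file_contexts.subs_dist ("<prefix> <replacement>").
# The "/var/home /home" line is the entry named in the bug title.
SUBS_DIST = """\
# path substitutions applied before the file_contexts lookup
/run /var/run
/var/home /home
/var/lib/xguest/home /home
"""

# Constructed excerpt in file_contexts format ("<regex> [<file type>] <context>").
# Far shorter than the real policy; enough to show the mechanism.
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/var(/.*)?              system_u:object_r:var_t:s0
/home                -d system_u:object_r:home_root_t:s0
/home/[^/]+          -d unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/.*          unconfined_u:object_r:user_home_t:s0
"""

PATHS = ("/home", "/var/home", "/home/foo", "/var/home/foo")


def parse_subs(text):
    """Return (src, dst) pairs with later lines first (model assumption: each
    line is prepended as it is read, so a later entry shadows an earlier one)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()
        pairs.append((src.rstrip("/"), dst.rstrip("/")))
    return pairs[::-1]


def substitute(path, subs):
    """Rewrite path when it equals a substitution prefix or lies beneath it;
    '/var/homework' must not be touched by the '/var/home' entry."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def parse_file_contexts(text):
    """Return (compiled regex, file-type filter or None, context) in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, ftype, context = fields if len(fields) == 3 else (fields[0], None, fields[1])
        specs.append((re.compile(regex + "$"), ftype, context))
    return specs


def lookup(path, specs, subs, is_dir=True):
    """Label a path as matchpathcon would in this model: substitute first, then
    take the LAST file_contexts entry whose regex and file-type filter match."""
    path = substitute(path, subs)
    want = "-d" if is_dir else "--"
    for regex, ftype, context in reversed(specs):
        if ftype in (None, want) and regex.match(path):
            return context
    return None


def add_equivalence(subs_text, src, dst):
    """Model of 'semanage fcontext -a -e SRC DST': refuse a prefix that already
    has an equivalence (the reported workaround appends '|| true' for that case)."""
    if src.rstrip("/") in dict(parse_subs(subs_text)):
        raise ValueError("equivalence for %s already exists" % src)
    return subs_text + "%s %s\n" % (src, dst)


def comment_out(subs_text, prefix):
    """Apply the reporter's sed workaround to a subs table: comment out the
    lines whose source prefix is PREFIX."""
    return "\n".join(("#" + l) if l.startswith(prefix + " ") else l
                     for l in subs_text.splitlines()) + "\n"


def demo():
    """Labels for the four paths from the report, with and without the
    '/var/home /home' substitution."""
    specs = parse_file_contexts(FILE_CONTEXTS)
    with_subs = {p: lookup(p, specs, parse_subs(SUBS_DIST)) for p in PATHS}
    stripped = comment_out(SUBS_DIST, "/var/home")
    without = {p: lookup(p, specs, parse_subs(stripped)) for p in PATHS}
    return with_subs, without


if __name__ == "__main__":
    for title, result in zip(("with /var/home substitution", "without it"), demo()):
        print(title)
        for path, ctx in result.items():
            print("  %-14s %s" % (path, ctx))
```

With the substitution in place, `/var/home` and `/var/home/foo` are rewritten to `/home` and `/home/foo` before matching and receive home_root_t and user_home_dir_t, which is the expected result in the report. With the line commented out, nothing else in the table claims `/var/home`, so both fall through to the `/var(/.*)?` entry and are labelled var_t: a home directory that no home-directory policy rule applies to. That is the security consequence of getting the substitution wrong, and it is why the reporter's workaround re-adds the equivalence with `semanage fcontext -a -e` immediately after removing it from subs_dist.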