Bug 658532
Summary: | restorecond doesn't work for user home directories on a server | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Chris Adams <linux> |
Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 6.0 | CC: | dwalsh, mmalik, syeghiay |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-12-06 15:29:13 UTC | Type: | --- |
Description
Chris Adams
2010-11-30 16:33:17 UTC
You can add

    ~/*
    ~/public_html/*
    ~/.ssh/*

to /etc/selinux/restorecond.conf and run the restorecond as a service, and it will watch for those files/directories as they are created.

Or the admin/user can run restorecon themselves.

I have thought about running restorecond as a user session via bashrc, but I have the problem of cleaning up the process when the user logs out. Imagine a user logging into the same machine twice, and logging out.

Ahh, I didn't realize it still supported ~/foo in the main conf (I thought -u was in place of that). However, it doesn't seem to be working for me. Running "restorecond -d" under strace, when I create ~/public_html, I see restorecond get the inotify message. It lstat()s it, lgetxattr()s it (which shows user_home_t), and then goes back to waiting for inotify messages. It doesn't change the context of public_html.

I added the following to /etc/selinux/restorecond.conf:

    ~/*
    ~/public_html/*
    ~/.ssh/*

I understand how much "fun" it can be to run things for shell users (with no actual session manager). Maybe a PAM session module that signaled the system daemon (which would then work for SSH, FTP, telnet, getty logins, etc.) could work.

I think I have this fixed in Rawhide. After I check it out for a couple of weeks I will back port it to RHEL6.

This issue was proposed for RHEL 6.1 FasTrack but did not get resolved in time. It has been moved to RHEL 6.2 FasTrack.

Fixed in policycoreutils-2.0.83-33.3.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1637.html