Bug 119757 - SELinux FAQ - adding a new Linux user account
SELinux FAQ - adding a new Linux user account
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karsten Wade
Tammy Fox
Depends On:
Blocks: 118757
  Show dependency treegraph
Reported: 2004-04-01 19:21 EST by Karsten Wade
Modified: 2007-04-18 13:05 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-05 10:35:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Karsten Wade 2004-04-01 19:21:44 EST
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:


## begin

On Thu, 2004-04-01 at 17:15, murphy pope wrote:
> How can I create a new Linux user account such that the home directory
> is assigned the proper context?
> I want to create a new user (fred).  
> I want fred's home directory to he located in the default location
> (/home/fred).  
> And I want the context for /home/fred to be:
> fred:user_r:user_home_dir_t.
> useradd doesn't work.  It seems to have two problems: 
>         1) If my context (when I run useradd fred) is
>         root:staff_r:staff_t, useradd sets the home directory to
>         root:object_r:home_root_t.

Basically don't run useradd (or do anything that in typical Linux/Unix
requires "root") as staff_r.  It's the loseness of the FC2 policy that
lets it even halfway work.

>         2) If my context is root:sysadm_r:sysadm_t, useradd sets the
>         home directory to root:object_r:user_home_dir_t
> Item 1 seems like a bug - why would it choose :home_root_t instead of
> :user_home_dir_t?
> In either case, the identity is wrong.  

The identity isn't really wrong in 2.  Sure, the SELinux user identity
component of the security context is "root", but that won't matter in
this case, since the user can't relabel their home directory anyways.

> 1) Why is this so bloody difficult? Can you really expect the average
> user/administrator to deal with problems like this?

We're working on a solution.

> 2) How can I create a new user whose home directory is assigned the
> proper identity?

Become root/sysadm_r, and run useradd.

> 3) How can I get a list of valid identities?

By identity I'm assuming you mean security context; you could egrep for
'^type ' in policy.conf I guess...

> 4) Can I add identities with a simple command (i.e. without
> recompiling the policy)?

Comment 1 Karsten Wade 2004-04-02 18:16:02 EST
This candidate FAQ entry was grabbed from the mailing list, the list
responder (Colin) is Cc:'d to this bug for a quick review of my
treatment below.  In particular I want to be sure my command line
syntax is a 100% accurate screenshot.

## begin

Q:. How can I create a new Linux user account with the user's home
directory having the proper context?

A:. You can create your new user with the standard useradd command,
but first you must become root with a context of sysadm_r. This
context switch has been incorporated into the su command:

su - root
 Your default context is root:sysadm_r:sysadm_t.
 Do you want to choose a different one? [n] n
useradd auser
ls -Z /home/auser
drwxr-xr-x  auser     auser     user_u:user_r:user_home_dir_t        

## 30
Comment 2 Ric Letson 2004-04-05 03:29:57 EDT
I know that many people have no interest in my opinion, but I'll offer
my input anway ;-)

A) doing a ls -Z /home/auser would list the contents of /home/auser 
with contexts not the directory itself. (in this case nothing, because
you didn't specify -a to show .dotfiles)

B) doing a ls -Z /home would list all of the user home directories
with contexts. (correct if you want to see the context of /home/auser)

C) the context you have listed does not match the default policies (at
least in policy.16), the output that my system generates with no
changes in the default policies on a FC2 Test 2 system is:

## begin
localhost login: root

Your default context is root:sysadm_r:sysadm_t.

Do you want to choose a different one? [n]
Last login: Mon Apr  5 2004 02:52:01 on tty1
[root@localhost]# useradd auser
[root@localhost]# ls -Z /home
drwx------ auser  auser  root:object_r:user_home_dir_t   /home/auser

## 30

Note: I have never seen a home directory labeled as
user_u:user_r:user_home_dir_t but have seen
system_u:object_r:user_home_dir_t. I don't know if this helps at all. 

I'm using:

Ric Letson
Comment 3 Ric Letson 2004-04-05 03:42:49 EDT
I didn't have policy.16 loaded when I posted the above comment and I
apologize. Having loaded policy.16 and done a 'fixfiles relabel', the
/home/auser directory was relabeled as system_u:object_r:user_home_dir_t

drwx------  auser    auser    system_u:object_r:user_home_dir_t auser

this is consistent with the rest of the home directories

Ric Letson
Comment 4 Colin Walters 2004-04-05 10:28:31 EDT
Karsten - the FAQ entry looks good to me.
Comment 5 Colin Walters 2004-04-05 10:35:12 EDT
Karsten - Actually Ric is right, the last line will look like this:

drwxr-xr-x  auser     auser     root:object_r:user_home_dir_t        

i.e. with "root" instead of user_u and object_r instead of user_r. 
(Sometimes you'll get system_u instead of root, but it's irrelevant)
Comment 6 Karsten Wade 2004-04-05 12:55:04 EDT
Gents, thanks for your keen eyes.  These are the details that matter.
 Fixed in 1.0-4, already posted.

Note You need to log in before you can comment on or make changes to this bug.