Created attachment 1128293
Vagrantfile to demonstrate the problem and workaround

Description of problem:
When /etc/default/useradd is modified so HOME=/var/home there is no way to correctly label /var/home

Version-Release number of selected component (if applicable):
3.13.1-60.el7_2.3.noarch

How reproducible:
Every time

Steps to Reproduce:
1. sed -i'' -e 's_HOME=/home_HOME=/var/home_' /etc/default/useradd
2. semodule --build
3. semanage fcontext -a -e /var/home /home

Actual results:
$ /usr/sbin/matchpathcon /home /var/home /home/foo /var/home/foo
/home system_u:object_r:default_t:s0
/var/home system_u:object_r:etc_runtime_t:s0
/home/foo system_u:object_r:default_t:s0
/var/home/foo system_u:object_r:default_t:s0

Expected results:
$ /usr/sbin/matchpathcon /home /var/home /home/foo /var/home/foo
==> default: /home system_u:object_r:home_root_t:s0
==> default: /var/home system_u:object_r:home_root_t:s0
==> default: /home/foo unconfined_u:object_r:user_home_dir_t:s0
==> default: /var/home/foo unconfined_u:object_r:user_home_dir_t:s0

Additional info:
I can work around the problem like this:

$ sed -i'' \
    -e 's_^/var/home_#/var/home_' \
    -e 's_^/var/lib/xguest/home_#/var/lib/xguest/home_' \
    /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
$ semanage fcontext -a -e /var/home /home || true
$ semanage fcontext -a -e /var/home /var/lib/xguest/home || true
$ semodule --build

I have written a Vagrant file to demonstrate the problem and workaround. It and its output are attached.
Created attachment 1128294
Output of Vagrant up
I believe you should run genhomedircon after replacing HOME=/home with HOME=/var/home.

# man genhomedircon | col -b | head -n 8
GENHOMEDIRCON(8) SELinux GENHOMEDIRCON(8)
NAME
genhomedircon - generate SELinux file context configuration entries for user home directories
#
I tested running genhomedircon in place of the sed I used to modify file_contexts.subs_dist and it didn't help. I'll attach the vagrant file with this in place of my workaround and the output.
Created attachment 1130625
Vagrantfile testing genhomedircon

Milos Malik suggested at 2016-02-19 03:40:30 EST that I should be running genhomedircon. This is the Vagrantfile I used to test that theory.
Created attachment 1130626
Output of Vagrant up using genhomedircon
The problem is your system is mislabeled. It works as expected on my system

$ matchpathcon /var/home
/var/home system_u:object_r:home_root_t:s0
$ matchpathcon /var/home/mgrepl
/var/home/mgrepl unconfined_u:object_r:user_home_dir_t:s0

How did you install the system?
Miroslav Grepl, Can you demonstrate that you have modified /etc/default/useradd so that HOME=/var/home and then relabeled /var/home?
(In reply to Brad Guillory from comment #8)
> Miroslav Grepl, Can you demonstrate that you have modified
> /etc/default/useradd so that HOME=/var/home and then relabeled /var/home?

I would like to see the first step. Why does matchpathcon not work for you if you run

semanage fcontext -a -e /var/home /home

What does

# ls -dZ /home /var
Closing this as INSUFFICIENT_DATA. If you are still facing this issue feel free to re-open this bug and provide the info requested in comment#9. Thanks.
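
A check for the mislabeling discussed in this bug, as an added example that is not part of the original report or of the selinux-policy project: it reads matchpathcon output and flags a home root or its direct children whose type differs from the types listed under "Expected results" (home_root_t, user_home_dir_t). The function name check_home_labels is hypothetical; the sample input is copied from the report's "Actual results".

```shell
#!/bin/sh
# Added example (not from the bug report): audit matchpathcon output
# for a relocated home root.

# Copied from the report's "Actual results" section.
sample_actual() {
    cat <<'EOF'
/home system_u:object_r:default_t:s0
/var/home system_u:object_r:etc_runtime_t:s0
/home/foo system_u:object_r:default_t:s0
/var/home/foo system_u:object_r:default_t:s0
EOF
}

# check_home_labels HOME_ROOT  (hypothetical helper name)
# stdin: matchpathcon output, optionally prefixed by Vagrant's "==> default:".
# Prints "MISMATCH path got=TYPE want=TYPE" for HOME_ROOT and its direct
# children; other paths are ignored. Returns 1 if anything mismatched.
check_home_labels() {
    awk -v root="$1" '
        BEGIN { bad = 0; sub(/\/+$/, "", root) }
        NF < 2 { next }
        {
            path = $(NF - 1)          # last two fields: path, context
            split($NF, ctx, ":")      # user:role:type:level
            want = ""
            if (path == root) {
                want = "home_root_t"
            } else if (index(path, root "/") == 1) {
                rest = substr(path, length(root) + 2)
                if (rest != "" && index(rest, "/") == 0)
                    want = "user_home_dir_t"
            }
            if (want != "" && ctx[3] != want) {
                printf "MISMATCH %s got=%s want=%s\n", path, ctx[3], want
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Live use: matchpathcon /var/home /var/home/foo | check_home_labels /var/home
sample_actual | check_home_labels /var/home || echo "home root is mislabeled"
```
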